Actively Exploited Windows Zero-Day Threatens Domain Controllers

Microsoft eliminated 74 security vulnerabilities with its May 2022 Patch Tuesday update, including a significant zero-day bug that’s being actively exploited in the wild and several that are likely widely present in enterprise.

It also fixed seven critical flaws, 65 other significant bugs, and one low-severity issue. The patches cover the full range of the IT giant’s portfolio, including: Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, authentication methods Windows, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol.

3 Zero-Days, 1 Actively Exploited
The actively exploited bug (CVE-2022-26925) is a Windows LSA spoofing vulnerability that is rated 8.1 out of 10 on the CVSS Vulnerability Severity Scale – however, Microsoft notes in its advisory that it should be increased to critical (CVSS 9.8) if used in Windows NT LAN Manager (NTLM) relay attacks.

“[A]n unauthenticated attacker could call a method on the LSARPC interface and cause the domain controller to authenticate to the attacker using NTLM,” Microsoft warns in its advisory, a concerning situation given the high level of privilege a domain controller holds.

NTLM, now a legacy protocol, relies on weak authentication that can leak credentials and session keys. In a relay attack, malicious actors capture an authentication exchange and forward it to another server, which lets them authenticate to that server with the privileges of the user or machine account whose authentication was captured.
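The relay pattern described above leaves a recognizable trace on the server that receives the forwarded authentication: a machine account (a name ending in `$`, such as a domain controller's own account) completing a network NTLM logon from an IP address that is not the machine's own. The script below, an added example for defenders and not code from the article or from Microsoft, applies that check to a handful of constructed Windows Security event 4624 records. The field names (`TargetUserName`, `LogonType`, `AuthenticationPackageName`, `IpAddress`) are the real 4624 EventData fields; the hosts, IP addresses and the `INVENTORY` mapping of machine accounts to their expected addresses are hypothetical and would come from DHCP/DNS or an asset database in practice.

```python
"""Flag network NTLM logons by machine accounts from unexpected source IPs.

A domain controller authenticating outward over NTLM from its own address is
ordinary; its account arriving from some other host is the signature of a
coerced-and-relayed authentication. Patching is the fix; this is a detection
heuristic to run alongside it. All sample data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Hypothetical inventory: machine account -> set of IPs it legitimately uses.
INVENTORY = {
    "DC01$": {"10.0.0.10"},
    "FS01$": {"10.0.0.20"},
}

# Constructed 4624 records, flattened to one dict each as a SIEM might export them.
SAMPLE_EVENTS = [
    # Benign: DC01$ network logon from DC01's own address.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.10", "WorkstationName": "DC01"},
    # Suspect: DC01$ credentials presented over NTLM from a host that is not DC01.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.99", "WorkstationName": "DC01"},
    # Kerberos logon: not in scope for an NTLM relay check.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "FS01$", "IpAddress": "10.0.0.20", "WorkstationName": "FS01"},
    # Ordinary user account, not a machine account.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "10.0.0.50", "WorkstationName": "WS50"},
    # Local (non-network) logon: no source address to compare.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "FS01$", "IpAddress": "-", "WorkstationName": "FS01"},
    # Suspect: machine account nobody has in inventory.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WS77$", "IpAddress": "10.0.0.77", "WorkstationName": "WS77"},
]


@dataclass(frozen=True)
class Finding:
    account: str
    source_ip: str
    reason: str


def _is_remote_ip(value):
    """True for a parseable, non-loopback, non-unspecified address ('-' and '::1' are skipped)."""
    try:
        addr = ip_address(value)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified)


def find_suspect_machine_logons(events, inventory):
    """Return a Finding for every network NTLM logon by a machine account
    whose source IP is not one the inventory assigns to that account."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue                      # only successful network logons
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue                      # relay concerns NTLM, not Kerberos
        account = ev.get("TargetUserName", "")
        if not account.endswith("$"):
            continue                      # machine accounts only
        src = ev.get("IpAddress", "-")
        if not _is_remote_ip(src):
            continue                      # nothing to compare against
        known = inventory.get(account.upper())
        if known is None:
            findings.append(Finding(account, src, "machine account not in inventory"))
        elif src not in known:
            findings.append(Finding(account, src, f"expected one of {sorted(known)}"))
    return findings


if __name__ == "__main__":
    for f in find_suspect_machine_logons(SAMPLE_EVENTS, INVENTORY):
        print(f"SUSPECT {f.account} from {f.source_ip}: {f.reason}")
```

The inventory lookup is the whole heuristic, so its quality decides the false-positive rate: multi-homed servers and DHCP churn need every current address listed, and the unknown-account branch is worth keeping because a machine account that no asset record explains deserves a look regardless of where it logged on from.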

That said, the bug is harder to exploit than most, Trend Micro Zero Day Initiative (ZDI) researcher Dustin Childs said in a blog post on Tuesday. “The threat actor should be in the logical network path between the target and the requested resource (e.g. man-in-the-middle), but since this is listed as under active attack, someone must have figured out how to make that happen.”

Tyler Reguly, head of security R&D at Tripwire, told Dark Reading that the bug could be related to a threat previously known as PetitPotam, which emerged in July to allow attackers to force remote Windows systems to reveal easily crackable password hashes.

“Based on links provided by Microsoft, this appears to be related to the previous PetitPotam patch,” he notes, adding that researchers are left to guess on this point. “This is a great example of where detailed executive summaries explaining what’s going on were helpful in the past. It would be great if Microsoft could start providing them on a regular basis again,” he says.

Microsoft also fixed two other zero-days, including a critical bug (CVE-2022-29972, CVSS unavailable) in Insight Software’s Magnitude Simba Amazon Redshift ODBC driver – “a third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines and Azure Data Factory,” as ZDI’s Childs explains.

He adds, “This update is complicated enough that Microsoft is blogging about the bug and how it affects multiple Microsoft services.”

The last zero-day (CVE-2022-22713, CVSS 5.6) is an important-rated bug in Windows Hyper-V that could allow denial of service (DoS).

Highlights: Critical Microsoft Security Bugs to Fix Now
As for the other patches admins should prioritize this month, some of the critical issues reach deep into organizational infrastructure and could affect millions of businesses, the researchers warn.

“The big news is the critical vulnerabilities that need to be highlighted for immediate action,” Chris Hass, director of security at Automox, told Dark Reading. “This month introduces vulnerabilities in a number of applications common to most enterprises, including NFS, Remote Desktop Client, and Active Directory.”

For example, the critical bug affecting Windows Network File System, or NFS (CVE-2022-26937, CVSS 9.8) could allow unauthenticated remote code execution (RCE) in the context of the highly privileged NFS service, according to the notice from Microsoft. To boot, its ubiquity resembles Log4j: it “is present in all versions of Windows Server from 2008 onwards,” Hass says, “which puts most organizations at risk if action isn’t taken quickly.”

Additionally, “These types of vulnerabilities will potentially be of interest to ransomware operators because they could lead to the type of exposure of critical data, often as part of a ransom attempt,” Kevin Breen, director of cyber threat research at Immersive Labs, told Dark Reading.

As for who should prioritize the fix, “NFS is not enabled by default, but it is prevalent in environments where Windows systems are mixed with other operating systems such as Linux or Unix. If that describes your environment, you absolutely need to test and deploy this patch quickly,” warns Childs.

As for other critical bugs to consider, Breen points to CVE-2022-22017 (CVSS 8.8), an equally pervasive RCE issue in the Remote Desktop (RDP) client.

“With more telecommuters than ever, companies need to put anything affecting RDP on the radar, especially given its popularity with ransomware actors and access brokers,” he warns.

The Active Directory bug (CVE-2022-26923, CVSS 8.8) is in Domain Services and could allow elevation of privilege through a certificate issuance issue. ZDI, which reported the bug, says an attacker can access a certificate to authenticate to a DC with an elevated privilege level, allowing any domain-authenticated user to become a domain administrator if the Active Directory Certificate Services are running.

“This is a very common deployment,” says Childs. “Given the severity of this bug and the relative ease of exploitation, I wouldn’t be surprised to see active attacks using this technique sooner rather than later.”

A cluster of 10 RCE bugs in LDAP are less of a concern, Breen says (the most serious, CVE-2022-22012, has a CVSS score of 9.8). These “seem particularly threatening; however, they have been marked by Microsoft as ‘less likely to be exploited’ because they require a default configuration that is unlikely to exist in most environments,” he notes. “That’s not to say they don’t need to be patched, but rather a reminder that context matters when prioritizing patches.”

The worst of the rest
A handful of other vulnerabilities that have also stood out to researchers are worth noting here, starting with Windows Print Spooler, which has long presented an attractive target for cyberattackers.

“Several Windows Print Spooler vulnerabilities were patched this month, including two information disclosure flaws (CVE-2022-29114, CVE-2022-29140) and two elevation of privilege flaws (CVE-2022-29104, CVE-2022-29132),” Satnam Narang, research engineer at Tenable, tells Dark Reading. “All flaws are rated as important, and two of the three are considered more likely to be exploited. Windows Print Spooler has remained a valuable target for attackers ever since PrintNightmare was leaked nearly a year ago. These in particular must be carefully prioritized, as we’ve seen ransomware groups like Conti favor them as part of their playbook.”

Breen also highlighted two other important bugs as priorities for fixing:

  • CVE-2022-29108, a remotely executable flaw in SharePoint that could likely be exploited by an attacker looking to move laterally through an organization. “Requiring authenticated access to operate, it could be used by a threat actor to steal confidential information or inject documents with malicious code or macros that could be part of a larger attack chain,” warns Breen.
  • A bug in Azure Data Factory (no CVE assigned) is remotely exploitable and could expose a company’s confidential data, according to Breen.

Satya Gupta, CTO and co-founder of Virsec, says that overall, the broader context of Microsoft patch trends is important for defenders to consider. Specifically, over the past year, more than a third of patches (1,330 or 36%) relate to RCE issues.

“This of course presents a huge opportunity for malicious actors to compromise almost any customer,” he said. “In total, several of May’s vulnerabilities represent a Log4j level of exposure, especially considering what it would take to patch millions of servers.”