Microsoft has released April’s Patch Tuesday security updates with 119 vulnerabilities, including two zero-days and nine rated as critical. The products covered in April’s security update include Windows User Profile Service, Windows Common Log File System Driver, .NET Framework, Active Directory Domain Services, Azure SDK, Windows Kernel, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office Excel, Windows Installer, Windows RDP, Windows Upgrade Assistant, etc.
The vulnerability for Windows User Profile Service (CVE-2022-26904) has been publicly disclosed.
Zero-day Vulnerability Fixed
CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability. This flaw has been rated as important, with a CVSSv3 score of 7.0 out of 10. It was identified by CrowdStrike and the US National Security Agency (NSA). Successful exploitation requires an attacker to win a race condition, so its attack complexity is high.
CVE-2022-24521 – Windows Common Log File System Driver Elevation of Privilege Vulnerability. This flaw has been actively exploited as a zero-day.
Critical Vulnerabilities Fixed
CVE-2022-24491 – Windows Network File System Remote Code Execution Vulnerability. This flaw doesn’t require any authentication. A remote attacker can exploit this vulnerability by sending specially crafted NFS protocol network messages to a vulnerable system. Only systems on which the NFS role is enabled are at risk. This flaw received a CVSSv3 score of 9.8 out of 10.
CVE-2022-26809 – Remote Procedure Call Runtime Remote Code Execution Vulnerability. This flaw doesn’t require any authentication. A remote attacker can exploit this vulnerability by sending a specially crafted RPC call to an RPC host. This flaw received a CVSSv3 score of 9.8 out of 10. Patches are available to address this issue; if you are unable to patch immediately, you can still mitigate exploitation attempts by blocking TCP port 445 on the perimeter firewall. Note that after applying this mitigation, systems can still be vulnerable to attacks from within the enterprise perimeter.
CVE-2022-26919 – Windows LDAP Remote Code Execution Vulnerability. This flaw is remotely exploitable over the network by a standard user who has been authenticated to the domain. According to Microsoft, any attack has “high complexity”, and an attack is not possible unless the default setting for MaxReceiveBuffer has been changed.
CVE-2022-23259 – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability. This flaw impacts confidentiality, integrity, and availability. The exploitation of this flaw is easy and can be performed remotely. Authentication is required for successful exploitation.
CVE-2022-22008, CVE-2022-24537, CVE-2022-23257 – Windows Hyper-V Remote Code Execution Vulnerabilities. For successful exploitation, an attacker would need to open a specially crafted file, and then run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code.
CVE-2022-24541 – Windows Server Service Remote Code Execution Vulnerability. This flaw exists due to insufficient validation of user-supplied input in Windows Server Service. A remote attacker can send specially crafted SMB packets to port 445/tcp and execute arbitrary code on the system.
CVE-2022-24500 – Windows SMB Remote Code Execution Vulnerability. This flaw exists due to insufficient validation of user-supplied input in Windows SMB. A remote attacker can trick a victim into accessing a malicious server and execute arbitrary code on the target system.
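The three unauthenticated, network-facing flaws above each come with a condition a defender can check before the patch lands: whether the NFS role is installed (CVE-2022-24491), whether inbound TCP 445 is already blocked on the host and, if not, whether to add a host-level block rule as a complement to the perimeter block Microsoft recommends (CVE-2022-26809), and whether a domain controller’s LDAP MaxReceiveBuffer has been changed from its default (CVE-2022-26919). The following PowerShell script is an added example written for this article, not code from Microsoft or from the original post. It uses standard ServerManager, NetSecurity and ActiveDirectory cmdlets; the feature name FS-NFS-Service, the Default Query Policy distinguished name and the 10485760-byte default for MaxReceiveBuffer are assumptions taken from Microsoft’s documentation and should be verified against your own environment.

```powershell
# Added example, not from the original article: read-only exposure checks for the
# April 2022 unauthenticated RCEs. Run in an elevated PowerShell on the host being assessed.

# --- CVE-2022-24491: is the Server for NFS role present? ---
function Test-NfsServerRole {
    # Assumption: the role feature is named FS-NFS-Service (Server SKUs with ServerManager).
    $feature = Get-WindowsFeature -Name 'FS-NFS-Service' -ErrorAction SilentlyContinue
    if ($feature) { return [bool]$feature.Installed }
    # Fallback for hosts without ServerManager: look for the NFS server service itself.
    return [bool](Get-Service -Name 'NfsService' -ErrorAction SilentlyContinue)
}

# --- CVE-2022-26809: which enabled inbound rules touch local TCP 445 on this host? ---
function Get-InboundTcp445Rules {
    # Reports rule name, action and profile so you can see whether the host itself
    # allows or blocks SMB/RPC-over-named-pipes. Port ranges such as '440-450' are
    # not expanded here; review those manually if they appear.
    Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $matchesPort = ($port.LocalPort -contains '445') -or ($port.LocalPort -eq 'Any')
            if ($port.Protocol -eq 'TCP' -and $matchesPort) {
                [pscustomobject]@{
                    Name    = $rule.DisplayName
                    Action  = $rule.Action
                    Profile = $rule.Profile
                }
            }
        }
}

# Host-level complement to the perimeter block described in the advisory. Only use it on
# hosts that do not need to serve SMB (file/print shares, some RPC) to their own segment,
# since the advisory itself notes that internal attackers are not stopped by a perimeter block.
function Add-HostTcp445BlockRule {
    New-NetFirewallRule -DisplayName 'Block inbound TCP 445 (CVE-2022-26809 interim mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any
}

# --- CVE-2022-26919: has MaxReceiveBuffer been changed from the default? (domain controllers) ---
function Get-LdapMaxReceiveBuffer {
    # Assumption: the forest uses the standard Default Query Policy object in the
    # configuration partition, and the documented default is 10485760 bytes (10 MB).
    $defaultBytes = 10485760
    Import-Module ActiveDirectory -ErrorAction Stop
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $policy   = Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits
    # lDAPAdminLimits is multi-valued, each entry of the form 'Name=Value'.
    $entry = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxReceiveBuffer=*' }
    $value = if ($entry) { [int64](($entry -split '=')[1]) } else { $defaultBytes }
    [pscustomobject]@{
        MaxReceiveBuffer = $value
        IsDefault        = ($value -eq $defaultBytes)
    }
}

# --- Summary report ---
$report = [ordered]@{
    NfsRoleInstalled   = Test-NfsServerRole
    InboundTcp445Rules = @(Get-InboundTcp445Rules)
}
# Only domain controllers run the NTDS service, so only they get the LDAP policy check.
if (Get-Service -Name 'NTDS' -ErrorAction SilentlyContinue) {
    $report.LdapMaxReceiveBuffer = Get-LdapMaxReceiveBuffer
}
[pscustomobject]$report | Format-List
```

Run the script as-is for the read-only report; Add-HostTcp445BlockRule is deliberately not called automatically, since blocking 445 on a file server or domain controller breaks legitimate SMB traffic. The LDAP check requires the ActiveDirectory module (RSAT) and a domain-joined account able to read the configuration partition.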
Microsoft security bulletin summary for April 2022
- .NET Framework
- Active Directory Domain Services
- Azure SDK
- Azure Site Recovery
- LDAP – Lightweight Directory Access Protocol
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Windows ALPC
- Microsoft Windows Codecs Library
- Microsoft Windows Media Foundation
- Power BI
- Role: DNS Server
- Role: Windows Hyper-V
- Skype for Business
- Visual Studio
- Visual Studio Code
- Windows Ancillary Function Driver for WinSock
- Windows App Store
- Windows AppX Package Manager
- Windows Cluster Client Failover
- Windows Cluster Shared Volume (CSV)
- Windows Common Log File System Driver
- Windows Defender
- Windows DWM Core Library
- Windows Endpoint Configuration Manager
- Windows Fax Compose Form
- Windows Feedback Hub
- Windows File Explorer
- Windows File Server
- Windows Installer
- Windows iSCSI Target Service
- Windows Kerberos
- Windows Kernel
- Windows Local Security Authority Subsystem Service
- Windows Media
Product: Microsoft Windows
CVEs/Advisory: CVE-2022-21983, CVE-2022-22008, CVE-2022-22009, CVE-2022-23257, CVE-2022-23268, CVE-2022-24474, CVE-2022-24479, CVE-2022-24481, CVE-2022-24482, CVE-2022-24483, CVE-2022-24484, CVE-2022-24485, CVE-2022-24486, CVE-2022-24487, CVE-2022-24488, CVE-2022-24489, CVE-2022-24490, CVE-2022-24491, CVE-2022-24492, CVE-2022-24493, CVE-2022-24494, CVE-2022-24495, CVE-2022-24496, CVE-2022-24497, CVE-2022-24498, CVE-2022-24499, CVE-2022-24500, CVE-2022-24521, CVE-2022-24527, CVE-2022-24528, CVE-2022-24530, CVE-2022-24532, CVE-2022-24533, CVE-2022-24534, CVE-2022-24536, CVE-2022-24537, CVE-2022-24538, CVE-2022-24539, CVE-2022-24540, CVE-2022-24541, CVE-2022-24542, CVE-2022-24543, CVE-2022-24544, CVE-2022-24545, CVE-2022-24546, CVE-2022-24547, CVE-2022-24549, CVE-2022-24550, CVE-2022-26783, CVE-2022-26784, CVE-2022-26785, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26789, CVE-2022-26790, CVE-2022-26791, CVE-2022-26792, CVE-2022-26793, CVE-2022-26794, CVE-2022-26795, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26809, CVE-2022-26810, CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26816, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26827, CVE-2022-26828, CVE-2022-26829, CVE-2022-26830, CVE-2022-26831, CVE-2022-26903, CVE-2022-26904, CVE-2022-26914, CVE-2022-26915, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919, CVE-2022-26920
Impact: Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution
Product: Microsoft Dynamics
Impact: Remote Code Execution
Product: Microsoft Office Excel
Impact: Remote Code Execution
Product: Microsoft Edge (Chromium-based)
CVEs/Advisory: CVE-2022-1125, CVE-2022-1127, CVE-2022-1128, CVE-2022-1129, CVE-2022-1130, CVE-2022-1131, CVE-2022-1133, CVE-2022-1134, CVE-2022-1135, CVE-2022-1136, CVE-2022-1137, CVE-2022-1138, CVE-2022-1139, CVE-2022-1143, CVE-2022-1145, CVE-2022-1146, CVE-2022-1232, CVE-2022-24475, CVE-2022-24523, CVE-2022-26891, CVE-2022-26894, CVE-2022-26895, CVE-2022-26900, CVE-2022-26908, CVE-2022-26909, CVE-2022-26912
Impact: Elevation of Privilege, Spoofing