Microsoft Zero-Days, Wormable Bugs Spark Concern

For April Patch Tuesday, the computing giant addressed a zero-day under active attack and several critical security vulnerabilities, including three that allow self-propagating exploits.

Microsoft has released patches for 128 security vulnerabilities for its April 2022 monthly scheduled update – ten of them rated critical (including three wormable code-execution bugs that require no user interaction to exploit).

There are also two important-rated zero-days that allow privilege escalation, including one listed as under active exploit.

The bugs in the update are found across the portfolio, including in Microsoft Windows and Windows Components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store and Windows Print Spooler Components.

Infosec Insiders Newsletter

“This large volume of patches hasn’t been seen since the fall of 2020. However, this level is similar to what we saw in the first quarter of last year,” Dustin Childs, researcher at Trend Micro’s Zero Day Initiative, said in a blog breaking down the fixes.

Zero-Day Patches

The vulnerability that’s been exploited in the wild ahead of patching allows privilege escalation, and is tracked as CVE-2022-24521. It rates 7.8 out of 10 on the CVSS vulnerability-severity scale. It’s listed as a “Windows Common Log File System Driver Execution Vulnerability,” and was reported to Microsoft by the National Security Agency.

“It’s not stated how widely the exploit is being used in the wild, but it’s likely still targeted at this point and not broadly available,” Childs noted. “Go patch your systems before that situation changes.”

Researchers noted that attackers are likely pairing it with a separate code-execution bug in their campaigns. For that reason, Immersive Labs’ Kevin Breen, director of cyber-threat research, places the actively exploited bug at the top of the priority list for patching.

“Being the type of vulnerability for escalating privileges, this would indicate a threat actor is currently using it to aid lateral movement to capitalize on a pre-existing foothold,” he explained.

The second zero-day is found in the Windows User Profile Service, and is tracked as CVE-2022-26904.

It also allows privilege escalation, and rates a CVSS score of 7. Even though it’s listed as exploitation more likely, it has a high attack complexity, Microsoft noted in its advisory, because “successful exploitation of this vulnerability requires an attacker to win a race condition.”

Even so, researchers at Tripwire noted that exploit code is available for the bug, including in the Metasploit framework.

Critical Concerns for April

Out of the critical flaws, all of which allow remote code-execution (RCE), researchers flagged a bug that could allow for self-propagating exploits (CVE-2022-26809) as being of the most concern.

It exists in the Remote Procedure Call (RPC) Runtime Library, and rates 9.8 out of 10 on the CVSS scale, with exploitation noted as more likely. If exploited, a remote attacker could execute code with high privileges.

Danny Kim, principal architect at Virsec, noted that the vulnerability is specifically found in Microsoft’s Server Message Block (SMB) functionality, which is used primarily for file-sharing and inter-process communication, including Remote Procedure Calls. RPC is a communication mechanism that allows for one program to request a service or functionality from another program located on the network (internet and/or intranet). RPCs can be used in technologies like storage replica or managing shared volumes.

“This vulnerability is another example of an attacker taking advantage of legitimate functionality for malicious gain,” he said via email. “Using the vulnerability, an attacker can create a specially crafted RPC to execute code on the remote server with the same permissions as the RPC service.”

The bug could be used to create especially virulent threats, according to Childs.

“Since no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached,” Childs noted.

Microsoft recommends configuring firewall rules to help prevent this vulnerability from being exploited; the static port used (TCP port 135) can be blocked at the network perimeter.

“Still, this bug could be used for lateral movement by an attacker,” Childs warned. “Definitely test and deploy this one quickly.”

Next up are CVE-2022-24491/24497, two RCE bugs that affect the Windows Network File System (NFS). Both also have CVSS scores of 9.8, and both are listed as exploitation more likely. They also allow the potential for worming exploits, Childs warned.

“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction,” Childs explained. “Again, that adds up to a wormable bug – at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter.”

Immersive’s Breen added, “These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data.  It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.”

The remaining critical vulnerabilities are as follows:

Other Bugs of Note

Also worth mentioning: Out of a whopping 18 bugs found in the Windows Domain Name Server (DNS), one (CVE-2022-26815) allows RCE and is listed as important, with a CVSS score of 7.2.

Microsoft noted that while attack complexity is low, “the attacker or targeted user would need specific elevated privileges [for successful exploitation]. As is best practice, regular validation and audits of administrative groups should be conducted.”

Meanwhile, “there are a couple of important mitigations to point out here,” Childs noted. “The first is that dynamic updates must be enabled for a server to be affected by this bug. The CVSS also lists some level of privileges to exploit. Still, any chance of an attacker getting RCE on a DNS server is one too many, so get your DNS servers patched.”

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.


Suggested articles