April 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day Under Attack and Wormable Bugs

Microsoft has released 117 security patches for its April Patch Tuesday rollout. Of the 117 CVEs addressed, two are ranked as Important zero-days, including CVE-2022-24521, which is under active exploitation. This zero-day was discovered by CrowdStrike Intelligence and affects the Windows Common Log File System. Additionally, this month featured 10 critical vulnerability patches, bringing the total number of updates to nearly double what was offered in March 2022.

Two Zero-Day Vulnerabilities, One Under Active Attack

The two zero-day vulnerabilities patched this month received CVSS scores between 7 and 7.8 — a rank of Important. Nonetheless, these vulnerabilities are relevant to any organization using the affected products. CrowdStrike Falcon® Spotlight™ ExPRT.AI provides valuable data and insights for a more accurate understanding of how these zero-day vulnerabilities could affect your environment.

 

CVE-2022-24521: Windows Common Log File System Driver elevation of privilege vulnerability. Although given a CVSS score of 7.8, Microsoft has seen active exploitation with a low attack complexity. Now that Microsoft has issued a patch, adversaries may be analyzing the details of this vulnerability to learn how to better exploit it.

 

CVE-2022-26904: Windows User Profile Service elevation of privilege vulnerability. This publicly known zero-day flaw impacts the Windows User Profile Service and has a CVSS severity score of 7.0. In addition to having a proof-of-concept (POC) code available, there’s a Metasploit module. This vulnerability allows an attacker to gain code execution at SYSTEM level on affected systems. Microsoft has not seen this exploited in the wild.
RankCVSS ScoreCVEDescription
Important7.8CVE-2022-24521Windows Common Log File System Driver Elevation of Privilege Vulnerability
Important7.0CVE-2022-26904Windows User Profile Service Elevation of Privilege Vulnerability

April 2022 Risk Analysis

The top three attack types — remote code execution, elevation of privilege and information disclosure — continue to dominate, with denial of service following at almost 8% (up from 5% in March).
Figure 1. Breakdown of April 2022 Patch Tuesday attack types
The affected product families, however, are much different than last month. For April 2022, Developer tools saw a significant increase in vulnerabilities patched. Microsoft Office has taken second place in receiving the most patches, with Windows and Extended Security Updates following close behind.
Figure 2. Breakdown of April 2022 Patch Tuesday affected product families

Critical Vulnerabilities in LDAP, Hyper-V and SMB

Ten vulnerabilities ranked as Critical received patches this month across a number of Microsoft products, most notably in Windows Network File System (NFS) and Remote Procedure Call (RPC) runtime.

 

CVE-2022-26809: Remote Procedure Call (RPC) runtime remote code execution vulnerability. This flaw is rated CVSS 9.8, and is described as “exploitation more likely” by Microsoft. It could allow an attacker to execute code with high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between target hosts where RPC can be reached. However, the static port used (TCP port 135) is typically blocked at the network perimeter. This vulnerability could be used for lateral movement by an attacker. We recommend that your team test and deploy this patch quickly as possible.

 

CVE-2022-24491 and CVE-2022-24497: Windows Network File System remote code execution vulnerabilities. These two NFS vulnerabilities also have a 9.8 CVSS score and are listed as “exploitation more likely.” On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction. Again, that adds up to a wormable bug — at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter. Microsoft offers some guidance on how the RPC port multiplexer (port 2049) “is firewall-friendly and simplifies deployment of NFS.” Check your installations and roll out these patches rapidly.
RankCVSS ScoreCVEDescription
Critical8.1CVE-2022-26919Windows LDAP Remote Code Execution Vulnerability
Critical8.8CVE-2022-23259Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
Critical7.8CVE-2022-22008Windows Hyper-V Remote Code Execution Vulnerability
Critical7.8CVE-2022-24537Windows Hyper-V Remote Code Execution Vulnerability
Critical8.8CVE-2022-23257Windows Hyper-V Remote Code Execution Vulnerability
Critical9.8CVE-2022-24491Windows Network File System Remote Code Execution Vulnerability
Critical9.8CVE-2022-24497Windows Network File System Remote Code Execution Vulnerability
Critical9.8CVE-2022-26809Remote Procedure Call Runtime Remote Code Execution Vulnerability
Critical8.8CVE-2022-24541Windows Server Service Remote Code Execution Vulnerability
Critical8.8CVE-2022-24500Windows SMB Remote Code Execution Vulnerability

18 Windows DNS Server Remote Code Execution Vulnerabilities

Eighteen RCE vulnerabilities affecting Windows DNS Server received patches this month. All are ranked as Important, with two vulnerabilities that warrant additional attention.

 

CVE-2022-26815: This vulnerability is the most severe of the 18 DNS Server CVEs patched this month. This flaw is also very similar to one (CVE-2022-21984) patched in February, which raises the question whether or not this month’s patch for CVE-2022-26815 is the result of a failed or incomplete patch. Important to note for patching teams:
  • Dynamic updates must be enabled for a server to be affected
  • CVSS details lists a level of privileges to exploit

     

Any opportunity for an attacker to get RCE on a DNS server is one too many, so we recommend prioritizing this vulnerability and patching your DNS servers. CVE-2022-26826: This vulnerability is rated as Important with a CVSS score of 7.2.

 

To exploit this vulnerability, the attacker or targeted user would need specific elevated privileges. As is best practice, regular validation and audits of administrative groups should be conducted.
RankCVSS ScoreCVEDescription
Important8.8CVE-2022-26815Windows DNS Server Information Disclosure Vulnerability
Important7.5CVE-2022-26814Windows DNS Server Information Disclosure Vulnerability
Important7.5CVE-2022-26817Windows DNS Server Information Disclosure Vulnerability
Important7.5CVE-2022-26818Windows DNS Server Information Disclosure Vulnerability
Important7.5CVE-2022-26829Windows DNS Server Information Disclosure Vulnerability
Important7.2CVE-2022-24536Windows DNS Server Information Disclosure Vulnerability
Important7.2CVE-2022-26811Windows DNS Server Information Disclosure Vulnerability
Important7.2CVE-2022-26813Windows DNS Server Information Disclosure Vulnerability
Important7.2CVE-2022-26823Windows DNS Server Information Disclosure Vulnerability
Important7.2CVE-2022-26824Windows DNS Server Information Disclosure Vulnerability
Important7.2CVE-2022-26825Windows DNS Server Information Disclosure Vulnerability
Important7.2CVE-2022-26826Windows DNS Server Information Disclosure Vulnerability
Important6.7CVE-2022-26812Windows DNS Server Information Disclosure Vulnerability
Important6.6CVE-2022-26819Windows DNS Server Information Disclosure Vulnerability
Important6.6CVE-2022-26820Windows DNS Server Information Disclosure Vulnerability
Important6.6CVE-2022-26821Windows DNS Server Information Disclosure Vulnerability
Important6.6CVE-2022-26822Windows DNS Server Information Disclosure Vulnerability
Important4.9CVE-2022-26816Windows DNS Server Information Disclosure Vulnerability

RCE Is Still a Popular Attack Type, So Consider Prioritizing Patches Accordingly

This month’s Patch Tuesday contains 47 patches for RCE bugs. In addition to those already mentioned is yet another RDP client flaw (CVE-2022-24533) that would allow code execution if a user connected to a malicious RDP server. If that sounds familiar, it’s because there was a similar bug last month, with a number of related CVEs going further back. There are a few open-and-own vulnerabilities in Office components, most notably Excel, that have also received patches this month. The chance of people applying patches to Excel before April 15 appears low, but there is risk of exploitation if patching isn’t applied. Another vulnerability to consider is CVE-2022-26788 (another CVE this month discovered by CrowdStrike, this one in conjunction with VMware), which is a PowerShell privilege elevation CVE. It’s ranked as Important with a CVSS of 7.8.

 

CrowdStrike recommends continually reviewing your patching strategy, as vigilance can make a dramatic difference in keeping your environments protected.

 

Learn More

Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization.

 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

 

Additional Resources

Breaches Stop Here