APRIL 14, 2022 20:32 GMT
Microsoft’s Patch Tuesday for April includes a notably high volume of critical fixes. There are 10 critical CVEs patched, including a particularly severe “wormable” Remote Code Execution (RCE) vulnerability within the Remote Procedure Call (RPC) protocol. In addition, there are two Privilege Escalation zero-days, which are known to be actively exploited at time of disclosure.
The Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809) allows a threat actor to send a specially crafted RPC packet to a target RPC endpoint. The target machine will remotely execute the code with the same permissions as the RPC service, which is often at an elevated permissions level.
RPC traffic is used by many services in Windows environments for remote authentication and communication. The ubiquity of normal RPC communications in Microsoft environments, combined with the non-interactive nature of RPC, means that a threat actor can create wormable malware that is able to spread from vulnerable host to vulnerable host.
Researchers have drawn similarities to EternalBlue, a tool developed by the NSA to exploit a similar flaw in the Server Message Block (SMB) protocol (which underlies RPC traffic). EternalBlue was used by threat actors in both the devastating WannaCry and NotPetya ransomware attacks.
Other notable patched vulnerabilities include:
- Two critical vulnerabilities to Microsoft’s implementation of the Network File Share (NFS) protocol (CVE-2022-24491 and CVE-2022-24497)
- Three critical vulnerabilities impacting Microsoft’s Hyper-V Hypervisor (CVE-2022-22008, CVE-2022-23257 and CVE-2022-24537)
- A critical vulnerability in Windows LDAP implementation (CVE-2022-26919)
- A critical SMB vulnerability in addition to the above RPC vulnerability (CVE-2022-24500)
- A critical vulnerability in Windows Server (CVE-2022-24541)
- A critical vulnerability in Microsoft Dynamics 365 (CVE-2022-23259).
All of the above critical vulnerabilities are Remote Code Execution vulnerabilities.
Two of the vulnerabilities patched are zero-days. The first, CVE-2022-24521 (CVSS 7.8), is a Privilege Escalation vulnerability in the Windows Common Log File System (CLFS).
The second zero-day is a Privilege Escalation vulnerability in the Windows User Profile Service (CVE-2022-26904, CVSS 7.0). Though they are rated lower than the above RCE vulnerabilities, both are known by Microsoft to be actively exploited by threat actors.
ThreatPost mentions 18 vulnerabilities patched within Microsoft Domain Name Server (DNS), including a high rated RCE vulnerability (CVE-2022-26815).
- It is highly recommended to test and run system updates from Microsoft on impacted servers as soon as possible
- Microsoft suggests limiting the RPC service at the perimeter firewall (TCP port 445). Note that this only protects against attacks from the Internet, not those originating from within your environment.
- See the KB article on how to harden RPC services.
- Ensure proper network segmentation, especially for critical server infrastructure to limit opportunities for exploit or lateral movement.
- Run scheduled vulnerability scans as a proactive solution for finding unpatched systems.
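The following PowerShell script is an added example, not part of the original post or of any Microsoft guidance, that turns the recommendations above into a per-host check: it verifies that required updates are installed, lists which addresses the host is exposing SMB (445) and the RPC endpoint mapper (135) on, reports existing inbound firewall rules for 445, and can optionally add a host-firewall rule that blocks inbound TCP 445 from Internet addresses while leaving internal traffic alone (the host-level analogue of the perimeter block described above). The KB identifiers in `$RequiredKBs` are placeholders, since the post does not list them; substitute the cumulative update IDs from the Microsoft advisory for your OS build. All cmdlets used are standard Windows modules (`Get-HotFix`, `NetTCPIP`, `NetSecurity`).

```powershell
<#
  Added example (not from the original post): audit a Windows host for the
  April 2022 updates and for SMB/RPC exposure, optionally blocking inbound 445
  from the Internet at the host firewall.  Run in an elevated PowerShell session.
  ASSUMPTION: the KB numbers below are PLACEHOLDERS; replace them with the real
  cumulative update IDs for this OS build from the Microsoft advisory.
#>
param(
    [string[]]$RequiredKBs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2'),
    [switch]$BlockInternetSmb
)

# 1. Patch status: compare installed hotfix IDs against the required list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKBs | Where-Object { $_ -notin $installed }
if ($missing) {
    Write-Warning ("Missing updates on {0}: {1}" -f $env:COMPUTERNAME, ($missing -join ', '))
} else {
    Write-Host "All required updates are installed on $env:COMPUTERNAME."
}

# 2. Exposure: which local addresses are listening for SMB (445) and the
#    RPC endpoint mapper (135)?  0.0.0.0 / :: means every interface.
Write-Host "`nListeners on 135/445:"
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 135, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 3. Current firewall posture: enabled inbound rules that reference TCP 445.
Write-Host "Enabled inbound firewall rules for TCP 445:"
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile |
    Format-Table -AutoSize

# 4. Optional mitigation: block inbound SMB only from Internet addresses.
#    Internal SMB/RPC is left open because, as the post notes, the perimeter
#    block does nothing for traffic that originates inside the environment;
#    segmentation and patching still have to cover that.
if ($BlockInternetSmb) {
    $ruleName = 'Block inbound TCP 445 from Internet (April 2022 mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        Write-Host "Created firewall rule: $ruleName"
    } else {
        Write-Host "Firewall rule already present: $ruleName"
    }
}
```

Run it as `.\Check-AprilPatch.ps1 -RequiredKBs 'KB5012592'` (substituting the real IDs for your build) to audit only, and add `-BlockInternetSmb` to apply the rule; the `Internet` keyword is the Windows Firewall address set for anything outside the host's local subnets, so review the listener output first to confirm which interfaces actually face untrusted networks.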
- ThreatPost Patch Tuesday Article
- KrebsOnSecurity on April Patch Tuesday
- Official Microsoft Advisory
- Microsoft’s Advice for Hardening SMB
- CISA Advisory
Other MS Advisories related to this month’s Patch Tuesday: