Microsoft Patch Tuesday: PetitPotam Cornered Again74 Security Vulnerabilities - Including 3 Critical Bugs, 3 Zero-Days - Fixed
The May 2022 Microsoft Patch Tuesday releases fix 74 security vulnerabilities, including three zero-days, one of which is actively exploited in the wild, and three vulnerabilities classified as "critical," as they exploit remote code execution with escalation of privileges.
The now-patched zero-day vulnerability that is being actively exploited in the wild is for a new NTLM relay attack using an LSARPC flaw tracked as CVE-2022-26925, a Windows LSA spoofing vulnerability.
In the NTLM relay attack, also known as PetitPotam, threat actors can intercept legitimate authentication requests and use them to gain elevated privileges, even assuming the identity of a domain controller.
PetitPotam is a classic NTLM relay attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers.
In a security advisory, Microsoft says: "An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it."
LSARPC is a protocol, or a set of calls, transmitted with a remote procedure call to a system called the Local Security Authority, or LSA. This is used in Microsoft/Windows systems to perform management tasks on domain security policies from a remote machine.
Microsoft cautions those who use Active Directory Certificate Services, or AD CS, with Certificate Authority Web Enrollment or Certificate Enrollment Web Service and advises admins to read the PetitPotam advisory for information on how to mitigate these types of attacks.
The two other publicly exposed zero-days are:
- CVE-2022-22713 - a Windows Hyper-V denial of service vulnerability;
- CVE-2022-29972 - Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver.
Following are the vulnerabilities that have CVSSv3.1 scores of 9 to 10, classified as "critical," and 7 to 8.9, classified as "high."
CVE-2022-22012 and CVE-2022-29130
An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account.
Both these vulnerabilities are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. For more information, see Microsoft's LDAP policies.
CVE-2022-26937 is a Windows Network File System RCE vulnerability with a CVSS score of 9.8 and critical severity.
This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System, or NFS, service to trigger an RCE.
This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV2 and NFSV3. This may adversely affect your ecosystem and should only be used as a temporary mitigation.
CVE-2022-22017 is a Remote Desktop Client RCE vulnerability with a CVSS score of 8.8 and high severity.
An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user.
CVE-2022-26923 is an Active Directory Domain Services elevation of privilege vulnerability with a CVSS score of 8.8 and high severity.
An authenticated user could manipulate attributes on computer accounts they own or manage and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
CVE-2022-29108 is a Microsoft SharePoint Server remote code execution vulnerability with a CVSS score of 8.8 and a high severity.
The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability.
CVE-2022-29133 is a Windows Kernel elevation of privilege vulnerability with a CVSS score of 8.8 and high severity.
A successful attack could be performed from a low-privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
CVE-2022-21978 is a Microsoft Exchange Server elevation of privilege vulnerability with a CVSSv3.1 score of 8.2 and high severity.
Successful exploitation of this vulnerability requires the attacker to be authenticated to the Exchange Server as a member of a high privileged group, so Microsoft assesses this vulnerability's exploitability to be "less likely."
CVE-2022-26913 is a Windows authentication security feature bypass vulnerability with a CVSS score of 7.4 and high severity.
An attacker who successfully exploited this vulnerability could carry out a man-in-the-middle attack and could decrypt and read or modify TLS traffic between the client and server. There is no effect on the availability of the attacked machine.
Some administrators have been unable to apply the patches. They have been presented with an error message saying: "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect."
According to Microsoft, the issue is only triggered after the updates have been installed on servers used as domain controllers and will not occur when they are deployed on client Windows devices and non-domain controller Windows servers.
"After installing updates released May 10, 2022, on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server, Routing and Remote Access Service, Radius, Extensible Authentication Protocol and Protected Extensible Authentication Protocol," Microsoft says.
The company is investigating the issue and is expected to provide more updates soon. It says, "An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller."
Last month, Microsoft’s April Patch Tuesday resolved and provided security fixes for more than 100 vulnerabilities, including two zero-day vulnerabilities.