Microsoft Patch Tuesday
Of the 75 updates released this month, the most notable is CVE-2022-26925, a zero-day LSA spoofing bug that can be chained with other exploits to compromise a system. Microsoft have helpfully provided supporting documentation for hardening servers to prevent the attack, and note that the patch may break certain EFS functionality on older servers. This functionality is prevalent in backup systems, so it's important to review it before applying the patches to Server 2008 assets.
Two further bugs stand out as the highest scoring of the month. Firstly, CVE-2022-22012 is an LDAP Remote Code Execution vulnerability with a CVSS score of 9.8. Domain Controllers can be queried by any authenticated user; however, this bug allows an unauthenticated attacker to send a crafted LDAP request to the server and elevate themselves to SYSTEM. This can only occur if a certain parameter (the MaxReceiveBuffer LDAP policy) has been changed from the default setting, making the risk of exploitation low despite the high score.
Modifying MaxReceiveBuffer involves using NTDSUTIL to change the maximum LDAP request size from the default of 10485760 bytes. It's unlikely that many admins will have changed this setting, but it is a potential troubleshooting step for LDAP connections from non-Windows systems and so is worth checking. The bug affects all Windows OSes back to Windows 7/Server 2008.
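As an added example (not from the original article or from Microsoft), the following PowerShell reports the MaxReceiveBuffer value stored on every LDAP query-policy object in the forest and which Domain Controllers pin an explicit policy, so a non-default value can be spotted before deciding how urgently CVE-2022-22012 needs patching. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the Configuration partition; the container path and attribute names are the standard ones for queryPolicy objects.

```powershell
# Added example, not part of the original article.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$DefaultMaxReceiveBuffer = 10485760   # documented default, in bytes

function Get-LdapMaxReceiveBuffer {
    # Query policies live under the Directory Service container in the Configuration NC
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $policyContainer = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    # Each queryPolicy object stores its limits as "Name=Value" strings in lDAPAdminLimits
    Get-ADObject -SearchBase $policyContainer -LDAPFilter '(objectClass=queryPolicy)' -Properties lDAPAdminLimits |
        ForEach-Object {
            $entry = $_.lDAPAdminLimits | Where-Object { $_ -like 'MaxReceiveBuffer=*' } | Select-Object -First 1
            # No explicit entry means the hard-coded default applies
            $value = if ($entry) { [int64](($entry -split '=', 2)[1]) } else { $DefaultMaxReceiveBuffer }
            [pscustomobject]@{
                QueryPolicy      = $_.DistinguishedName
                MaxReceiveBuffer = $value
                IsDefault        = ($value -eq $DefaultMaxReceiveBuffer)
            }
        }
}

function Get-DcQueryPolicyBinding {
    # A DC uses the policy pinned on its NTDS Settings object if one is set,
    # otherwise its site's policy, otherwise the forest Default Query Policy.
    # Get-ADDomainController -Filter * covers the current domain only.
    Get-ADDomainController -Filter * | ForEach-Object {
        $ntds = Get-ADObject -Identity $_.NTDSSettingsObjectDN -Properties queryPolicyObject
        [pscustomobject]@{
            DomainController = $_.HostName
            QueryPolicy      = if ($ntds.queryPolicyObject) { $ntds.queryPolicyObject } else { '(site or forest default)' }
        }
    }
}

# Any row with IsDefault = False deserves a closer look before relying on the "low risk" assessment
Get-LdapMaxReceiveBuffer   | Format-Table -AutoSize
Get-DcQueryPolicyBinding   | Format-Table -AutoSize
```

The same values can be confirmed interactively with `ntdsutil "LDAP policies" connections "connect to server <DC>" q "show values"`, which is the tool the article refers to.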
Conversely, Microsoft rate CVE-2022-26937 as more likely to be exploited. Microsoft's NFS (Network File System) is a long-standing feature of the OS, and older versions of it are affected by this bug, which is also a remote code execution vulnerability triggered by sending crafted packets to an unpatched asset. As a temporary fix, older versions of NFS can be disabled using the commands provided in the Microsoft article ahead of the roll-out of the patch; however, Microsoft note that this may affect functionality and might need to be reversed once patched.
Outside of Microsoft, the big news this month is CVE-2022-1388, a remote exploit affecting BIG-IP network devices that allows the attacker to run commands as root without authentication. This has been seen actively used in the wild, allowing attackers to carry out a variety of malicious activities with root access, including completely bricking devices using 'rm -rf /*' commands in an attempt to delete all local files. There have been reports of the fix itself causing issues, likely caused by incompatibility with systems missing other, older updates. Users of F5 systems are urged to patch as quickly as possible.
Cisco continue to release updates for the Spring Java bug dubbed "spring4shell", with a number of patches released across the month of May for various products. They also continue to update the list of confirmed unaffected systems in their article.