Thursday, July 7, 2022
Colorado Digital News

Microsoft

by NewsReporter
April 13, 2022
in Aurora

Microsoft’s massive April Patch Tuesday includes one bug that has already been exploited in the wild and a second that has been publicly disclosed.

In total, the Redmond giant patched a whopping 128 bugs today, including 10 critical remote code execution (RCE) vulnerabilities.

First, though: CVE-2022-24521, which NSA and CrowdStrike security researchers reported to Microsoft, is under active exploitation. It’s an elevation-of-privilege vulnerability, and it occurs in the Windows Common Log File System Driver. 

While its severity score didn’t rank as high as some on today’s list — it received a 7.8 CVSS score, aka “important” — Microsoft rated its attack complexity as low. It can be used by rogue software and users to gain admin-level privileges on a logged-in machine.

So this, combined with the fact that it is already being actively exploited, should make it “top of the priority list this month,” said Kev Breen, director of cyber threat research at Immersive Labs. “With it being the type of vulnerability for escalating privileges — this would indicate a threat actor is currently using it to aid lateral movement to capitalize on a pre-existing foothold,” he noted.

Breen also commented on the high number of privilege escalation vulnerabilities that Microsoft labeled as “exploitation more likely.”  

“This speaks to its increasing popularity as a technique, providing lateral movement to critical and high value targets once attackers have gained initial access,” Breen said.

Though CVE-2022-24521 has been exploited, its exploit code is not public, according to Microsoft. The opposite is the case for fellow privilege-escalation hole CVE-2022-26904, which has had its exploit publicly disclosed though no malicious exploitation is said to have happened yet, apparently.

This flaw, which occurs in Windows User Profile Service, received a CVSS severity score of 7.0, aka important, and Microsoft ranked its attack complexity as high because “successful exploitation of this vulnerability requires an attacker to win a race condition.” That might explain why no one’s exploited it yet. It can be abused to raise the privileges of a normal user.

Trend Micro’s Dustin Childs noted on the Zero Day Initiative blog that not only does a proof-of-concept exploit exist for this bug, there’s also a Metasploit module. So most of the legwork has already been done for would-be attackers. The requirements for exploitation are a little involved.


A few other notable high-severity bugs in April’s patch-a-looza include a remote procedure call runtime RCE vulnerability (CVE-2022-26809) and two Windows Network File System RCE vulns (CVE-2022-24491 and CVE-2022-24497). 

All three of these RCE bugs received a 9.8 CVSS score, which means they are about as bad as they come.

CVE-2022-26809, which has a low attack complexity, is found in Microsoft’s Server Message Block (SMB) functionality. To exploit this bug, an attacker would send a specially crafted remote procedure call (RPC) to an RPC host machine, Microsoft explained. “This could result in remote code execution on the server side with the same permissions as the RPC service,” the security note detailed. Microsoft also advised blocking TCP port 445 at the perimeter firewall to prevent new attacks coming in from the internet.

Meanwhile, the two Windows Network File System (NFS) holes (CVE-2022-24491 and CVE-2022-24497) also received a 9.8 CVSS, and Microsoft said exploitation is “more likely.”

“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction,” Childs noted. “Again, that adds up to a wormable bug — at least between NFS servers.”

These vulnerabilities would be appealing to ransomware operators because they have the potential to expose critical data, Breen added.

Adobe joins the patch party

Adobe also issued a ton of fixes in its April patch event.

In total, it released four updates that address 78 vulnerabilities in its Acrobat and Reader, Photoshop, After Effects, and Adobe Commerce products.

The bulk of these are found in Adobe Acrobat and Reader and address 62 critical, important, and moderate vulnerabilities on Windows and macOS. If exploited, they could allow for arbitrary code execution, memory leaks, security feature bypass, and privilege escalation, according to Adobe.

The Zero Day Initiative noted the most severe bugs here are the critical-rated use-after-free() and out-of-bounds write vulns. “These could allow an attacker to execute code on a target system if they can convince a user to open a specially crafted PDF document,” Childs wrote.

Google updates Android, Cisco still battling Spring Framework

Meanwhile, Google patched 44 vulnerabilities in its April Android update earlier this month.

The most severe bug of the bunch is a high-severity flaw in Framework that could allow an attacker to escalate privilege with no additional execution privileges needed, according to the security advisory.

Also today Cisco updated a security advisory that addresses a critical vulnerability in Spring Framework. CVE-2022-22965, which received a 9.8 CVSS severity score, affects a long list of Cisco products — not to mention a slew of other vendors’ products that use the open-source Spring Framework.

Since the Java RCE vuln was first discovered last month, it’s been a race between defenders, trying to patch buggy products, and attackers attempting to exploit holes in said products and unleash all types of malware.

As Cisco noted in its security update: “The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.” ®
