Threat Response: Patches available for multiple critical vulnerabilities in Microsoft products

13-04-2022


On Tuesday April 12th, Microsoft published a number of patches for multiple security vulnerabilities as part of “Patch Tuesday”. The patched vulnerabilities include critical security vulnerabilities in Microsoft Windows.

We recommend installing these patches as soon as possible.

Description

On April 12th, Microsoft published security patches for a large number of vulnerabilities, ten of which are marked as ‘critical’. The two most severe vulnerabilities are tracked under the following CVE numbers:

  • CVE-2022-26809 – RPC Runtime Library Remote Code Execution Vulnerability (CVSS3.1: 9.8)
  • CVE-2022-24491 – Windows Network File System Remote Code Execution Vulnerability (CVSS3.1: 9.8)

In total, Microsoft has patched 101 vulnerabilities with this update. This Threat Response will describe the most important vulnerabilities. Microsoft has published a complete overview of the patched vulnerabilities[1].

CVE-2022-26809 – RPC Runtime Library Remote Code Execution Vulnerability

This vulnerability allows unauthenticated users to execute arbitrary code. Using a specially crafted RPC call, a user can remotely execute arbitrary code with the same privileges as the RPC service on the targeted host. This vulnerability is wormable, which means that exploitation can spread to other vulnerable hosts without any human interaction.

CVE-2022-24491 – Windows Network File System Remote Code Execution Vulnerability

This vulnerability also allows unauthenticated users to execute arbitrary code. Systems with the NFS Role enabled can be targeted using a specially crafted NFS protocol message, which allows for remote code execution without any human interaction. This vulnerability is therefore also considered wormable.

Impact

From the list of vulnerabilities, ten are marked as critical. Arbitrary code execution has a large impact on the affected system, and, because malicious users are able to use this for lateral movement, we assess the impact as high. Microsoft has provided a detailed list of all the affected products[2,3].

Risk

There is currently no public exploit code available for the two vulnerabilities mentioned above, but we expect it to become available soon. Furthermore, a proof-of-concept and a Metasploit module are already available for one of the other patched vulnerabilities (CVE-2022-26904). We assess the risk as high.

Mitigation

We recommend installing the security updates as soon as possible. If this is not possible, the following mitigations can be taken:

CVE-2022-26809 – RPC Runtime Library Remote Code Execution Vulnerability

Port 445 is used to initiate the RPC connection. Blocking this port at the network perimeter firewall will protect against external attempts to exploit this vulnerability. However, systems could still be vulnerable to attacks from the internal network, which would allow exploitation of this vulnerability to spread quickly.

CVE-2022-24491 – Windows Network File System Remote Code Execution Vulnerability

This vulnerability is only exploitable on hosts with the NFS Role enabled and can be prevented by disabling this role. Microsoft has published documentation with more information on installing or uninstalling Roles or Role Services [4].
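The following PowerShell script is an added example (not part of this Threat Response or Microsoft's guidance) that audits a single host against the two mitigations above: it checks whether the Server for NFS role is installed and dry-runs its removal, and it reports whether TCP/445 is listening and which enabled inbound firewall rules allow it. It assumes a Windows Server host (Get-WindowsFeature requires the ServerManager module) and an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Assumed audit script, not from the advisory: reports this host's exposure
# to the two mitigations (NFS role, TCP/445) and dry-runs the NFS role removal.

# --- CVE-2022-24491: is the "Server for NFS" role installed? ---
# FS-NFS-Service is the Windows Server feature name for "Server for NFS".
$nfs = Get-WindowsFeature -Name FS-NFS-Service
if ($nfs.Installed) {
    Write-Warning "Server for NFS role is installed; host is in scope for CVE-2022-24491."
    # Dry run of the mitigation; remove -WhatIf to actually uninstall the role.
    Uninstall-WindowsFeature -Name FS-NFS-Service -WhatIf
} else {
    Write-Output "Server for NFS role is not installed."
}

# --- CVE-2022-26809: is TCP/445 listening, and which rules allow it inbound? ---
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $addrs = ($listening.LocalAddress | Sort-Object -Unique) -join ', '
    Write-Output "TCP/445 is listening on: $addrs"
} else {
    Write-Output "TCP/445 is not listening."
}

# Enabled inbound Allow rules whose port filter includes 445 (e.g. File and Printer Sharing).
# Rules scoped to 'Any' remote address are the ones worth reviewing against the
# perimeter block recommended above.
$allowRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($rule in $allowRules) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Output ("Allow rule '{0}' profile={1} remote={2}" -f $rule.DisplayName, $rule.Profile, $scope)
}
```

Run it on the hosts that are still unpatched to decide where the NFS role can be removed and which 445 exposure relies on the perimeter block rather than host-level scoping.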

What should you do?

Install the latest updates.

What will Northwave do?

Northwave will monitor developments around these vulnerabilities. When possible, we will add detection rules around these vulnerabilities to the Northwave Detection Platform. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information, please reach out to us by phone or email.

Phone number: +31 (0)30-303 1244 (during business hours)

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909
Disclaimer applies, see below.

Sources

[1] https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr

[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809

[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491

[4] https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.