March 2022 Patch Tuesday: Microsoft fixes RCEs in RDP client, Exchange Server
Microsoft marks March 2022 Patch Tuesday with patches for 71 CVE-numbered vulnerabilities, including three previously unknown “critical” ones and three “important” ones that were already public (but not actively exploited by attackers).
Vulnerabilities of note
CVE-2022-21990, a publicly known Remote Desktop Client remote code execution (RCE) flaw, should be patched quickly.
“If an attacker can lure an affected RDP client to connect to their RDP server, the attacker could trigger code execution on the targeted client,” says Dustin Childs, with Trend Micro’s Zero Day Initiative.
Among the critical vulnerabilities, an RCE in Microsoft Exchange Server (CVE-2022-23277) also deserves immediate attention.
“The vulnerability would allow an authenticated attacker to execute their code with elevated privileges through a network call. This is also listed as low complexity with exploitation more likely, so it would not surprise me to see this bug exploited in the wild soon – despite the authentication requirement,” Childs opines.
CVE-2022-22006 and CVE-2022-24501, two RCEs in the HEVC and VP9 Video Extensions (respectively) might be critical because of their effect, but the updates for the apps are pushed automatically by the Microsoft Store, so customers needn’t worry about patching those – if they haven’t disabled automatic updates for the Microsoft Store, that is.
CVE-2022-24508, a Windows SMBv3 Client/Server RCE vulnerability, “also seems to be one to watch out for, especially as Microsoft has marked it ‘exploitation more likely’ and provided additional mitigations,” says Kevin Breen, Director of Cyber Threat Research at Immersive Labs.
“While successful exploitation requires valid credentials, Microsoft provides advice on limiting SMB traffic in lateral and external connections. While this is a strong step in providing defense in depth, blocking such connections can also have an adverse effect on other tools using these connections, something to be considered in mitigation attempts.”
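The trade-off Breen describes (limiting SMB traffic is strong defense in depth, but it can break tools that rely on those connections) is easiest to manage if you audit before you block. The following PowerShell script is an added example, not code from the article, from Microsoft or from Immersive Labs: it first lists the local processes that currently hold outbound SMB sessions, then creates Windows Defender Firewall block rules for TCP 445 (inbound and outbound on the Public profile, and outbound to Internet addresses on all profiles) only when run with -Enforce. Rule names, the choice of profiles and the address scoping are assumptions for this example; adjust them to your estate and run in an elevated session.

```powershell
# Added example (not from the article or Microsoft): audit current outbound SMB use,
# then add Windows Defender Firewall block rules for SMB (TCP 445) on the Public
# profile and for outbound SMB to Internet addresses. Requires an elevated session.
# Assumptions: rule display names and profile/address scoping are hypothetical choices.
param(
    [switch]$Enforce   # without -Enforce the script only reports and changes nothing
)

# 1. Audit first: which local processes hold established outbound SMB sessions right now?
#    Block rules take precedence over allow rules in Windows Defender Firewall, so any
#    process listed here to a remote address you intend to block will lose connectivity.
$smbSessions = Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process       = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            PID           = $_.OwningProcess
            LocalAddress  = $_.LocalAddress
            RemoteAddress = $_.RemoteAddress
        }
    }

if ($smbSessions) {
    Write-Host "Established outbound SMB sessions (review before enforcing):"
    $smbSessions | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host "No established outbound SMB sessions found."
}

# 2. Rule set (assumed for this example). Inbound rules scope on the local port,
#    outbound rules on the remote port, so the port parameter differs per direction.
$rules = @(
    @{ DisplayName = 'Example - Block SMB inbound (Public profile)';  Direction = 'Inbound';  Profile = 'Public'; RemoteAddress = 'Any' },
    @{ DisplayName = 'Example - Block SMB outbound (Public profile)'; Direction = 'Outbound'; Profile = 'Public'; RemoteAddress = 'Any' },
    @{ DisplayName = 'Example - Block SMB outbound to Internet';      Direction = 'Outbound'; Profile = 'Any';    RemoteAddress = 'Internet' }
)

foreach ($r in $rules) {
    $existing = Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Already present: $($r.DisplayName)"
        continue
    }
    if (-not $Enforce) {
        Write-Host "Would create: $($r.DisplayName) (re-run with -Enforce to apply)"
        continue
    }

    $params = @{
        DisplayName   = $r.DisplayName
        Direction     = $r.Direction
        Profile       = $r.Profile
        Protocol      = 'TCP'
        RemoteAddress = $r.RemoteAddress
        Action        = 'Block'
        Enabled       = 'True'
    }
    if ($r.Direction -eq 'Inbound') { $params.LocalPort = 445 } else { $params.RemotePort = 445 }

    New-NetFirewallRule @params | Out-Null
    Write-Host "Created: $($r.DisplayName)"
}

# 3. Verify what is now in place for the example rules.
Get-NetFirewallRule -DisplayName 'Example - Block SMB*' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Direction, Profile, Action, Enabled |
    Format-Table -AutoSize
```

Run it once without -Enforce to see the current SMB sessions and the rules it would add, reconcile that list with backup agents, file-transfer tools and management software that legitimately use SMB, then run it again with -Enforce. Perimeter blocking of TCP 445 at the network edge is a separate control and is not covered by host firewall rules.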
Finally, CVE-2022-23278, a spoofing vulnerability affecting Microsoft Defender for Endpoint for all platforms, deserves a special mention even though attackers must gather information specific to the environment of the targeted component before being able to exploit it.
Microsoft has released an accompanying post explaining how the solution can be updated on various platforms and reassuring customers that the company is not aware of any attacks that have leveraged this vulnerability.
Nevertheless, Microsoft has released detections for possible exploit activity and a threat analytics article that delineates risk and possible exploit activity.
UPDATE (March 9, 2021, 11:10 p.m. PT):
More details about the spoofing vulnerability affecting Microsoft Defender for Endpoint:
Yesterday was Patch-Tuesday. All Microsoft Defender for Endpoint agents received a patch for a spoofing vulnerability we discovered.
This is documented in https://t.co/EZtF2qIo5C and can be tracked in MDE: https://t.co/VhM8JYZqTO A blog will follow soon detailing how we found it
— FalconForce Official (@falconforceteam) March 9, 2022