Microsoft fixes actively exploited zero-day reported by the NSA (CVE-2022-24521)

On this April 2022 Patch Tuesday, Microsoft has released patches for 128 CVE-numbered vulnerabilities, including one zero-day exploited in the wild (CVE-2022-24521) and another (CVE-2022-26904) for which there’s already a PoC and a Metasploit module.


Vulnerabilities of note

CVE-2022-24521 is a vulnerability in the Windows Common Log File System Driver that was reported to Microsoft by the National Security Agency (NSA) and by Adam Podlosky and Amir Bazine of CrowdStrike.

“Since CVE-2022-24521 only allows a privilege escalation, it is likely paired with a separate code execution bug,” noted Dustin Childs, with Trend Micro’s Zero Day Initiative. While the attack exploiting it is likely to be targeted and the exploit used not broadly available, he advised admins to patch systems before that situation changes.

There are other vulnerabilities that should be fixed before that one, though.

Childs flagged CVE-2022-26904, an EoP flaw that affects Windows User Profile Service, because it’s publicly known and there’s a Metasploit module for it already.

“Even though exploitation of this vulnerability requires an attacker to perfectly time their attack to win a race condition, Microsoft has rated it as ‘Exploitation More Likely,’” says Claire Tills, senior research engineer at Tenable.

Another flaw that should be patched quickly is CVE-2022-26809, an RPC Runtime Library RCE flaw.

“This vulnerability is found in Microsoft’s Server Message Block (SMB) functionality. The SMB protocol is used primarily for file sharing and inter-process communication including Remote Procedure Calls (RPCs). RPC is a communication mechanism that allows for one program to request a service or functionality from another program located on the network (internet and/or intranet). RPCs can be used in technologies like storage replica or managing shared volumes,” Danny Kim, Principal Architect at Virsec, explained.

“Using the vulnerability, an attacker can create a specially-crafted RPC to execute code on the remote server with the same permissions as the RPC service. Microsoft recommends configuring some firewall rules to help prevent this vulnerability from being exploited. However, for customers who require this functionality, this guide has limited efficacy. To augment the firewall rules, enterprises should consider security controls that directly monitor and protect core software functionality and behavior.”

Childs also worries that, since no user interaction is required to exploit it and the bug is, in effect, wormable, it could be used for wider attacks. Alternatively, it could be used by attackers to move laterally within a target network.

Two other “nearly wormable” bugs that should be splatted quickly are CVE-2022-24491 and CVE-2022-24497, RCEs in the Windows Network File System (NFS), he added.

“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction. Again, that adds up to a wormable bug – at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter. However, Microsoft does provide guidance on how the RPC port multiplexer (port 2049) ‘is firewall-friendly and simplifies deployment of NFS.’ Check your installations and roll out these patches rapidly.”
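The “check your installations” step above, as an added example that is not from the article, Microsoft, or ZDI: a PowerShell inventory check that reports whether the Server for NFS role is installed, whether anything is listening on the RPC port multiplexer port 2049, and which enabled inbound firewall rules allow that port. It assumes a Windows Server host with the standard ServerManager and NetSecurity modules; the role name FS-NFS-Service is the usual Server Manager feature name.

```powershell
# Added example: inventory NFS exposure on a Windows Server host so the
# CVE-2022-24491 / CVE-2022-24497 patches can be prioritised.
# Not code from the article. Assumes Windows Server with the ServerManager
# and NetSecurity modules present (standard on Server SKUs).

$NfsPort = 2049   # RPC port multiplexer port cited in Microsoft's NFS guidance

function Get-NfsExposure {
    # 1. Is the Server for NFS role installed at all?
    $role = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    $roleInstalled = [bool]($role -and $role.Installed)

    # 2. Is something actually listening on 2049 right now?
    $listener = Get-NetTCPConnection -LocalPort $NfsPort -State Listen -ErrorAction SilentlyContinue
    $listening = [bool]$listener

    # 3. Which enabled inbound Allow rules open 2049 (or every port)?
    $openRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq $NfsPort -or $_.LocalPort -eq 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object -ExpandProperty DisplayName -Unique

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        NfsRoleInstalled  = $roleInstalled
        ListeningOn2049   = $listening
        InboundAllowRules = @($openRules)
        # Exposed = role present, port listening, and at least one rule lets it in
        Exposed           = ($roleInstalled -and $listening -and (@($openRules).Count -gt 0))
    }
}

Get-NfsExposure | Format-List
```

Hosts that report Exposed = True are the ones to patch first; a host with the role installed but no listener or no allow rule still needs the update, just with less urgency.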

Finally, the Windows Hyper-V, DNS Server, and Windows Print Spooler updates carry a lot of fixes this month, so admins might consider getting to those sooner rather than later.

As a closing sidenote, Microsoft has recently announced the upcoming availability of Windows Autopatch, an automated, managed service by Microsoft to help enterprise IT admins keep Windows and Office always up-to-date.
