May 2022 Patch Tuesday is here, and Microsoft has marked it by releasing fixes for 74 CVE-numbered vulnerabilities, including one zero-day under active attack (CVE-2022-26925) and two publicly known vulnerabilities (CVE-2022-29972 and CVE-2022-22713).
Vulnerabilities of particular note
First and foremost, we have CVE-2022-26925, a spoofing vulnerability in the Windows Local Security Authority (LSA). Microsoft rates it “important” on its own, but notes that it becomes “critical” when chained with NTLM relay attacks: an unauthenticated attacker can call a method on the LSARPC interface and coerce a domain controller into authenticating to the attacker over NTLM, and that coerced authentication can then be relayed, for example to Active Directory Certificate Services (AD CS).
“Being actively exploited in the wild, this [vulnerability] allows an attacker to authenticate as approved users as part of an NTLM relay attack – letting threat actors gain access to the hashes of authentication protocols,” noted Kevin Breen, Director of Cyber Threat Research at Immersive Labs.
“While all servers are affected – domain controllers should be a priority for protection as, once exploited, this provides high level access to privileges, often known as ‘the keys to the kingdom.'”
Microsoft rates the attack complexity of CVE-2022-26925 as high because exploitation requires the attacker to first get into an attacker-in-the-middle position on the network path, noted Satnam Narang, staff research engineer at Tenable. He joined Microsoft in urging administrators to patch the flaw and then review Microsoft’s two documents on additional measures against NTLM relay attacks on AD CS: enabling Extended Protection for Authentication (EPA) on the certificate authority web enrollment and certificate enrollment web service endpoints, requiring SSL on those endpoints, and, where possible, disabling NTLM on the AD CS servers themselves.
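The hardening Microsoft points to for the relay half of this chain is an IIS configuration matter, so it can be audited from an exported configuration. The following is an added example, not code from the article or from Microsoft: it parses a constructed web.config-style fragment for the CertSrv web enrollment application and reports whether EPA is set to “Require”, whether SSL is required, and whether NTLM can still be negotiated. The two XML fragments are constructed samples (the weak one mirrors the default state of a web enrollment install, the second the same application after hardening), and the CertSrv path name is an assumption; certificate enrollment web service applications would be checked the same way under their own application paths.

```python
"""Audit an exported IIS configuration for the AD CS web enrollment
application (CertSrv) against the NTLM relay hardening Microsoft
recommends: Extended Protection for Authentication (EPA) set to
"Require", SSL required, and NTLM no longer offered as a provider.
Added example; the XML below is constructed, not from a real server."""
import xml.etree.ElementTree as ET

# Constructed sample: the default state of a web enrollment install,
# which a PetitPotam-style coercion plus NTLM relay can abuse.
WEAK_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="None" flags="None" />
            <providers>
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Constructed sample: the same application after applying the mitigations
# (EPA required, SSL required, Kerberos-only Negotiate, NTLM removed).
HARDENED_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="Require" flags="None" />
            <providers>
              <add value="Negotiate:Kerberos" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""


def audit_certsrv(config_xml: str) -> dict:
    """Return the relay-relevant settings of every CertSrv location in the
    configuration plus an overall verdict. Compliance means EPA is
    "Require" and SSL is required; NTLM availability is reported as well."""
    root = ET.fromstring(config_xml)
    result = {"locations": {}, "compliant": False}
    for loc in root.iter("location"):
        path = loc.get("path", "")
        # Assumed application name; match the last path segment only.
        if path.rsplit("/", 1)[-1].lower() != "certsrv":
            continue
        access = loc.find("system.webServer/security/access")
        ssl_flags = access.get("sslFlags", "None") if access is not None else "None"
        win = loc.find("system.webServer/security/authentication/windowsAuthentication")
        epa, providers = "None", []
        if win is not None:
            ext = win.find("extendedProtection")
            if ext is not None:
                epa = ext.get("tokenChecking", "None")
            providers = [p.get("value", "") for p in win.findall("providers/add")]
        # No providers at this location means the server default (Negotiate, NTLM)
        # is inherited; plain "Negotiate" can itself fall back to NTLM.
        ntlm_possible = not providers or any(p in ("NTLM", "Negotiate") for p in providers)
        ssl_required = "Ssl" in [f.strip() for f in ssl_flags.split(",")]
        result["locations"][path] = {
            "epa": epa,
            "ssl_required": ssl_required,
            "providers": providers,
            "ntlm_possible": ntlm_possible,
            "compliant": epa == "Require" and ssl_required,
        }
    locs = result["locations"]
    result["compliant"] = bool(locs) and all(v["compliant"] for v in locs.values())
    return result


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_certsrv(cfg))
```

On a real server the input would be the `<location>` entries from `applicationHost.config` or the application’s own `web.config`; an absent `<access>` or `<providers>` element means the setting is inherited from the parent level, which the audit treats as the insecure default. Note that EPA only protects the HTTP endpoints; the coercion on the LSA side is what the patch itself addresses.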
Next we have CVE-2022-29972, a flaw in a third-party ODBC data connector used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime.
Discovered and reported by Orca Security, the vulnerability “could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant,” according to Microsoft, and it was apparently not found or exploited by anyone other than Orca’s researchers.
Microsoft had, in fact, mitigated the vulnerability almost a month earlier, and has published a detailed blog post describing its mitigation actions, as well as the steps some customers must take themselves (notably those running self-hosted Integration Runtimes, which are not updated automatically) to apply the security updates so that attackers can’t leverage the flaw to expose their organization’s confidential data.
Dustin Childs of Trend Micro’s Zero Day Initiative singled out CVE-2022-26923, an EoP bug in Active Directory Domain Services that lets an attacker obtain a certificate with which they can authenticate to a domain controller at a high privilege level: all they need is to include crafted data in a certificate request.
“In essence, any domain authenticated user can become a domain admin if Active Directory Certificate Services are running on the domain. This is a very common deployment. Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later,” he noted.
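In the technique Oliver Lyak documented for CVE-2022-26923, a low-privileged domain user creates a machine account, strips its servicePrincipalName values (so the directory does not reject the next step as a duplicate), sets its dNSHostName to a domain controller’s FQDN, and enrolls for a Machine certificate that the CA then issues in the DC’s name. Those changes leave traces in the directory, and the following added example (not code from the article, from Lyak, or from Microsoft) shows a consistency check over exported computer objects that flags accounts in that state. The domain name and the directory entries are constructed sample data; a real run would feed it the results of an LDAP query for objectClass=computer. Renamed hosts or machines from another DNS zone can produce benign mismatches, so hits are triage leads, not verdicts.

```python
"""Flag computer objects left in the state the CVE-2022-26923
("Certifried") technique produces: dNSHostName pointing at a domain
controller's name, not matching the account's own sAMAccountName, and
no servicePrincipalName values. Added example; the entries below are
constructed sample data, not a dump of any real domain."""

# userAccountControl bits (MS-ADTS)
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000   # set on domain controller accounts

DOMAIN = "corp.example"  # assumed DNS name of the domain under review

# Constructed sample export: two legitimate hosts, one pre-staged account,
# and one attacker-created account after the Certifried rename.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example",
     "servicePrincipalName": ["HOST/dc01.corp.example", "ldap/dc01.corp.example"],
     "userAccountControl": SERVER_TRUST_ACCOUNT},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.corp.example",
     "servicePrincipalName": ["HOST/ws01.corp.example",
                              "RestrictedKrbHost/ws01.corp.example"],
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    # Pre-staged, never joined: no dNSHostName yet and legitimately no SPNs.
    {"sAMAccountName": "WS02$", "dNSHostName": None,
     "servicePrincipalName": [], "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    # Attacker-created via the default MachineAccountQuota, then tampered with.
    {"sAMAccountName": "DESKTOP-9X2K1$", "dNSHostName": "dc01.corp.example",
     "servicePrincipalName": [], "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]


def audit_computers(computers, domain):
    """Return [(sAMAccountName, [reasons])] for accounts whose naming
    attributes are inconsistent in the way the attack leaves them."""
    domain = domain.lower()
    # Names that belong to domain controllers (SERVER_TRUST_ACCOUNT set).
    dc_names = {
        c["dNSHostName"].lower()
        for c in computers
        if c["userAccountControl"] & SERVER_TRUST_ACCOUNT and c.get("dNSHostName")
    }
    # Every account claiming a given dNSHostName, to report squatters.
    owners = {}
    for c in computers:
        dns = (c.get("dNSHostName") or "").lower()
        if dns:
            owners.setdefault(dns, []).append(c["sAMAccountName"])

    findings = []
    for c in computers:
        sam = c["sAMAccountName"]
        uac = c["userAccountControl"]
        dns = (c.get("dNSHostName") or "").lower()
        reasons = []
        if dns:
            # A joined machine's dNSHostName is its sAMAccountName (minus '$')
            # qualified with the domain name.
            expected = f"{sam.rstrip('$').lower()}.{domain}"
            if dns != expected:
                msg = f"dNSHostName {dns} does not match sAMAccountName (expected {expected})"
                others = [o for o in owners[dns] if o != sam]
                if others:
                    msg += "; name also held by " + ", ".join(others)
                reasons.append(msg)
            if dns in dc_names and not uac & SERVER_TRUST_ACCOUNT:
                reasons.append("non-DC account carries a domain controller's dNSHostName")
            # A joined machine normally has HOST/ and RestrictedKrbHost/ SPNs;
            # the attack deletes them so the rename is not rejected.
            if not c.get("servicePrincipalName"):
                reasons.append("dNSHostName set but no servicePrincipalName values")
        if reasons:
            findings.append((sam, reasons))
    return findings


if __name__ == "__main__":
    for sam, reasons in audit_computers(SAMPLE_COMPUTERS, DOMAIN):
        print(sam)
        for r in reasons:
            print("  -", r)
```

The check is deliberately read-only and works on an export, so it can be run against a directory dump taken before and after patching; the DC account itself is not flagged for having its name squatted, the squatter is, with the legitimate holder named in the reason.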
Marked by Microsoft as “exploitation more likely,” CVE-2022-26937, a critical remote code execution flaw in Windows Network File System (NFS), has the potential to be damaging, Breen added.
“These types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data often part of a ransom attempt. It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.”
UPDATE (May 12, 2022, 04:20 a.m. ET):
As it turns out, CVE-2022-26925 is not new:
To be clear, CVE-2022-26925 is PetitPotam unauthenticated, found by @topotam77. MS reintroduced the vulnerability in some patch between Dec 2021 and March 2022
— Raphael (@raphajohnsec) May 10, 2022
The story behind CVE-2022-26925 is no advanced reverse engineering, but a lucky accident 😉
During my pentests in January and March I saw that PetitPotam worked against the DCs. 1/2
— Raphael (@raphajohnsec) May 11, 2022
Also, there’s now more information about CVE-2022-26923, the Active Directory Domain Services EoP, by Oliver Lyak, who unearthed it.
It should definitely be prioritized for patching, but the patch alone does not finish the job: the update initially leaves domain controllers in a compatibility mode that logs, rather than rejects, certificates that can only be weakly mapped to an account, so it should be supplemented with Microsoft’s additional actions for moving domain controllers to full enforcement of strong certificate binding.