Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches

Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch Tuesday, April 12th.

Alternative video link (for Russia): https://vk.com/video-149273431_456239089

I have set direct links in comments_links.txt for Qualys, ZDI and Kaspersky blog posts.

$ cat comments_links.txt
Qualys|May 2022 Patch Tuesday: Microsoft Releases 75 Vulnerabilities with 8 Critical; Adobe Releases 5 Advisories, 18 Vulnerabilities with 16 Critical|https://blog.qualys.com/vulnerabilities-threat-research/2022/05/10/may-2022-patch-tuesday
ZDI|THE MAY 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/5/10/the-may-2022-security-update-review
Kaspersky|Actively exploited vulnerability in Windows|https://www.kaspersky.com/blog/windows-actively-exploited-vulnerability-cve-2022-26925/44305/

$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "May" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
MS PT Year: 2022
MS PT Month: May
MS PT Date: 2022-05-10
MS PT CVEs found: 73
Ext MS PT Date from: 2022-04-13
Ext MS PT Date to: 2022-05-09
Ext MS PT CVEs found: 38
ALL MS PT CVEs: 111
...

Let’s see the report.

  • All vulnerabilities: 110
  • Urgent: 0
  • Critical: 1
  • High: 27
  • Medium: 69
  • Low: 13

The most dangerous, and the only critical, vulnerability of this month was actually published between Patch Tuesdays: Memory Corruption in Microsoft Edge/Chromium (CVE-2022-1364). Exploitation in the wild was mentioned on the AttackerKB website, and the vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog: “Google is aware that an exploit for this vulnerability exists in the wild”. This is the first example of the new Vulristics functionality: the CVSS Base Score for this vulnerability was taken from a third-party site, WhiteSource, because it was not available on NVD.

The most dangerous and most hyped vulnerability among those presented directly on Patch Tuesday is Spoofing in Windows Local Security Authority (LSA) (CVE-2022-26925). The vulnerability affects all Windows operating systems from Windows 7 (Windows Server 2008 for server systems) onwards. It received a CVSSv3 score of 8.1. However, when chained with an NT LAN Manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8. According to the advisory from Microsoft, it has been exploited in the wild as a zero-day. An unauthenticated attacker could force domain controllers to authenticate to an attacker-controlled server using NTLM. Raphael John, who is credited by Microsoft for reporting this vulnerability, revealed on Twitter that it is actually the bug known as PetitPotam (CVE-2021-36942) from August 2021: “The story behind CVE-2022-26925 is no advanced reverse engineering, but a lucky accident. During my pentests in January and March, I saw that PetitPotam worked against the [domain controllers]”. It looks like Microsoft failed to properly fix the PetitPotam vulnerability.

There were 10 Remote Code Execution vulnerabilities in Windows LDAP this month. Vulnerability management vendors single out CVE-2022-22012 and CVE-2022-29130 because they have the highest CVSS Base Score, 9.8. An unauthenticated attacker could send a specially crafted request to a vulnerable server; successful exploitation could result in the attacker’s code running in the context of the SYSTEM account. These vulnerabilities are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default; systems with the default value of this policy are not vulnerable.
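As an added example (not part of the original post or of the Vulristics project), here is a small Python check for that MaxReceiveBuffer precondition. On a domain controller the LDAP policy values are stored as "Name=Value" strings in the multi-valued lDAPAdminLimits attribute of a query policy object (the default one is CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition; policies can also be assigned per site or per DC, so check every policy object), and the same values can be displayed with ntdsutil's "LDAP policies" / "Show Values". The input below is a constructed copy of such attribute values, and the default of 10,485,760 bytes is the Microsoft-documented default, taken here as an assumption about your environment.

```python
import re
from typing import Dict, Iterable, Optional

# Microsoft-documented default for the MaxReceiveBuffer LDAP policy (10 MB).
# Assumption: your DCs were not built with a different baseline.
DEFAULT_MAX_RECEIVE_BUFFER = 10_485_760

# Constructed sample of lDAPAdminLimits values for a query policy object.
# Real output has more entries; only the "Name=Value" shape matters here.
SAMPLE_LIMITS_DEFAULT = [
    "MaxReceiveBuffer=10485760",
    "MaxPageSize=1000",
    "MaxQueryDuration=120",
]
SAMPLE_LIMITS_RAISED = [
    "MaxReceiveBuffer=20971520",   # raised by an admin to accommodate large requests
    "MaxPageSize=1000",
]

_LIMIT_RE = re.compile(r"^\s*(?P<name>[A-Za-z]+)\s*=\s*(?P<value>-?\d+)\s*$")


def parse_ldap_admin_limits(values: Iterable[str]) -> Dict[str, int]:
    """Turn "Name=Value" strings into a dict; malformed entries are skipped."""
    limits: Dict[str, int] = {}
    for raw in values:
        m = _LIMIT_RE.match(raw)
        if m:
            limits[m.group("name")] = int(m.group("value"))
    return limits


def max_receive_buffer_status(values: Iterable[str],
                              default: int = DEFAULT_MAX_RECEIVE_BUFFER) -> dict:
    """Report whether MaxReceiveBuffer is above the default, which is the
    precondition Microsoft states for CVE-2022-22012 / CVE-2022-29130."""
    limits = parse_ldap_admin_limits(values)
    configured: Optional[int] = limits.get("MaxReceiveBuffer")
    # A missing entry means the built-in default applies.
    effective = default if configured is None else configured
    return {
        "configured": configured,
        "effective": effective,
        "default": default,
        "above_default": effective > default,
    }


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_LIMITS_DEFAULT),
                          ("raised", SAMPLE_LIMITS_RAISED)):
        status = max_receive_buffer_status(sample)
        verdict = ("REVIEW: above default, patch these DCs first"
                   if status["above_default"] else "OK: at or below default")
        print(f"{label}: MaxReceiveBuffer={status['effective']} -> {verdict}")
```

Feed the function the lDAPAdminLimits values of each query policy object you find; a policy that does not mention MaxReceiveBuffer at all is treated as running the default.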

Remote Code Execution in Windows Network File System (CVE-2022-26937). This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to the Network File System (NFS) service. NFS version 4.1 is not affected, and Microsoft recommends disabling NFS versions 2 and 3 as a workaround for those who cannot apply the patch immediately. Exploitability Assessment: Exploitation More Likely.

Remote Code Execution in Windows Remote Desktop Client (CVE-2022-22017). An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim’s system in the context of the targeted user. Exploitability Assessment: Exploitation More Likely.

Elevation of Privilege in Windows Print Spooler (CVE-2022-29104, CVE-2022-29132). These are just the latest in a long line of EoP vulnerabilities Microsoft has addressed in Print Spooler over the last year, several of which have been exploited in attacks.

An interesting situation developed around Elevation of Privilege in Kerberos (CVE-2022-26931) and Elevation of Privilege in Active Directory (CVE-2022-26923). The patches for these vulnerabilities caused service authentication problems when deployed on Windows Server domain controllers, but within a week the problem was resolved: Microsoft released a workaround and additional updates for domain controllers.

None of the vulnerabilities in this episode have a public exploit, but some of them carry a “Proof-of-Concept Exploit” mark in the Microsoft CVSS Temporal Score, so it is more likely that exploits for them will appear soon.
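For that temporal-score remark, here is an added Python example (not from the post or from Vulristics) that parses CVSS v3.1 vector strings, reads the Exploit Code Maturity metric (E:U unproven, E:P proof-of-concept, E:F functional, E:H high), recomputes the temporal score with the specification's weights and Roundup function, and lists the entries worth watching. The advisory ids and vectors are constructed for illustration; only the metric weights come from the CVSS v3.1 specification.

```python
from typing import Dict, List, Tuple

# Temporal metric weights from the CVSS v3.1 specification.
EXPLOIT_CODE_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}
MATURITY_LABEL = {"X": "Not Defined", "U": "Unproven", "P": "Proof-of-Concept",
                  "F": "Functional", "H": "High"}

# Constructed sample: ids and vectors are invented, not taken from any advisory.
SAMPLE_ADVISORIES = [
    {"cve": "CVE-0000-00001", "base": 9.8,
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"},
    {"cve": "CVE-0000-00002", "base": 8.1,
     "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"},
    {"cve": "CVE-0000-00003", "base": 7.8,
     "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C"},
    {"cve": "CVE-0000-00004", "base": 5.5,   # no temporal part at all
     "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
]


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v3.x vector into a metric -> value map (version prefix dropped)."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition(":")
        if not key or not val:
            raise ValueError(f"malformed metric {part!r} in {vector}")
        metrics[key] = val
    return metrics


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, in integer arithmetic
    so that float drift cannot push a score across a boundary."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (i // 10000 + 1) / 10.0


def exploit_maturity(vector: str) -> str:
    """Human-readable Exploit Code Maturity; a missing E metric means Not Defined."""
    return MATURITY_LABEL[parse_vector(vector).get("E", "X")]


def temporal_score(base: float, vector: str) -> float:
    """Temporal score = Roundup(Base * E * RL * RC), per CVSS v3.1."""
    m = parse_vector(vector)
    return roundup(base
                   * EXPLOIT_CODE_MATURITY[m.get("E", "X")]
                   * REMEDIATION_LEVEL[m.get("RL", "X")]
                   * REPORT_CONFIDENCE[m.get("RC", "X")])


def poc_or_better(advisories) -> List[Tuple[str, str, float]]:
    """(cve, maturity label, temporal score) for entries whose E is P, F or H:
    the ones where exploit code already exists in some form."""
    out: List[Tuple[str, str, float]] = []
    for adv in advisories:
        e = parse_vector(adv["vector"]).get("E", "X")
        if e in ("P", "F", "H"):
            out.append((adv["cve"], MATURITY_LABEL[e],
                        temporal_score(adv["base"], adv["vector"])))
    return out


if __name__ == "__main__":
    for cve, label, score in poc_or_better(SAMPLE_ADVISORIES):
        print(f"{cve}: {label} exploit, temporal score {score}")
```

The E metric is what the “Proof-of-Concept Exploit” mark in Microsoft's advisories corresponds to; sorting your patch list by that metric rather than by the base score alone surfaces the items most likely to be weaponised first.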

The full report is available here: ms_patch_tuesday_may2022_report
