Report Name: Microsoft Patch Tuesday, May 2022
Generated: 2022-05-25 16:32:54

Product Name	Prevalence	U	C	H	M	L	Comment
Kerberos	1				1		Kerberos
Active Directory	0.9				1		Active Directory is a directory service developed by Microsoft for Windows domain networks
Remote Procedure Call Runtime	0.9			1			Remote Procedure Call Runtime
Windows Kernel	0.9				3		Windows Kernel
Windows LDAP	0.9			10			Windows LDAP
.NET Framework	0.8				1		.NET Framework
BitLocker	0.8				1		A full volume encryption feature included with Microsoft Windows versions starting with Windows Vista
Microsoft Edge	0.8		1		22	13	Web browser
Microsoft Exchange	0.8				1		Exchange
Microsoft Windows	0.8			1			Windows component
Tablet Windows User Interface Application	0.8				1		Windows component
Windows ALPC	0.8				1		Windows component
Windows Address Book	0.8			1			Windows component
Windows Authentication	0.8			1			Windows component
Windows Clustered Shared Volume	0.8			1	7		Windows component
Windows Digital Media Receiver	0.8				1		Windows component
Windows Failover Cluster	0.8				1		Windows component
Windows Fax Service	0.8			1			Windows component
Windows Graphics Component	0.8			1	3		Windows component
Windows Hyper-V Shared Virtual Disk	0.8				1		Windows component
Windows LSA	0.8			1			Windows component
Windows NTFS	0.8				1		The default file system of the Windows NT family
Windows Network File System	0.8			1			Windows component
Windows PlayToManager	0.8				1		Windows component
Windows Print Spooler	0.8				4		Windows component
Windows Push Notifications Apps	0.8				1		Windows component
Windows Remote Access	0.8				2		Windows component
Windows Remote Desktop	0.8				1		Windows component
Windows Remote Desktop Client	0.8			1			Remote Desktop Protocol Client
Windows Remote Desktop Protocol	0.8				1		Windows component
Windows Server Service	0.8				1		Windows component
Windows WLAN AutoConfig Service	0.8				2		Windows сomponent
.NET	0.7				3		.NET
Microsoft SharePoint	0.7			1			Microsoft SharePoint
Point-to-Point Tunneling Protocol	0.7			2			The Point to Point Tunneling Protocol (PPTP) is a network protocol used to create VPN tunnels between public networks
Storage Spaces Direct	0.7				3		Storage Spaces Direct is a feature of Azure Stack HCI and Windows Server that enables you to cluster servers with internal storage into a software-defined storage solution
Magnitude Simba Amazon Redshift ODBC Driver	0.6			1			Magnitude Simba Amazon Redshift ODBC Driver
Microsoft Excel	0.6			2			MS Office product
Microsoft Office	0.6				1		Microsoft Office
Windows Hyper-V	0.6			1	1		Hardware virtualization component of the client editions of Windows NT
Visual Studio	0.3				1		Integrated development environment
Visual Studio Code	0.3				1		Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0			23	2		Remote Code Execution
Security Feature Bypass	0.9			1	3		Security Feature Bypass
Denial of Service	0.7			1	5		Denial of Service
Memory Corruption	0.6		1		19		Memory Corruption
Elevation of Privilege	0.5				23		Elevation of Privilege
Information Disclosure	0.4			1	16		Information Disclosure
Spoofing	0.4			1	1		Spoofing
Unknown Vulnerability Type	0					13	Unknown Vulnerability Type

Urgent (0)

Critical (1)

1. Memory Corruption - Microsoft Edge (CVE-2022-1364) - Critical [637]

Description: Chromium: CVE-2022-1364: Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2022-1364 exists in the wild.

MS PT Extended: CVE-2022-1364 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

High (27)

2. Spoofing - Windows LSA (CVE-2022-26925) - High [583]

Description: Windows LSA Spoofing Vulnerability.

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 75 vulnerabilities in the May 2022 update, including one advisory ( ADV2200011 ) for Azure in response to CVE-2022-29972, a publicly exposed Zero-Day Remote Code Execution (RCE) Vulnerability, and eight (8) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE) or Elevation of Privileges. This month’s Patch Tuesday release includes fixes for two (2) other zero-day vulnerabilities as well: one known to be actively exploited (CVE-2022-26925) and the other for being publicly exposed (CVE-2022-22713). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.

qualys: Notable Microsoft Vulnerabilities Patched This month’s advisory covers multiple Microsoft product families, including Azure, Developer Tools, Extended Security Update (ESU), Exchange Server, Microsoft Office, and Windows. A total of 97 unique Microsoft products/versions are affected. Downloads include Monthly Rollup, Security Only, Security Update, and ServicingStackUpdate. The most urgent bug Microsoft addressed this month is CVE-2022-26925, a weakness in a central component of Windows security (the “Local Security Authority” (LSARPC) process within Windows). CVE-2022-26925 has been publicly disclosed and it is now actively being exploited in the wild.

qualys: CVE-2022-26925 | Windows LSA Spoofing Vulnerability This vulnerability has a CVSSv3.1 score of 8.1/10. Please note that the combined CVSS score would be 9.8 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS). Please see ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for additional information. The vulnerability affects Windows 7 through 10 and Windows Server 2008 through 2022. While this vulnerability affects all servers, domain controllers should be prioritized in terms of applying security updates. After applying the security updates, please see KB5005413 for more information on further steps that you need to take to protect your system. An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it. According to the CVSS metric, the attack complexity is high. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications. This is called a man-in-the-middle (MITM) attack. Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-26925 is a spoofing vulnerability in the Windows Local Security Authority (LSA) that received a CVSSv3 score of 8.1. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8. According to the advisory from Microsoft, it has been exploited in the wild as a zero-day. An unauthenticated attacker could coerce domain controllers to authenticate to an attacker-controller server using NTLM. Microsoft provides two pieces of documentation for further protecting systems against these attacks. Microsoft recommends that organizations prioritize patching domain controllers for this vulnerability.

rapid7: There is one 0-day this month: CVE-2022-26925, a Spoofing vulnerability in the Windows Local Security Authority (LSA) subsystem, which allows attackers able to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication. This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution (RCE). This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.

zdi: CVE-2022-26925 – Windows LSA Spoofing Vulnerability. This complex-sounding vulnerability could allow an unauthenticated attacker to force a domain controller to authenticate against another server using NTLM. The threat actor would need to be in the logical network path between the target and the resource requested (e.g., Man-in-the-Middle), but since this is listed as under active attack, someone must have figured out how to make that happen. Microsoft notes this would be a CVSS 9.8 if combined with NTLM relay attacks, making this even more severe. In addition to this patch, sysadmins should review KB5005413 and Advisory ADV210003 to see what additional measures can be taken to prevent NTLM relay attacks. Also note this patch affects some backup functionality on Server 2008 SP2. If you’re running that OS, read this one carefully to ensure your backups can still be used to restore.

kaspersky: CVE-2022-26925 – the most dangerous of the addressed vulnerabilities

kaspersky: Apparently, the most dangerous vulnerability addressed in this update pack is CVE-2022-26925, which is contained in the Windows Local Security Authority. However, the vulnerability scores 8.1 on the CVSS scale, which is relatively low. Nevertheless, Microsoft representatives believe that when this vulnerability is used in NTLM Relay attacks on Active Directory Certificate Services, the severity level of this bundle rises to CVSS 9.8. The reason for the increased severity level is that in such a scenario CVE-2022-26925 could allow an attacker to authenticate on a domain controller.

kaspersky: The vulnerability can affect all Windows operating systems from Windows 7 (Windows Server 2008 for server systems) and later. Microsoft didn’t go into the details of the exploitation of this vulnerability; however, judging by the description of the problem, unknown attackers are already actively using exploits for CVE-2022-26925 in the wild. The good news is that, according to experts, exploiting this vulnerability in real attacks is quite difficult.

kaspersky: In addition to CVE-2022-26925, the latest update fixes several other vulnerabilities with a “critical” severity level. Among them are the CVE-2022-26937 RCE vulnerability in the Windows Network File System (NFS), as well as CVE-2022-22012 and CVE-2022-29130 – two RCE vulnerabilities in the LDAP service.

3. Remote Code Execution - Windows LDAP (CVE-2022-22012) - High [508]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

qualys: CVE-2022-22012 and CVE-2022-29130 | Windows LDAP Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. For more information, please see Microsoft’s LDAP policies. Exploitability Assessment: Exploitation Less Likely.

tenable: Two of the CVEs, CVE-2022-29130 and CVE-2022-22012 received CVSSv3 scores of 9.8 and the remainder of the flaws each were scored at 8.8. Microsoft has rated all of these vulnerabilities as “Exploitation Less Likely.” While both CVE-2022-29130 and CVE-2022-22012 received higher CVSS scores, both vulnerability descriptions provide the same caveat that the vulnerability only exists if the “MaxReceiveBuffer” LDAP policy is configured to a higher value than the default value (i.e. a higher maximum number of threads LDAP requests can contain per processor). A system with the default value for the policy would not be affected. With the exception of CVE-2022-29130, CVE-2022-22012 and CVE-2022-29139, the vulnerabilities each require authentication in order to exploit. Exploitation of CVE-2022-29139 requires an attacker to convince a vulnerable LDAP client machine to connect to a malicious LDAP server.

rapid7: A host of Lightweight Directory Access Protocol (LDAP) vulnerabilities were also addressed this month, including CVE-2022-22012 and CVE-2022-29130 – both RCEs that, thankfully, are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.

kaspersky: In addition to CVE-2022-26925, the latest update fixes several other vulnerabilities with a “critical” severity level. Among them are the CVE-2022-26937 RCE vulnerability in the Windows Network File System (NFS), as well as CVE-2022-22012 and CVE-2022-29130 – two RCE vulnerabilities in the LDAP service.

4. Remote Code Execution - Windows LDAP (CVE-2022-29130) - High [508]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

qualys: CVE-2022-22012 and CVE-2022-29130 | Windows LDAP Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. For more information, please see Microsoft’s LDAP policies. Exploitability Assessment: Exploitation Less Likely.

tenable: Two of the CVEs, CVE-2022-29130 and CVE-2022-22012 received CVSSv3 scores of 9.8 and the remainder of the flaws each were scored at 8.8. Microsoft has rated all of these vulnerabilities as “Exploitation Less Likely.” While both CVE-2022-29130 and CVE-2022-22012 received higher CVSS scores, both vulnerability descriptions provide the same caveat that the vulnerability only exists if the “MaxReceiveBuffer” LDAP policy is configured to a higher value than the default value (i.e. a higher maximum number of threads LDAP requests can contain per processor). A system with the default value for the policy would not be affected. With the exception of CVE-2022-29130, CVE-2022-22012 and CVE-2022-29139, the vulnerabilities each require authentication in order to exploit. Exploitation of CVE-2022-29139 requires an attacker to convince a vulnerable LDAP client machine to connect to a malicious LDAP server.

rapid7: A host of Lightweight Directory Access Protocol (LDAP) vulnerabilities were also addressed this month, including CVE-2022-22012 and CVE-2022-29130 – both RCEs that, thankfully, are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.

kaspersky: In addition to CVE-2022-26925, the latest update fixes several other vulnerabilities with a “critical” severity level. Among them are the CVE-2022-26937 RCE vulnerability in the Windows Network File System (NFS), as well as CVE-2022-22012 and CVE-2022-29130 – two RCE vulnerabilities in the LDAP service.

5. Remote Code Execution - Remote Procedure Call Runtime (CVE-2022-22019) - High [494]

Description: Remote Procedure Call Runtime Remote Code Execution Vulnerability.

6. Remote Code Execution - Windows LDAP (CVE-2022-22013) - High [494]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

7. Remote Code Execution - Windows LDAP (CVE-2022-22014) - High [494]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

8. Remote Code Execution - Windows LDAP (CVE-2022-29128) - High [494]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

9. Remote Code Execution - Windows LDAP (CVE-2022-29129) - High [494]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

10. Remote Code Execution - Windows LDAP (CVE-2022-29131) - High [494]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

11. Remote Code Execution - Windows LDAP (CVE-2022-29137) - High [494]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29139, CVE-2022-29141.

12. Remote Code Execution - Windows LDAP (CVE-2022-29139) - High [494]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29141.

tenable: Two of the CVEs, CVE-2022-29130 and CVE-2022-22012 received CVSSv3 scores of 9.8 and the remainder of the flaws each were scored at 8.8. Microsoft has rated all of these vulnerabilities as “Exploitation Less Likely.” While both CVE-2022-29130 and CVE-2022-22012 received higher CVSS scores, both vulnerability descriptions provide the same caveat that the vulnerability only exists if the “MaxReceiveBuffer” LDAP policy is configured to a higher value than the default value (i.e. a higher maximum number of threads LDAP requests can contain per processor). A system with the default value for the policy would not be affected. With the exception of CVE-2022-29130, CVE-2022-22012 and CVE-2022-29139, the vulnerabilities each require authentication in order to exploit. Exploitation of CVE-2022-29139 requires an attacker to convince a vulnerable LDAP client machine to connect to a malicious LDAP server.

13. Remote Code Execution - Windows LDAP (CVE-2022-29141) - High [494]

Description: Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139.

14. Remote Code Execution - Windows Network File System (CVE-2022-26937) - High [489]

Description: Windows Network File System Remote Code Execution Vulnerability.

qualys: CVE-2022-26937 | Windows Network File System Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV2 and NFSV3. This may adversely affect your ecosystem and should only be used as a temporary mitigation. Exploitability Assessment: Exploitation More Likely.

tenable: CVE-2022-26937 is a RCE vulnerability impacting the Windows Network File System (NFS) which can be exploited by a remote, unauthenticated attacker using a specially crafted call to a NFS service to achieve code execution. Microsoft assigned a 9.8 CVSSv3 score and rated this as “Exploitation More Likely” according to Microsoft’s Exploitability Index. NFS version 4.1 is not impacted by this vulnerability and Microsoft provides the recommended workaround of disabling NFS versions 2 and 3 for those users who are not able to immediately apply the patch. However the workaround does warn that it may “adversely affect your ecosystem” and is only a temporary measure until patching can be completed.

rapid7: CVE-2022-26937 carries a CVSSv3 score of 9.8 and affects services using the Windows Network File System (NFS). This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues, and upgrading is highly recommended.

zdi: CVE-2022-26937 – Windows Network File System Remote Code Execution Vulnerability. This CVSS 9.8-rated bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems. NFS isn’t on by default, but it’s prevalent in environments where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly. Microsoft notes NFSv4.1 is not exploitable, so upgrade from NFSv2 or NFSv3 if possible.

kaspersky: In addition to CVE-2022-26925, the latest update fixes several other vulnerabilities with a “critical” severity level. Among them are the CVE-2022-26937 RCE vulnerability in the Windows Network File System (NFS), as well as CVE-2022-22012 and CVE-2022-29130 – two RCE vulnerabilities in the LDAP service.

15. Remote Code Execution - Windows Graphics Component (CVE-2022-26927) - High [475]

Description: Windows Graphics Component Remote Code Execution Vulnerability.

16. Remote Code Execution - Windows Remote Desktop Client (CVE-2022-22017) - High [475]

Description: Remote Desktop Client Remote Code Execution Vulnerability.

qualys: CVE-2022-22017 | Remote Desktop Client Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim’s system in the context of the targeted user. Exploitability Assessment: Exploitation More Likely.

rapid7: CVE-2022-22017 is yet another client-side Remote Desktop Protocol (RDP) vulnerability. While not as worrisome as when an RCE affects RDP servers, if a user can be enticed to connect to a malicious RDP server via social engineering tactics, an attacker will gain RCE on their system.

17. Remote Code Execution - Microsoft Windows (CVE-2022-29105) - High [462]

Description: Microsoft Windows Media Foundation Remote Code Execution Vulnerability.

18. Remote Code Execution - Windows Address Book (CVE-2022-26926) - High [462]

Description: Windows Address Book Remote Code Execution Vulnerability.

19. Remote Code Execution - Windows Fax Service (CVE-2022-29115) - High [462]

Description: Windows Fax Service Remote Code Execution Vulnerability.

20. Remote Code Execution - Microsoft SharePoint (CVE-2022-29108) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability.

qualys: CVE-2022-29108 | Microsoft SharePoint Server Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability. Exploitability Assessment: Exploitation More Likely.

rapid7: Sharepoint Server administrators should be aware of CVE-2022-29108, a post-authentication RCE fixed today. Exchange admins have CVE-2022-21978 to worry about, which could allow an attacker with elevated privileges on an Exchange server to gain the rights of a Domain Administrator.

21. Remote Code Execution - Point-to-Point Tunneling Protocol (CVE-2022-21972) - High [443]

Description: Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-23270.

rapid7: All told, 74 CVEs were fixed this month, the vast majority of which affect functionality within the Windows operating system. Other notable vulnerabilities include CVE-2022-21972 and CVE-2022-23270, critical RCEs in the Point-to-Point Tunneling Protocol. Exploitation requires attackers to win a race condition, which increases the complexity, but if you have any RAS servers in your environment, patch sooner rather than later.

22. Remote Code Execution - Point-to-Point Tunneling Protocol (CVE-2022-23270) - High [443]

Description: Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21972.

rapid7: All told, 74 CVEs were fixed this month, the vast majority of which affect functionality within the Windows operating system. Other notable vulnerabilities include CVE-2022-21972 and CVE-2022-23270, critical RCEs in the Point-to-Point Tunneling Protocol. Exploitation requires attackers to win a race condition, which increases the complexity, but if you have any RAS servers in your environment, patch sooner rather than later.

23. Denial of Service - Windows Hyper-V (CVE-2022-22713) - High [428]

Description: Windows Hyper-V Denial of Service Vulnerability.

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 75 vulnerabilities in the May 2022 update, including one advisory ( ADV2200011 ) for Azure in response to CVE-2022-29972, a publicly exposed Zero-Day Remote Code Execution (RCE) Vulnerability, and eight (8) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE) or Elevation of Privileges. This month’s Patch Tuesday release includes fixes for two (2) other zero-day vulnerabilities as well: one known to be actively exploited (CVE-2022-26925) and the other for being publicly exposed (CVE-2022-22713). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.

tenable: CVE-2022-22713 is a DoS vulnerability impacting Windows Hyper-V. According to Microsoft’s description, exploitation of the vulnerability requires an attacker to win a race condition giving it a high complexity rating and a CVSSv3 score of 5.6. While it’s extremely unlikely that this vulnerability will see exploitation in the wild, Microsoft does note that the vulnerability was publicly disclosed. It is credited to Joe Bialek on Microsoft Security Response Center’s Vulnerabilities and Mitigations Team.

rapid7: Two other CVEs were also publicly disclosed before today’s releases, though they have not yet been seen exploited in the wild. CVE-2022-22713 is a denial-of-service vulnerability that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later). CVE-2022-29972 is a Critical RCE that affects the Amazon Redshift ODBC driver used by Microsoft’s Self-hosted Integration Runtime (a client agent that enables on-premises data sources to exchange data with cloud services such as Azure Data Factory and Azure Synapse Pipelines). This vulnerability also prompted Microsoft to publish their first guidance-based advisory of the year, ADV220001, indicating their plans to strengthen tenant isolation in their cloud services without actually providing any specific details or actions to be taken by customers.

kaspersky: Two other vulnerabilities were also already known to the public at the time the patches were published: CVE-2022-29972 – a bug in Insight Software’s Magnitude Simba Amazon Redshift driver, and CVE-2022-22713 – a DoS vulnerability in Windows Hyper-V. However, no attempts to exploit them have been detected to date.

24. Security Feature Bypass - Windows Authentication (CVE-2022-26913) - High [428]

Description: Windows Authentication Security Feature Bypass Vulnerability.

qualys: CVE-2022-26913 | Windows Authentication Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 score of 7.4/10. An attacker who successfully exploited this vulnerability could carry out a Man-in-the-Middle (MITM) attack and could decrypt and read or modify TLS traffic between the client and server. There is no impact to the availability of the attacked machine. Exploitability Assessment: Exploitation Less Likely.

25. Remote Code Execution - Magnitude Simba Amazon Redshift ODBC Driver (CVE-2022-29972) - High [424]

Description: An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) may allow a local user to execute arbitrary code.

MS PT Extended: CVE-2022-29972 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 75 vulnerabilities in the May 2022 update, including one advisory ( ADV2200011 ) for Azure in response to CVE-2022-29972, a publicly exposed Zero-Day Remote Code Execution (RCE) Vulnerability, and eight (8) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE) or Elevation of Privileges. This month’s Patch Tuesday release includes fixes for two (2) other zero-day vulnerabilities as well: one known to be actively exploited (CVE-2022-26925) and the other for being publicly exposed (CVE-2022-22713). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.

rapid7: Two other CVEs were also publicly disclosed before today’s releases, though they have not yet been seen exploited in the wild. CVE-2022-22713 is a denial-of-service vulnerability that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later). CVE-2022-29972 is a Critical RCE that affects the Amazon Redshift ODBC driver used by Microsoft’s Self-hosted Integration Runtime (a client agent that enables on-premises data sources to exchange data with cloud services such as Azure Data Factory and Azure Synapse Pipelines). This vulnerability also prompted Microsoft to publish their first guidance-based advisory of the year, ADV220001, indicating their plans to strengthen tenant isolation in their cloud services without actually providing any specific details or actions to be taken by customers.

zdi: CVE-2022-29972 – Insight Software: Magnitude Simba Amazon Redshift ODBC Driver. This update was actually released yesterday and is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services. Microsoft also released its first advisory of the year, ADV220001, with additional information about the vulnerability. The flaw exists in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory, and could allow an attacker to execute remote commands across Integration Runtimes. If you use these services, review the blog and advisory to ensure you understand the risks to your services.

zdi: There is one new advisory for May covering improvements to Azure Data Factory and Azure Synapse Pipeline. This was previously mentioned (above) and is in response to CVE-2022-29972. While certainly not new, the latest servicing stack updates can be found in the revised ADV990001.

kaspersky: Two other vulnerabilities were also already known to the public at the time the patches were published: CVE-2022-29972 – a bug in Insight Software’s Magnitude Simba Amazon Redshift driver, and CVE-2022-22713 – a DoS vulnerability in Windows Hyper-V. However, no attempts to exploit them have been detected to date.

26. Remote Code Execution - Microsoft Excel (CVE-2022-29109) - High [424]

Description: Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-29110.

rapid7: Although there are no browser vulnerabilities this month, two RCEs affecting Excel (CVE-2022-29109 and CVE-2022-29110) and one Security Feature Bypass affecting Office (CVE-2022-29107) mean there is still some endpoint application patching to do.

27. Remote Code Execution - Microsoft Excel (CVE-2022-29110) - High [424]

Description: Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-29109.

rapid7: Although there are no browser vulnerabilities this month, two RCEs affecting Excel (CVE-2022-29109 and CVE-2022-29110) and one Security Feature Bypass affecting Office (CVE-2022-29107) mean there is still some endpoint application patching to do.

28. Information Disclosure - Windows Clustered Shared Volume (CVE-2022-29123) - High [418]

Description: Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29122, CVE-2022-29134.

Medium (69)

29. Elevation of Privilege - Kerberos (CVE-2022-26931) - Medium [398]

Description: Windows Kerberos Elevation of Privilege Vulnerability.

30. Elevation of Privilege - Active Directory (CVE-2022-26923) - Medium [393]

Description: Active Directory Domain Services Elevation of Privilege Vulnerability.

qualys: CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. Exploitability Assessment: Exploitation More Likely.

zdi: CVE-2022-26923 – Active Directory Domain Services Elevation of Privilege Vulnerability. This bug was submitted through the ZDI program by Oliver Lyak (@ly4k_) of the Institut for Cyber Risk. The specific flaw exists within the issuance of certificates. By including crafted data in a certificate request, an attacker can obtain a certificate that allows the attacker to authenticate to a domain controller with a high level of privilege. In essence, any domain authenticated user can become a domain admin if Active Directory Certificate Services are running on the domain. This is a very common deployment. Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later.

31. Elevation of Privilege - Windows Kernel (CVE-2022-29133) - Medium [393]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-29142.

qualys: CVE-2022-29133 | Windows Kernel Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment. Exploitability Assessment: Exploitation Less Likely.

32. Denial of Service - Windows WLAN AutoConfig Service (CVE-2022-29121) - Medium [387]

Description: Windows WLAN AutoConfig Service Denial of Service Vulnerability.

33. Security Feature Bypass - BitLocker (CVE-2022-29127) - Medium [387]

Description: BitLocker Security Feature Bypass Vulnerability.

34. Denial of Service - .NET (CVE-2022-23267) - Medium [382]

Description: .NET and Visual Studio Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-29117, CVE-2022-29145.

35. Denial of Service - .NET (CVE-2022-29117) - Medium [382]

Description: .NET and Visual Studio Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-23267, CVE-2022-29145.

36. Denial of Service - .NET (CVE-2022-29145) - Medium [382]

Description: .NET and Visual Studio Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-23267, CVE-2022-29117.

37. Remote Code Execution - Visual Studio Code (CVE-2022-30129) - Medium [381]

Description: Visual Studio Code Remote Code Execution Vulnerability.

38. Security Feature Bypass - Microsoft Office (CVE-2022-29107) - Medium [377]

Description: Microsoft Office Security Feature Bypass Vulnerability.

rapid7: Although there are no browser vulnerabilities this month, two RCEs affecting Excel (CVE-2022-29109 and CVE-2022-29110) and one Security Feature Bypass affecting Office (CVE-2022-29107) mean there is still some endpoint application patching to do.

39. Remote Code Execution - Visual Studio (CVE-2022-29148) - Medium [367]

Description: Visual Studio Remote Code Execution Vulnerability.

40. Elevation of Privilege - Windows Kernel (CVE-2022-29142) - Medium [366]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-29133.

41. Spoofing - Microsoft Edge (CVE-2022-29147) - Medium [364]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability

MS PT Extended: CVE-2022-29147 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

42. Elevation of Privilege - Microsoft Edge (CVE-2022-29144) - Medium [360]

Description: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

MS PT Extended: CVE-2022-29144 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

qualys: Microsoft Last But Not Least On April 28, 2022, Microsoft released 36 vulnerabilities for Microsoft Edge (Chromium-based) including CVE-2022-29144 which is classified as Important, and CVE-2022-29146 which is classified as Moderate. Both flaws are Elevation of Privilege vulnerabilities and have been assigned a CVSSv3.1 score of 8.3/10. On May 6, 2022, Microsoft Build announced that there are some Site compatibility-impacting changes coming to Microsoft Edge for developers. This article lists differences between the schedule of changes for Microsoft Edge versus the Chromium project, and high-impact changes that the Microsoft Edge team is tracking especially closely.

43. Elevation of Privilege - Microsoft Edge (CVE-2022-29146) - Medium [360]

Description: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

MS PT Extended: CVE-2022-29146 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

qualys: Microsoft Last But Not Least On April 28, 2022, Microsoft released 36 vulnerabilities for Microsoft Edge (Chromium-based) including CVE-2022-29144 which is classified as Important, and CVE-2022-29146 which is classified as Moderate. Both flaws are Elevation of Privilege vulnerabilities and have been assigned a CVSSv3.1 score of 8.3/10. On May 6, 2022, Microsoft Build announced that there are some Site compatibility-impacting changes coming to Microsoft Edge for developers. This article lists differences between the schedule of changes for Microsoft Edge versus the Chromium project, and high-impact changes that the Microsoft Edge team is tracking especially closely.

44. Elevation of Privilege - Microsoft Exchange (CVE-2022-21978) - Medium [360]

Description: Microsoft Exchange Server Elevation of Privilege Vulnerability.

qualys: CVE-2022-21978 | Microsoft Exchange Server Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.2/10. Successful exploitation of this vulnerability requires the attacker to be authenticated to the Exchange Server as a member of a high privileged group. Exploitability Assessment: Exploitation Less Likely.

tenable: CVE-2022-21978 is an EoP vulnerability in Exchange Server that received a CVSSv3 score of 8.2 and was rated “Exploitation Less Likely.” CVE-2022-21978 was discovered by Joonas Tuomisto of Fujitsu Finland. An attacker must already be authenticated to a vulnerable Exchange Server “as a member of a high privileged group” to exploit this vulnerability but could use it to elevate themselves to domain administrator access. While these prerequisites might make it less likely for attackers to adopt this vulnerability, Exchange Server vulnerabilities have been prime targets for attackers. Vulnerabilities that can give attackers domain administrator permissions are particularly valuable.

rapid7: Sharepoint Server administrators should be aware of CVE-2022-29108, a post-authentication RCE fixed today. Exchange admins have CVE-2022-21978 to worry about, which could allow an attacker with elevated privileges on an Exchange server to gain the rights of a Domain Administrator.

45. Elevation of Privilege - Windows Digital Media Receiver (CVE-2022-29113) - Medium [360]

Description: Windows Digital Media Receiver Elevation of Privilege Vulnerability.

46. Elevation of Privilege - Windows Print Spooler (CVE-2022-29104) - Medium [360]

Description: Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-29132.

tenable: CVE-2022-29132 and CVE-2022-29104 are EoP vulnerabilities in Windows Print Spooler that received a CVSSv3 score of 7.8 and were rated “Exploitation More Likely.” CVE-2022-29132 was disclosed by g0st1 and CVE-2022-29104 by Oliver Lyak from the Institut for Cyber Risk on behalf of Trend Micro Zero Day Initiative. These are just the latest in a long line of EoP vulnerabilities Microsoft has addressed in Print Spooler over the last year, several of which have been exploited in attacks.

tenable: CVE-2022-30138 is another EoP vulnerability in the Windows Print Spooler. This vulnerability was patched as part of Patch Tuesday on May 10. However, information about this flaw was not made public until May 12. Similar to CVE-2022-29132 and CVE-2022-29104, it received a CVSSv3 score of 7.8. However, Microsoft rates this vulnerability as “Exploitation Less Likely” compared to the previous two EoP flaws in Print Spooler. While the publication of this CVE was made on May 12, customers that have already applied the Patch Tuesday updates do not need to take any additional steps to address this vulnerability.

47. Elevation of Privilege - Windows Print Spooler (CVE-2022-29132) - Medium [360]

Description: Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-29104.

tenable: CVE-2022-29132 and CVE-2022-29104 are EoP vulnerabilities in Windows Print Spooler that received a CVSSv3 score of 7.8 and were rated “Exploitation More Likely.” CVE-2022-29132 was disclosed by g0st1 and CVE-2022-29104 by Oliver Lyak from the Institut for Cyber Risk on behalf of Trend Micro Zero Day Initiative. These are just the latest in a long line of EoP vulnerabilities Microsoft has addressed in Print Spooler over the last year, several of which have been exploited in attacks.

tenable: CVE-2022-30138 is another EoP vulnerability in the Windows Print Spooler. This vulnerability was patched as part of Patch Tuesday on May 10. However, information about this flaw was not made public until May 12. Similar to CVE-2022-29132 and CVE-2022-29104, it received a CVSSv3 score of 7.8. However, Microsoft rates this vulnerability as “Exploitation Less Likely” compared to the previous two EoP flaws in Print Spooler. While the publication of this CVE was made on May 12, customers that have already applied the Patch Tuesday updates do not need to take any additional steps to address this vulnerability.

48. Elevation of Privilege - Windows Remote Access (CVE-2022-29103) - Medium [360]

Description: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability.

49. Security Feature Bypass - Windows Hyper-V (CVE-2022-24466) - Medium [350]

Description: Windows Hyper-V Security Feature Bypass Vulnerability.

50. Elevation of Privilege - Tablet Windows User Interface Application (CVE-2022-29126) - Medium [347]

Description: Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability.

51. Elevation of Privilege - Windows ALPC (CVE-2022-23279) - Medium [347]

Description: Windows ALPC Elevation of Privilege Vulnerability.

52. Elevation of Privilege - Windows Clustered Shared Volume (CVE-2022-29135) - Medium [347]

Description: Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-29150, CVE-2022-29151.

53. Elevation of Privilege - Windows Clustered Shared Volume (CVE-2022-29138) - Medium [347]

Description: Windows Clustered Shared Volume Elevation of Privilege Vulnerability.

54. Elevation of Privilege - Windows Clustered Shared Volume (CVE-2022-29150) - Medium [347]

Description: Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-29135, CVE-2022-29151.

55. Elevation of Privilege - Windows Clustered Shared Volume (CVE-2022-29151) - Medium [347]

Description: Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-29135, CVE-2022-29150.

56. Elevation of Privilege - Windows Hyper-V Shared Virtual Disk (CVE-2022-29106) - Medium [347]

Description: Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability.

57. Elevation of Privilege - Windows PlayToManager (CVE-2022-22016) - Medium [347]

Description: Windows PlayToManager Elevation of Privilege Vulnerability.

58. Elevation of Privilege - Windows Push Notifications Apps (CVE-2022-29125) - Medium [347]

Description: Windows Push Notifications Apps Elevation of Privilege Vulnerability.

59. Elevation of Privilege - Storage Spaces Direct (CVE-2022-26932) - Medium [341]

Description: Storage Spaces Direct Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-26938, CVE-2022-26939.

60. Denial of Service - .NET Framework (CVE-2022-30130) - Medium [333]

Description: .NET Framework Denial of Service Vulnerability.

61. Elevation of Privilege - Storage Spaces Direct (CVE-2022-26938) - Medium [328]

Description: Storage Spaces Direct Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-26932, CVE-2022-26939.

62. Elevation of Privilege - Storage Spaces Direct (CVE-2022-26939) - Medium [328]

Description: Storage Spaces Direct Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-26932, CVE-2022-26938.

63. Information Disclosure - Windows Clustered Shared Volume (CVE-2022-29120) - Medium [327]

Description: Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29122, CVE-2022-29123, CVE-2022-29134.

64. Information Disclosure - Windows Clustered Shared Volume (CVE-2022-29122) - Medium [327]

Description: Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29123, CVE-2022-29134.

65. Information Disclosure - Windows Clustered Shared Volume (CVE-2022-29134) - Medium [327]

Description: Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29122, CVE-2022-29123.

66. Information Disclosure - Windows Graphics Component (CVE-2022-26934) - Medium [327]

Description: Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-22011, CVE-2022-29112.

67. Information Disclosure - Windows Graphics Component (CVE-2022-29112) - Medium [327]

Description: Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-22011, CVE-2022-26934.

68. Information Disclosure - Windows Remote Desktop (CVE-2022-22015) - Medium [327]

Description: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability.

69. Information Disclosure - Windows Remote Desktop Protocol (CVE-2022-26940) - Medium [327]

Description: Remote Desktop Protocol Client Information Disclosure Vulnerability.

70. Information Disclosure - Windows Server Service (CVE-2022-26936) - Medium [327]

Description: Windows Server Service Information Disclosure Vulnerability.

71. Information Disclosure - Windows WLAN AutoConfig Service (CVE-2022-26935) - Medium [327]

Description: Windows WLAN AutoConfig Service Information Disclosure Vulnerability.

72. Information Disclosure - Windows Kernel (CVE-2022-29116) - Medium [318]

Description: Windows Kernel Information Disclosure Vulnerability.

73. Information Disclosure - Windows Failover Cluster (CVE-2022-29102) - Medium [313]

Description: Windows Failover Cluster Information Disclosure Vulnerability.

74. Information Disclosure - Windows Graphics Component (CVE-2022-22011) - Medium [313]

Description: Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-26934, CVE-2022-29112.

75. Information Disclosure - Windows NTFS (CVE-2022-26933) - Medium [313]

Description: Windows NTFS Information Disclosure Vulnerability.

76. Information Disclosure - Windows Print Spooler (CVE-2022-29114) - Medium [313]

Description: Windows Print Spooler Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29140.

tenable: In addition to the two EoP vulnerabilities, Microsoft also patched two information disclosure vulnerabilities in Print Spooler this month: CVE-2022-29140 and CVE-2022-29114.

77. Information Disclosure - Windows Print Spooler (CVE-2022-29140) - Medium [313]

Description: Windows Print Spooler Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29114.

tenable: In addition to the two EoP vulnerabilities, Microsoft also patched two information disclosure vulnerabilities in Print Spooler this month: CVE-2022-29140 and CVE-2022-29114.

78. Information Disclosure - Windows Remote Access (CVE-2022-26930) - Medium [313]

Description: Windows Remote Access Connection Manager Information Disclosure Vulnerability.

79. Memory Corruption - Microsoft Edge (CVE-2022-1305) - Medium [272]

Description: Chromium: CVE-2022-1305 Use after free in storage. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1305 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

80. Memory Corruption - Microsoft Edge (CVE-2022-1308) - Medium [272]

Description: Chromium: CVE-2022-1308 Use after free in BFCache. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1308 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

81. Memory Corruption - Microsoft Edge (CVE-2022-1310) - Medium [272]

Description: Chromium: CVE-2022-1310 Use after free in regular expressions. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1310 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

82. Memory Corruption - Microsoft Edge (CVE-2022-1312) - Medium [272]

Description: Chromium: CVE-2022-1312 Use after free in storage. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1312 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

83. Memory Corruption - Microsoft Edge (CVE-2022-1313) - Medium [272]

Description: Chromium: CVE-2022-1313 Use after free in tab groups. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1313 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

84. Memory Corruption - Microsoft Edge (CVE-2022-1314) - Medium [272]

Description: Chromium: CVE-2022-1314 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1314 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

85. Memory Corruption - Microsoft Edge (CVE-2022-1477) - Medium [272]

Description: Chromium: CVE-2022-1477 Use after free in Vulkan. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1477 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

86. Memory Corruption - Microsoft Edge (CVE-2022-1478) - Medium [272]

Description: Chromium: CVE-2022-1478 Use after free in SwiftShader. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1478 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

87. Memory Corruption - Microsoft Edge (CVE-2022-1479) - Medium [272]

Description: Chromium: CVE-2022-1479 Use after free in ANGLE. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1479 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

88. Memory Corruption - Microsoft Edge (CVE-2022-1480) - Medium [272]

Description: Chromium: CVE-2022-1480 Use after free in Device API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1480 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

89. Memory Corruption - Microsoft Edge (CVE-2022-1481) - Medium [272]

Description: Chromium: CVE-2022-1481 Use after free in Sharing. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1481 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

90. Memory Corruption - Microsoft Edge (CVE-2022-1483) - Medium [272]

Description: Chromium: CVE-2022-1483 Heap buffer overflow in WebGPU. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1483 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

91. Memory Corruption - Microsoft Edge (CVE-2022-1484) - Medium [272]

Description: Chromium: CVE-2022-1484 Heap buffer overflow in Web UI Settings. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1484 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

92. Memory Corruption - Microsoft Edge (CVE-2022-1485) - Medium [272]

Description: Chromium: CVE-2022-1485 Use after free in File System API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1485 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

93. Memory Corruption - Microsoft Edge (CVE-2022-1486) - Medium [272]

Description: Chromium: CVE-2022-1486 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1486 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

94. Memory Corruption - Microsoft Edge (CVE-2022-1487) - Medium [272]

Description: Chromium: CVE-2022-1487 Use after free in Ozone. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1487 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

95. Memory Corruption - Microsoft Edge (CVE-2022-1490) - Medium [272]

Description: Chromium: CVE-2022-1490 Use after free in Browser Switcher. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1490 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

96. Memory Corruption - Microsoft Edge (CVE-2022-1491) - Medium [272]

Description: Chromium: CVE-2022-1491 Use after free in Bookmarks. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1491 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

97. Memory Corruption - Microsoft Edge (CVE-2022-1493) - Medium [272]

Description: Chromium: CVE-2022-1493 Use after free in Dev Tools. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-1493 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

Low (13)

98. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1306) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1306 Inappropriate implementation in compositing. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1306 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

99. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1307) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1307 Inappropriate implementation in full screen. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1307 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

100. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1309) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1309 Insufficient policy enforcement in developer tools. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1309 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

101. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1482) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1482 Inappropriate implementation in WebGL. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1482 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

102. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1488) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1488 Inappropriate implementation in Extensions API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1488 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

103. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1492) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1492 Insufficient data validation in Blink Editing. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1492 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

104. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1494) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1494 Insufficient data validation in Trusted Types. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1494 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

105. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1495) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1495 Incorrect security UI in Downloads. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1495 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

106. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1497) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1497 Inappropriate implementation in Input. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1497 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

107. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1498) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1498 Inappropriate implementation in HTML Parser. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1498 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

108. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1499) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1499 Inappropriate implementation in WebAuthentication. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1499 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

109. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1500) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1500 Insufficient data validation in Dev Tools. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1500 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

110. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-1501) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-1501 Inappropriate implementation in iframe. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-1501 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

Exploitation in the wild detected (2)

Memory Corruption (1)

• Microsoft Edge (CVE-2022-1364)

MS PT Extended: CVE-2022-1364 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

Spoofing (1)

• Windows LSA (CVE-2022-26925)

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 75 vulnerabilities in the May 2022 update, including one advisory ( ADV2200011 ) for Azure in response to CVE-2022-29972, a publicly exposed Zero-Day Remote Code Execution (RCE) Vulnerability, and eight (8) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE) or Elevation of Privileges. This month’s Patch Tuesday release includes fixes for two (2) other zero-day vulnerabilities as well: one known to be actively exploited (CVE-2022-26925) and the other for being publicly exposed (CVE-2022-22713). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.

qualys: Notable Microsoft Vulnerabilities Patched This month’s advisory covers multiple Microsoft product families, including Azure, Developer Tools, Extended Security Update (ESU), Exchange Server, Microsoft Office, and Windows. A total of 97 unique Microsoft products/versions are affected. Downloads include Monthly Rollup, Security Only, Security Update, and ServicingStackUpdate. The most urgent bug Microsoft addressed this month is CVE-2022-26925, a weakness in a central component of Windows security (the “Local Security Authority” (LSARPC) process within Windows). CVE-2022-26925 has been publicly disclosed and it is now actively being exploited in the wild.

qualys: CVE-2022-26925 | Windows LSA Spoofing Vulnerability This vulnerability has a CVSSv3.1 score of 8.1/10. Please note that the combined CVSS score would be 9.8 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS). Please see ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for additional information. The vulnerability affects Windows 7 through 10 and Windows Server 2008 through 2022. While this vulnerability affects all servers, domain controllers should be prioritized in terms of applying security updates. After applying the security updates, please see KB5005413 for more information on further steps that you need to take to protect your system. An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it. According to the CVSS metric, the attack complexity is high. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications. This is called a man-in-the-middle (MITM) attack. Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-26925 is a spoofing vulnerability in the Windows Local Security Authority (LSA) that received a CVSSv3 score of 8.1. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8. According to the advisory from Microsoft, it has been exploited in the wild as a zero-day. An unauthenticated attacker could coerce domain controllers to authenticate to an attacker-controller server using NTLM. Microsoft provides two pieces of documentation for further protecting systems against these attacks. Microsoft recommends that organizations prioritize patching domain controllers for this vulnerability.

rapid7: There is one 0-day this month: CVE-2022-26925, a Spoofing vulnerability in the Windows Local Security Authority (LSA) subsystem, which allows attackers able to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication. This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution (RCE). This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.

zdi: CVE-2022-26925 – Windows LSA Spoofing Vulnerability. This complex-sounding vulnerability could allow an unauthenticated attacker to force a domain controller to authenticate against another server using NTLM. The threat actor would need to be in the logical network path between the target and the resource requested (e.g., Man-in-the-Middle), but since this is listed as under active attack, someone must have figured out how to make that happen. Microsoft notes this would be a CVSS 9.8 if combined with NTLM relay attacks, making this even more severe. In addition to this patch, sysadmins should review KB5005413 and Advisory ADV210003 to see what additional measures can be taken to prevent NTLM relay attacks. Also note this patch affects some backup functionality on Server 2008 SP2. If you’re running that OS, read this one carefully to ensure your backups can still be used to restore.

kaspersky: CVE-2022-26925 – the most dangerous of the addressed vulnerabilities

kaspersky: Apparently, the most dangerous vulnerability addressed in this update pack is CVE-2022-26925, which is contained in the Windows Local Security Authority. However, the vulnerability scores 8.1 on the CVSS scale, which is relatively low. Nevertheless, Microsoft representatives believe that when this vulnerability is used in NTLM Relay attacks on Active Directory Certificate Services, the severity level of this bundle rises to CVSS 9.8. The reason for the increased severity level is that in such a scenario CVE-2022-26925 could allow an attacker to authenticate on a domain controller.

kaspersky: The vulnerability can affect all Windows operating systems from Windows 7 (Windows Server 2008 for server systems) and later. Microsoft didn’t go into the details of the exploitation of this vulnerability; however, judging by the description of the problem, unknown attackers are already actively using exploits for CVE-2022-26925 in the wild. The good news is that, according to experts, exploiting this vulnerability in real attacks is quite difficult.

kaspersky: In addition to CVE-2022-26925, the latest update fixes several other vulnerabilities with a “critical” severity level. Among them are the CVE-2022-26937 RCE vulnerability in the Windows Network File System (NFS), as well as CVE-2022-22012 and CVE-2022-29130 – two RCE vulnerabilities in the LDAP service.

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (108)

Remote Code Execution (25)

• Windows LDAP (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141)

qualys: CVE-2022-22012 and CVE-2022-29130 | Windows LDAP Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. For more information, please see Microsoft’s LDAP policies. Exploitability Assessment: Exploitation Less Likely.

tenable: Two of the CVEs, CVE-2022-29130 and CVE-2022-22012 received CVSSv3 scores of 9.8 and the remainder of the flaws each were scored at 8.8. Microsoft has rated all of these vulnerabilities as “Exploitation Less Likely.” While both CVE-2022-29130 and CVE-2022-22012 received higher CVSS scores, both vulnerability descriptions provide the same caveat that the vulnerability only exists if the “MaxReceiveBuffer” LDAP policy is configured to a higher value than the default value (i.e. a higher maximum number of threads LDAP requests can contain per processor). A system with the default value for the policy would not be affected. With the exception of CVE-2022-29130, CVE-2022-22012 and CVE-2022-29139, the vulnerabilities each require authentication in order to exploit. Exploitation of CVE-2022-29139 requires an attacker to convince a vulnerable LDAP client machine to connect to a malicious LDAP server.

rapid7: A host of Lightweight Directory Access Protocol (LDAP) vulnerabilities were also addressed this month, including CVE-2022-22012 and CVE-2022-29130 – both RCEs that, thankfully, are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.

kaspersky: In addition to CVE-2022-26925, the latest update fixes several other vulnerabilities with a “critical” severity level. Among them are the CVE-2022-26937 RCE vulnerability in the Windows Network File System (NFS), as well as CVE-2022-22012 and CVE-2022-29130 – two RCE vulnerabilities in the LDAP service.

• Remote Procedure Call Runtime (CVE-2022-22019)
• Windows Network File System (CVE-2022-26937)

qualys: CVE-2022-26937 | Windows Network File System Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV2 and NFSV3. This may adversely affect your ecosystem and should only be used as a temporary mitigation. Exploitability Assessment: Exploitation More Likely.

tenable: CVE-2022-26937 is a RCE vulnerability impacting the Windows Network File System (NFS) which can be exploited by a remote, unauthenticated attacker using a specially crafted call to a NFS service to achieve code execution. Microsoft assigned a 9.8 CVSSv3 score and rated this as “Exploitation More Likely” according to Microsoft’s Exploitability Index. NFS version 4.1 is not impacted by this vulnerability and Microsoft provides the recommended workaround of disabling NFS versions 2 and 3 for those users who are not able to immediately apply the patch. However the workaround does warn that it may “adversely affect your ecosystem” and is only a temporary measure until patching can be completed.

rapid7: CVE-2022-26937 carries a CVSSv3 score of 9.8 and affects services using the Windows Network File System (NFS). This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues, and upgrading is highly recommended.

zdi: CVE-2022-26937 – Windows Network File System Remote Code Execution Vulnerability. This CVSS 9.8-rated bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems. NFS isn’t on by default, but it’s prevalent in environments where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly. Microsoft notes NFSv4.1 is not exploitable, so upgrade from NFSv2 or NFSv3 if possible.

kaspersky: In addition to CVE-2022-26925, the latest update fixes several other vulnerabilities with a “critical” severity level. Among them are the CVE-2022-26937 RCE vulnerability in the Windows Network File System (NFS), as well as CVE-2022-22012 and CVE-2022-29130 – two RCE vulnerabilities in the LDAP service.

• Windows Graphics Component (CVE-2022-26927)
• Windows Remote Desktop Client (CVE-2022-22017)

qualys: CVE-2022-22017 | Remote Desktop Client Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim’s system in the context of the targeted user. Exploitability Assessment: Exploitation More Likely.

rapid7: CVE-2022-22017 is yet another client-side Remote Desktop Protocol (RDP) vulnerability. While not as worrisome as when an RCE affects RDP servers, if a user can be enticed to connect to a malicious RDP server via social engineering tactics, an attacker will gain RCE on their system.

• Microsoft Windows (CVE-2022-29105)
• Windows Address Book (CVE-2022-26926)
• Windows Fax Service (CVE-2022-29115)
• Microsoft SharePoint (CVE-2022-29108)

qualys: CVE-2022-29108 | Microsoft SharePoint Server Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability. Exploitability Assessment: Exploitation More Likely.

rapid7: Sharepoint Server administrators should be aware of CVE-2022-29108, a post-authentication RCE fixed today. Exchange admins have CVE-2022-21978 to worry about, which could allow an attacker with elevated privileges on an Exchange server to gain the rights of a Domain Administrator.

• Point-to-Point Tunneling Protocol (CVE-2022-21972, CVE-2022-23270)

rapid7: All told, 74 CVEs were fixed this month, the vast majority of which affect functionality within the Windows operating system. Other notable vulnerabilities include CVE-2022-21972 and CVE-2022-23270, critical RCEs in the Point-to-Point Tunneling Protocol. Exploitation requires attackers to win a race condition, which increases the complexity, but if you have any RAS servers in your environment, patch sooner rather than later.

• Magnitude Simba Amazon Redshift ODBC Driver (CVE-2022-29972)

MS PT Extended: CVE-2022-29972 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 75 vulnerabilities in the May 2022 update, including one advisory ( ADV2200011 ) for Azure in response to CVE-2022-29972, a publicly exposed Zero-Day Remote Code Execution (RCE) Vulnerability, and eight (8) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE) or Elevation of Privileges. This month’s Patch Tuesday release includes fixes for two (2) other zero-day vulnerabilities as well: one known to be actively exploited (CVE-2022-26925) and the other for being publicly exposed (CVE-2022-22713). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.

rapid7: Two other CVEs were also publicly disclosed before today’s releases, though they have not yet been seen exploited in the wild. CVE-2022-22713 is a denial-of-service vulnerability that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later). CVE-2022-29972 is a Critical RCE that affects the Amazon Redshift ODBC driver used by Microsoft’s Self-hosted Integration Runtime (a client agent that enables on-premises data sources to exchange data with cloud services such as Azure Data Factory and Azure Synapse Pipelines). This vulnerability also prompted Microsoft to publish their first guidance-based advisory of the year, ADV220001, indicating their plans to strengthen tenant isolation in their cloud services without actually providing any specific details or actions to be taken by customers.

zdi: CVE-2022-29972 – Insight Software: Magnitude Simba Amazon Redshift ODBC Driver. This update was actually released yesterday and is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services. Microsoft also released its first advisory of the year, ADV220001, with additional information about the vulnerability. The flaw exists in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory, and could allow an attacker to execute remote commands across Integration Runtimes. If you use these services, review the blog and advisory to ensure you understand the risks to your services.

zdi: There is one new advisory for May covering improvements to Azure Data Factory and Azure Synapse Pipeline. This was previously mentioned (above) and is in response to CVE-2022-29972. While certainly not new, the latest servicing stack updates can be found in the revised ADV990001.

kaspersky: Two other vulnerabilities were also already known to the public at the time the patches were published: CVE-2022-29972 – a bug in Insight Software’s Magnitude Simba Amazon Redshift driver, and CVE-2022-22713 – a DoS vulnerability in Windows Hyper-V. However, no attempts to exploit them have been detected to date.

• Microsoft Excel (CVE-2022-29109, CVE-2022-29110)

rapid7: Although there are no browser vulnerabilities this month, two RCEs affecting Excel (CVE-2022-29109 and CVE-2022-29110) and one Security Feature Bypass affecting Office (CVE-2022-29107) mean there is still some endpoint application patching to do.

• Visual Studio Code (CVE-2022-30129)
• Visual Studio (CVE-2022-29148)

Security Feature Bypass (4)

• Windows Authentication (CVE-2022-26913)

qualys: CVE-2022-26913 | Windows Authentication Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 score of 7.4/10. An attacker who successfully exploited this vulnerability could carry out a Man-in-the-Middle (MITM) attack and could decrypt and read or modify TLS traffic between the client and server. There is no impact to the availability of the attacked machine. Exploitability Assessment: Exploitation Less Likely.

• BitLocker (CVE-2022-29127)
• Microsoft Office (CVE-2022-29107)

rapid7: Although there are no browser vulnerabilities this month, two RCEs affecting Excel (CVE-2022-29109 and CVE-2022-29110) and one Security Feature Bypass affecting Office (CVE-2022-29107) mean there is still some endpoint application patching to do.

• Windows Hyper-V (CVE-2022-24466)

Denial of Service (6)

• Windows Hyper-V (CVE-2022-22713)

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 75 vulnerabilities in the May 2022 update, including one advisory ( ADV2200011 ) for Azure in response to CVE-2022-29972, a publicly exposed Zero-Day Remote Code Execution (RCE) Vulnerability, and eight (8) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE) or Elevation of Privileges. This month’s Patch Tuesday release includes fixes for two (2) other zero-day vulnerabilities as well: one known to be actively exploited (CVE-2022-26925) and the other for being publicly exposed (CVE-2022-22713). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.

tenable: CVE-2022-22713 is a DoS vulnerability impacting Windows Hyper-V. According to Microsoft’s description, exploitation of the vulnerability requires an attacker to win a race condition giving it a high complexity rating and a CVSSv3 score of 5.6. While it’s extremely unlikely that this vulnerability will see exploitation in the wild, Microsoft does note that the vulnerability was publicly disclosed. It is credited to Joe Bialek on Microsoft Security Response Center’s Vulnerabilities and Mitigations Team.

rapid7: Two other CVEs were also publicly disclosed before today’s releases, though they have not yet been seen exploited in the wild. CVE-2022-22713 is a denial-of-service vulnerability that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later). CVE-2022-29972 is a Critical RCE that affects the Amazon Redshift ODBC driver used by Microsoft’s Self-hosted Integration Runtime (a client agent that enables on-premises data sources to exchange data with cloud services such as Azure Data Factory and Azure Synapse Pipelines). This vulnerability also prompted Microsoft to publish their first guidance-based advisory of the year, ADV220001, indicating their plans to strengthen tenant isolation in their cloud services without actually providing any specific details or actions to be taken by customers.

kaspersky: Two other vulnerabilities were also already known to the public at the time the patches were published: CVE-2022-29972 – a bug in Insight Software’s Magnitude Simba Amazon Redshift driver, and CVE-2022-22713 – a DoS vulnerability in Windows Hyper-V. However, no attempts to exploit them have been detected to date.

• Windows WLAN AutoConfig Service (CVE-2022-29121)
• .NET (CVE-2022-23267, CVE-2022-29117, CVE-2022-29145)
• .NET Framework (CVE-2022-30130)

Information Disclosure (17)

• Windows Clustered Shared Volume (CVE-2022-29120, CVE-2022-29122, CVE-2022-29123, CVE-2022-29134)
• Windows Graphics Component (CVE-2022-22011, CVE-2022-26934, CVE-2022-29112)
• Windows Remote Desktop (CVE-2022-22015)
• Windows Remote Desktop Protocol (CVE-2022-26940)
• Windows Server Service (CVE-2022-26936)
• Windows WLAN AutoConfig Service (CVE-2022-26935)
• Windows Kernel (CVE-2022-29116)
• Windows Failover Cluster (CVE-2022-29102)
• Windows NTFS (CVE-2022-26933)
• Windows Print Spooler (CVE-2022-29114, CVE-2022-29140)

tenable: In addition to the two EoP vulnerabilities, Microsoft also patched two information disclosure vulnerabilities in Print Spooler this month: CVE-2022-29140 and CVE-2022-29114.

• Windows Remote Access (CVE-2022-26930)

Elevation of Privilege (23)

• Kerberos (CVE-2022-26931)
• Active Directory (CVE-2022-26923)

qualys: CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. Exploitability Assessment: Exploitation More Likely.

zdi: CVE-2022-26923 – Active Directory Domain Services Elevation of Privilege Vulnerability. This bug was submitted through the ZDI program by Oliver Lyak (@ly4k_) of the Institut for Cyber Risk. The specific flaw exists within the issuance of certificates. By including crafted data in a certificate request, an attacker can obtain a certificate that allows the attacker to authenticate to a domain controller with a high level of privilege. In essence, any domain authenticated user can become a domain admin if Active Directory Certificate Services are running on the domain. This is a very common deployment. Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later.

• Windows Kernel (CVE-2022-29133, CVE-2022-29142)

qualys: CVE-2022-29133 | Windows Kernel Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment. Exploitability Assessment: Exploitation Less Likely.

• Microsoft Edge (CVE-2022-29144, CVE-2022-29146)

MS PT Extended: CVE-2022-29144 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-29146 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

qualys: Microsoft Last But Not Least On April 28, 2022, Microsoft released 36 vulnerabilities for Microsoft Edge (Chromium-based) including CVE-2022-29144 which is classified as Important, and CVE-2022-29146 which is classified as Moderate. Both flaws are Elevation of Privilege vulnerabilities and have been assigned a CVSSv3.1 score of 8.3/10. On May 6, 2022, Microsoft Build announced that there are some Site compatibility-impacting changes coming to Microsoft Edge for developers. This article lists differences between the schedule of changes for Microsoft Edge versus the Chromium project, and high-impact changes that the Microsoft Edge team is tracking especially closely.

• Microsoft Exchange (CVE-2022-21978)

qualys: CVE-2022-21978 | Microsoft Exchange Server Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.2/10. Successful exploitation of this vulnerability requires the attacker to be authenticated to the Exchange Server as a member of a high privileged group. Exploitability Assessment: Exploitation Less Likely.

tenable: CVE-2022-21978 is an EoP vulnerability in Exchange Server that received a CVSSv3 score of 8.2 and was rated “Exploitation Less Likely.” CVE-2022-21978 was discovered by Joonas Tuomisto of Fujitsu Finland. An attacker must already be authenticated to a vulnerable Exchange Server “as a member of a high privileged group” to exploit this vulnerability but could use it to elevate themselves to domain administrator access. While these prerequisites might make it less likely for attackers to adopt this vulnerability, Exchange Server vulnerabilities have been prime targets for attackers. Vulnerabilities that can give attackers domain administrator permissions are particularly valuable.

rapid7: Sharepoint Server administrators should be aware of CVE-2022-29108, a post-authentication RCE fixed today. Exchange admins have CVE-2022-21978 to worry about, which could allow an attacker with elevated privileges on an Exchange server to gain the rights of a Domain Administrator.

• Windows Digital Media Receiver (CVE-2022-29113)
• Windows Print Spooler (CVE-2022-29104, CVE-2022-29132)

tenable: CVE-2022-29132 and CVE-2022-29104 are EoP vulnerabilities in Windows Print Spooler that received a CVSSv3 score of 7.8 and were rated “Exploitation More Likely.” CVE-2022-29132 was disclosed by g0st1 and CVE-2022-29104 by Oliver Lyak from the Institut for Cyber Risk on behalf of Trend Micro Zero Day Initiative. These are just the latest in a long line of EoP vulnerabilities Microsoft has addressed in Print Spooler over the last year, several of which have been exploited in attacks.

tenable: CVE-2022-30138 is another EoP vulnerability in the Windows Print Spooler. This vulnerability was patched as part of Patch Tuesday on May 10. However, information about this flaw was not made public until May 12. Similar to CVE-2022-29132 and CVE-2022-29104, it received a CVSSv3 score of 7.8. However, Microsoft rates this vulnerability as “Exploitation Less Likely” compared to the previous two EoP flaws in Print Spooler. While the publication of this CVE was made on May 12, customers that have already applied the Patch Tuesday updates do not need to take any additional steps to address this vulnerability.

• Windows Remote Access (CVE-2022-29103)
• Tablet Windows User Interface Application (CVE-2022-29126)
• Windows ALPC (CVE-2022-23279)
• Windows Clustered Shared Volume (CVE-2022-29135, CVE-2022-29138, CVE-2022-29150, CVE-2022-29151)
• Windows Hyper-V Shared Virtual Disk (CVE-2022-29106)
• Windows PlayToManager (CVE-2022-22016)
• Windows Push Notifications Apps (CVE-2022-29125)
• Storage Spaces Direct (CVE-2022-26932, CVE-2022-26938, CVE-2022-26939)

Spoofing (1)

• Microsoft Edge (CVE-2022-29147)

MS PT Extended: CVE-2022-29147 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

Memory Corruption (19)

• Microsoft Edge (CVE-2022-1305, CVE-2022-1308, CVE-2022-1310, CVE-2022-1312, CVE-2022-1313, CVE-2022-1314, CVE-2022-1477, CVE-2022-1478, CVE-2022-1479, CVE-2022-1480, CVE-2022-1481, CVE-2022-1483, CVE-2022-1484, CVE-2022-1485, CVE-2022-1486, CVE-2022-1487, CVE-2022-1490, CVE-2022-1491, CVE-2022-1493)

MS PT Extended: CVE-2022-1490 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1484 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1314 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1493 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1486 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1312 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1478 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1310 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1313 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1477 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1305 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1485 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1480 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1481 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1483 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1479 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1491 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1487 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1308 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

Unknown Vulnerability Type (13)

• Microsoft Edge (CVE-2022-1306, CVE-2022-1307, CVE-2022-1309, CVE-2022-1482, CVE-2022-1488, CVE-2022-1492, CVE-2022-1494, CVE-2022-1495, CVE-2022-1497, CVE-2022-1498, CVE-2022-1499, CVE-2022-1500, CVE-2022-1501)

MS PT Extended: CVE-2022-1492 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1499 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1488 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1497 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1307 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1482 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1309 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1501 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1498 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1306 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1495 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1494 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09

MS PT Extended: CVE-2022-1500 was published before May 2022 Patch Tuesday from 2022-04-13 to 2022-05-09