Skip links

Microsoft closes Windows LSA hole under active attack

Microsoft patched 74 security flaws in its May Patch Tuesday batch of updates. That’s seven critical bugs, 66 deemed important, and one ranked low severity.

At least one of the vulnerabilities disclosed is under active attack with public exploit code, according to Redmond, while two others are listed as having public exploit code.

After April’s astonishing 100-plus vulnerabilities, May’s patching event seems tame by comparison. However, “this month makes up for it in severity and infrastructure headaches,” Chris Hass, director of security at Automox, told The Register. “The big news is the critical vulnerabilities that need to be highlighted for immediate action.”

The bug that’s being exploited in the wild is a Windows LSA (Local Security Authority) spoofing vulnerability tracked as CVE-2022-26925. According to Microsoft, an unauthenticated attacker could “coerce the domain controller to authenticate to the attacker using NTLM.” 

Miscreants could pull this off via a man-in-the-middle attack, in which they inject themselves into the logical network path between the target and the resource requested. While the software giant classified the attack complexity as “high,” it also noted that the vuln is under active attack. So “someone must have figured out how to make that happen,” wrote Trend Micro’s Dustin Childs on the Zero Day Initiative blog. The security hole was reported to Microsoft by, we’re told, Raphael John of the Bertelsmann Printing Group.

Additionally, while the bug received a 8.3 CVSS severity score, if chained with last year’s NTLM Relay Attacks, the combined CVSS score would be 9.8, according to Microsoft. In addition to applying the patch, Redmond advises reviewing the KB5005413 support document for more information about protecting networks against NTLM Relay Attacks. And if it wasn’t already clear, prioritize patching CVE-2022-26925 now.

Finally, we’re told the patch affects backups and Server 2008 SP2, so check the above support file for help on that.

And we are curious why, after making a huge fuss over a lone local privilege escalation vuln in the Linux world last month and giving it the catchy codename Nimbuspwn, Redmond didn’t name the above flaw nor any of the other 20 or so LPEs it patched this month? May we suggest Nadellapwn for starters Or LoSAh?

Two publicly disclosed bugs

Two other bugs in this month’s Patch Tuesday bunch are listed as having publicly disclosed exploit code. Of the two, Microsoft says exploitation of CVE-2022-29972 is more likely. This is a vulnerability in Azure Data Factory and Azure Synapse pipelines that’s specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR).

An attacker could exploit this bug to “perform remote command execution across IR infrastructure not limited to a single tenant,” Microsoft wrote in a security alert.

The second publicly disclosed bug, CVE-2022-22713, is a denial-of-service vulnerability in Windows Hyper-V. Microsoft says exploitation of this one is less likely and requires an attacker to win a race condition.

Another interesting bug in this month’s bunch is a Windows Network File System (NFS) remote code execution vulnerability that received a 9.8 CVSS score. It’s tracked as CVE-2022-26937, and it can be exploited by a remote, unauthenticated user to craft a call to an NFS service and then execute malicious code. 

It’s worth noting that the default configuration for Windows devices is not vulnerable, Kevin Breen, director of cyber threat research at Immersive Labs, told The Register. That is to say, the vulnerable NFS functionality is not on by default.

Still, “these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data often part of a ransom attempt,” he added.

Another eye-catching bug is CVE-2022-26923, a privilege-escalation flaw in Active Directory Domain Services, discovered by Oliver Lyak of the Institut for Cyber Risk in Denmark and reported through the ZDI. Essentially, any domain-authenticated user can become a domain admin if the vulnerable services are running on the domain, which is scary. You’ll want to patch this, too, IT peeps.

Adobe fixes 18 CVEs

Meanwhile, Adobe released five security updates for 18 CVEs in its Adobe Character Animator, Adobe ColdFusion, Adobe InDesign, Adobe Framemaker and Adobe InCopy products.

Ten of these occur in Adobe Framemaker, and nine of the ten are critical with 7.8 CVSS scores. Out-of-bounds write (OOB) flaws and the use of previously-freed memory could lead to remote code execution in all ten.

Google patches escalation-of-privilege vulns

In its May patching round, Google fixed 36 Android flaws earlier this month. The most severe bug, which the cloud giant deemed a “high-security vulnerability,” occurs in the Android Framework component and could lead to local escalation of privilege by rogue apps.

Google issued a patch for this and three other high-security escalation of privilege vulns in Framework, plus one moderate-security information disclosure bug.

SAP joins the patch party

And finally, SAP released 17 new and updated security fixes this month. This includes six patches to fix the critical remote code execution Spring4Shell vulnerability in SAP applications.

Additionally, SAP Security Note #3145046 patches a cross-site scripting vulnerability that received an 8.3 CVSS score. Onapsis Research Labs helped on this flaw, and said it exists in the administration user interface (UI) of ICM in SAP Application Server ABAP/Java, and in the administration UI for SAP Web Dispatcher, both stand-alone and (A)SCS instance embedded. 

“The only thing that prevents this vulnerability from being tagged with a higher CVSS is the fact that an attacker must entice a victim to log on to the administration UI using a browser and that the attack is highly complex,” the researchers wrote. ®