Microsoft’s April 2022 Patch Tuesday Addresses 117 CVEs (CVE-2022-24521)

Read Time:6 Minute, 13 Second

Microsoft’s April 2022 Patch Tuesday Addresses 117 CVEs (CVE-2022-24521)

Microsoft addresses 117 CVEs in its April 2022 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild and reported to Microsoft by the National Security Agency.

9Critical
108Important
0Moderate
0Low

Microsoft patched 117 CVEs in its April 2022 Patch Tuesday release, with 9 rated as critical and 108 rated as important.

This month’s update includes patches for:

.NET Framework
Active Directory Domain Services
Azure SDK
Azure Site Recovery
LDAP – Lightweight Directory Access Protocol
Microsoft Bluetooth Driver
Microsoft Dynamics
Microsoft Edge (Chromium-based)
Microsoft Graphics Component
Microsoft Local Security Authority Server (lsasrv)
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Windows ALPC
Microsoft Windows Codecs Library
Microsoft Windows Media Foundation
Power BI
Role: DNS Server
Role: Windows Hyper-V
Skype for Business
Visual Studio
Visual Studio Code
Windows Ancillary Function Driver for WinSock
Windows App Store
Windows AppX Package Manager
Windows Cluster Client Failover
Windows Cluster Shared Volume (CSV)
Windows Common Log File System Driver
Windows Defender
Windows DWM Core Library
Windows Endpoint Configuration Manager
Windows Fax Compose Form
Windows Feedback Hub
Windows File Explorer
Windows File Server
Windows Installer
Windows iSCSI Target Service
Windows Kerberos
Windows Kernel
Windows Local Security Authority Subsystem Service
Windows Media
Windows Network File System
Windows PowerShell
Windows Print Spooler Components
Windows RDP
Windows Remote Procedure Call Runtime
Windows schannel
Windows SMB
Windows Telephony Server
Windows Upgrade Assistant
Windows User Profile Service
Windows Win32K
Windows Work Folder Service
YARP reverse proxy

Elevation of privilege (EoP) vulnerabilities accounted for 39.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 39.3%.

Important

CVE-2022-24521 and CVE-2022-24481 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

CVE-2022-24521 is an EoP vulnerability in the Windows Common Log File System (CLFS) driver for Microsoft Windows. EoP flaws like this one are leveraged post-authentication, after an attacker has successfully accessed a vulnerable system, to gain higher permissions. According to Microsoft, this flaw has been exploited in the wild as a zero-day, though we do not have any additional details about its exploitation. We do know that it was reported to Microsoft by the National Security Agency along with researchers at CrowdStrike. Organizations should ensure they apply the available patches as soon as possible. CVE-2022-24481 is another EoP in the CLFS driver that received the same CVSSv3 score of 7.8 and was rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. However, it is not a zero-day.

Important

CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability

CVE-2022-26904 is an EoP vulnerability in the Windows User Profile service. It received a CVSSv3 score of 7.0, which rates its severity as important. The attack complexity for this flaw is considered high because it “requires an attacker to win a race condition.” Despite the higher complexity, it is still considered as “Exploitation More Likely.” This is the second of two zero-days addressed this month, as details about this vulnerability were publicly disclosed prior to a patch being made available.

Critical

CVE-2022-24491 | Windows Network File System Remote Code Execution Vulnerability

CVE-2022-24491 is a critical RCE vulnerability in the Windows Network File System (NFS) that received a CVSSv3 score of 9.8 and a rating of “Exploitation More Likely.” An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted NFS protocol network messages to a vulnerable system. Only systems with the NFS role enabled are at risk for exploitation; however, organizations should still apply the patch to all systems to ensure they are protected.

Critical

CVE-2022-26809 | Remote Procedure Call Runtime Remote Code Execution Vulnerability

CVE-2022-26809 is a critical RCE vulnerability in the Remote Procedure Call (RPC) runtime. It received a CVSSv3 score of 9.8. An unauthenticated, remote attacker could exploit this vulnerability by sending “a specially crafted RPC call to an RPC host.” Patching is the best approach to fully address this vulnerability; however, if patching is not feasible, Microsoft recommends blocking TCP port 445 on the perimeter firewall to mitigate attempts to exploit this flaw. Despite applying this mitigation, systems could “still be vulnerable to attacks from within their enterprise perimeter.”

Important

CVE-2022-26817 and CVE-2022-26814 | Windows DNS Server Remote Code Execution Vulnerabilities

CVE-2022-26817 and CVE-2022-26814 are RCE vulnerabilities in Windows DNS Server affecting Active Directory Domain Services that both received a CVSSv3 score of 6.6 and were discovered by Yuki Chen with Cyber KunLun. Exploitation of this vulnerability is rated “Less Likely” which may be tied to the higher attack complexity and required permissions. To successfully exploit this flaw, an attacker on the target network with permissions to query the domain name service must win a race condition. Only if they perfectly time exploitation of this vulnerability, can they achieve RCE. Patches have been released for supported versions for Windows Server and Windows Server Core installations.

Important

15 Elevation of Privilege Vulnerabilities in Windows Print Spooler

This month, Microsoft patched 15 EoP vulnerabilities in Print Spooler components all of which received CVSSv3 scores of 7.8. Three of the vulnerabilities were disclosed by George Hughey of Microsoft Security Response Center Vulnerabilities and Mitigations and the other 12 were disclosed by Microsoft Offensive Research and Security Engineering. While Microsoft rates these vulnerabilities as “Exploitation Less Likely,” attackers have exploited EoP flaws in Print Spooler in the past.

CVE-2022-26803

CVE-2022-26786

CVE-2022-26787

CVE-2022-26789

CVE-2022-26790

CVE-2022-26791

CVE-2022-26802

CVE-2022-26792

CVE-2022-26797

CVE-2022-26795

CVE-2022-26796

CVE-2022-26798

CVE-2022-26801

CVE-2022-26793

CVE-2022-26794

Upcoming end of support

In the coming weeks, versions of the.NET Framework and Windows 10 will stop receiving updates and support. On April 26, .NET Framework 4.5.2, 4.6, or 4.6.1 will reach end of support due to their use of the less secure Secure Hash Algorithm 1 (SHA-1). On May 10, Windows 10 version 20H2 will reach end of servicing. Users are urged to update to more recent versions to ensure they continue receiving important security updates.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains April 2022.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all the plugins released for Tenable’s April 2022 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Microsoft’s April 2022 Security Updates
Tenable plugins for Microsoft April 2022 Patch Tuesday Security Updates

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

Thoma Bravo’s $6.9B SailPoint deal brings IAM to security portfolio

Read Time:33 Second

In a move to put in place a key piece for its portfolio of cybersecurity companies, private equity firm Thoma Bravo has finalized plans to acquire IAM (identity access management) security vendor SailPoint in a go-private deal worth $6.9 billion.

When completed, the deal, announced Monday, will be the latest in a string of security focused technology acquisitions for the private equity firm, which last year purchased payment security provider Bottomline Technologies for $2.6 billion in December and cybersecurity and compliance vendor Proofpoint for $12.3 billion in August, among other transactions, some of which date back to 2016.

To read this article in full, please click here

Read More

RaidForums Gets Raided, Alleged Admin Arrested

Read Time:4 Minute, 18 Second

The U.S. Department of Justice (DOJ) said today it seized the website and user database for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.

The “raid” in RaidForums is a nod to the community’s humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. According to the DOJ, that early activity included ‘raiding‘ — posting or sending an overwhelming volume of contact to a victim’s online communications medium — and ‘swatting,’ the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.”

But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares. Perhaps the most bustling marketplace within RaidForums was its “Leaks Market,” which described itself as a place to buy, sell, and trade hacked databases and leaks.

The government alleges Coelho and his forum administrator identity “Omnipotent” profited from the illicit activity on the platform by charging “escalating prices for membership tiers that offered greater access and features, including a top-tier ‘God’ membership status.”

“RaidForums also sold ‘credits’ that provided members access to privileged areas of the website and enabled members to ‘unlock’ and download stolen financial information, means of identification, and data from compromised databases, among other items,” the DOJ said in a written statement. “Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.”

Prosecutors say Coelho also personally sold stolen data on the platform, and that Omnipotent directly facilitated illicit transactions by operating a fee-based “Official Middleman” service, a kind of escrow or insurance service that denizens of RaidForums were encouraged to use when transacting with other criminals.

Investigators described multiple instances wherein undercover federal agents or confidential informants used Omnipotent’s escrow service to purchase huge tranches of data from one of Coelho’s alternate user  identities — meaning Coelho not only sold data he’d personally hacked but also further profited by insisting the transactions were handled through his own middleman service.

Not all of those undercover buys went as planned. One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile, although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

On Aug. 11, 2021, an individual using the moniker “SubVirt” posted on RaidForums an offer to sell Social Security numbers, dates of birth and other records on more than 120 million people in the United States (SubVirt would later edit the sales thread to say 30 million records). Just days later, T-Mobile would acknowledge a data breach affecting 40 million current, former or prospective customers who applied for credit with the company.

The government says the victim firm hired a third-party to purchase the database and prevent it from being sold to cybercriminals. That third-party ultimately paid approximately $200,000 worth of bitcoin to the seller, with the agreement that the data would be destroyed after sale. “However, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase,” the affidavit alleges.

The FBI’s seizure of RaidForums was first reported by KrebsOnSecurity on Mar. 23, after a federal investigator confirmed rumors that the FBI had been secretly operating the RaidForums website for weeks.

Coelho landed on the radar of U.S. authorities in June 2018, when he tried to enter the United States at the Hartsfield-Jackson International Airport in Atlanta. The government obtained a warrant to search the electronic devices Coelho had in his luggage and found text messages, files and emails showing he was the RaidForums administrator Omnipotent.

“In an attempt to retrieve his items, Coelho called the lead FBI case agent on or around August 2, 2018, and used the email address unrivalled@pm.me to email the agent,” the government’s affidavit states. Investigators found this same address was used to register rf.ws and raid.lol, which Omnipotent announced on the forum would serve as alternative domain names for RaidForums in case the site’s primary domain was seized.

The DOJ said Coelho was arrested in the United Kingdom on January 31, at the United States’ request, and remains in custody pending the resolution of his extradition hearing. A statement from the U.K.’s National Crime Agency (NCA) said the RaidForum’s takedown was the result of “Operation Tourniquet,” which was carried out by the NCA in cooperation with the United Staes, Europol and four other countries, and resulted in “a number of linked arrests.”

A copy of the indictment against Coelho is available here (PDF).

Read More

CVE-2021-0707

Read Time:15 Second

In dma_buf_release of dma-buf.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-155756045References: Upstream kernel

Read More

CVE-2021-0694

Read Time:15 Second

In setServiceForegroundInnerLocked of ActiveServices.java, there is a possible way for a background application to regain foreground permissions due to insufficient background restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-183147114

Read More

USN-5372-1: Subversion vulnerabilities

Read Time:21 Second

Evgeny Kotkov discovered that Subversion servers did not properly follow
path-based authorization rules in certain cases. An attacker could
potentially use this issue to retrieve information about private paths.
(CVE-2021-28544)

Thomas Weißschuh discovered that Subversion servers did not properly handle
memory in certain configurations. A remote attacker could potentially use
this issue to cause a denial of service or other unspecified impact.
(CVE-2022-24070)

Read More

Post Title

Read Time:15 Second

A vulnerability has been discovered in the Linux kernel, which could allow for data overwrite in arbitrary read-only files by non-privilege users. Linux is a family of open-source Unix-like operating systems based on the Linux kernel. Successful exploitation of this vulnerability could allow for root privilege escalation.

Read More