{"id":19003,"date":"2022-05-10T11:20:55","date_gmt":"2022-05-10T19:20:55","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/05\/10\/news-12736\/"},"modified":"2022-05-10T11:20:55","modified_gmt":"2022-05-10T19:20:55","slug":"news-12736","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/10\/news-12736\/","title":{"rendered":"Hyper-V and Active Directory Front and Center for May Patch Tuesday"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Budd| Date: Tue, 10 May 2022 17:47:43 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>The May 2022 Patch Tuesday release is moderate in volume but relatively light in severity. Microsoft patches 74 vulnerabilities this month. The vast majority of those are rated Important, and 60 of the 74 bugs affect Windows.<\/p>\n<p><span data-contrast=\"auto\">Interestingly, two of the critical vulnerabilities this month are <\/span><i><span data-contrast=\"auto\">elevation of privilege<\/span><\/i><span data-contrast=\"auto\"> issues related to Active Directory and Kerberos. 
Because vulnerabilities like these can be exploited for lateral movement once an attacker already has a foothold on the network, they should be treated as a priority&#8212;along with the six other critical bugs, which fall into the more typical combination of critical severity with remote code execution impact.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">By the Numbers<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<br \/><\/span><\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>Total new Microsoft CVEs: 74<\/li>\n<li>Publicly disclosed: 3<\/li>\n<li>Publicly exploited: 1<\/li>\n<li>Exploitation more likely: 11 (both older and newer)<\/li>\n<li>Severity:\n<ul>\n<li>Critical: 7<\/li>\n<li>Important: 66<\/li>\n<li>Low: 1<\/li>\n<\/ul>\n<\/li>\n<li>Impact\n<ul>\n<li>Remote code execution: 25<\/li>\n<li>Elevation of privilege: 21<\/li>\n<li>Information disclosure: 17<\/li>\n<li>Denial of service: 6<\/li>\n<li>Security feature bypass: 4<\/li>\n<li>Spoofing: 1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-84536\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart1.png\" alt=\"\" width=\"640\" height=\"427\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart1.png 2934w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart1.png?resize=300,200 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart1.png?resize=768,512 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart1.png?resize=1024,683 1024w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart1.png?resize=1536,1024 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart1.png?resize=2048,1365 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>Products\n<ul>\n<li>Microsoft Windows: 62<\/li>\n<li>Visual Studio and .NET: 6<\/li>\n<li>Microsoft Office: 3<\/li>\n<li>Microsoft Exchange: 1<\/li>\n<li>Self-Hosted Integrated Runtime: 1<\/li>\n<li>SharePoint: 1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-84537\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart2.png\" alt=\"\" width=\"640\" height=\"407\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart2.png 3071w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart2.png?resize=300,191 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart2.png?resize=768,489 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart2.png?resize=1024,652 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart2.png?resize=1536,978 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart2.png?resize=2048,1304 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><b><span data-contrast=\"auto\">Notable Vulnerabilities<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Windows Hyper-V Denial of Service Vulnerability<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This vulnerability, CVE-2022-22713, is notable 
as it\u2019s listed as \u201cPublicly Disclosed but not Exploited\u201d at time of release. It\u2019s also listed as \u201cExploitation Less Likely.\u201d It\u2019s one of three vulnerabilities this month related to Hyper-V. All three Hyper-V vulnerabilities are rated <\/span><i><span data-contrast=\"auto\">Important<\/span><\/i><span data-contrast=\"auto\">. The other two are an elevation of privilege (EoP) and a security feature bypass.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability and CVE-2022-26931 Windows Kerberos Elevation of Privilege Vulnerability<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">These two vulnerabilities are notable as EoP vulnerabilities rated \u201cCritical.\u201d The Active Directory vulnerability, CVE-2022-26923, is also notable as one of the \u201cExploitation More Likely\u201d vulnerabilities this month. 
While these are EoP rather than remote code execution (RCE) vulnerabilities, they\u2019re worth prioritizing: an attacker who already has a foothold on the network could use them to take control of the Active Directory environment and create high-privilege accounts for persistence, lateral movement and further attacks on the network.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">LDAP Remote Code Execution Vulnerabilities<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">These vulnerabilities are notable as RCE vulnerabilities affecting LDAP, which is a part of the Active Directory infrastructure. This month sees a total of 10 LDAP RCEs, all rated Important. None of them is publicly disclosed or exploited, and all are marked \u201cExploitation Less Likely.\u201d It\u2019s worth considering these vulnerabilities alongside the Active Directory and Kerberos vulnerabilities mentioned above. 
It\u2019s also worth remembering last month\u2019s clutch of LDAP, Active Directory, and DNS vulnerabilities.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Taken together, these past two months\u2019 patch releases indicate that organizations should take special care to test and prioritize patches for their Active Directory servers and infrastructure.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-84538\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart3.png\" alt=\"\" width=\"640\" height=\"426\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart3.png 2934w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart3.png?resize=300,200 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart3.png?resize=768,512 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart3.png?resize=1024,682 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart3.png?resize=1536,1023 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/2205-chart3.png?resize=2048,1365 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><b><span data-contrast=\"auto\">Sophos protection<\/span><\/b><span data-contrast=\"none\">\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span data-contrast=\"auto\">As every month, if you don\u2019t want to wait for your system to pull down the updates itself, you can download them manually from the Windows Update Catalog website. 
Run the winver.exe tool to determine which build of Windows 10 or 11 you\u2019re running, then download the Cumulative Update package for your particular system\u2019s architecture and build number.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/05\/10\/hyper-v-and-active-directory-front-and-center-for-may-patch-tuesday\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/shutterstock_681857038.jpg\"\/><\/p>\n<p><strong>Credit to Author: Christopher Budd| Date: Tue, 10 May 2022 17:47:43 +0000<\/strong><\/p>\n<p>Organizations should look at last month\u2019s and this month\u2019s bulletins and put their Hyper-V and Active Directory servers and infrastructure at the top of the priority list.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[20790,10516,19245,18513,16771,10525],"class_list":["post-19003","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-hyper-v","tag-microsoft","tag-patch-tuesday","tag-sophoslabs-uncut","tag-threat-research","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replie
s":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19003"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19003\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19003"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
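Worked example for the manual-update step in the article (determine the build with winver.exe, then fetch the matching cumulative update from the Windows Update Catalog). This is an added example, not code from the Sophos post or from Sophos tooling. It reads the same registry values winver.exe displays and checks whether a KB you supply is installed, locally or across a list of hosts such as your domain controllers. The $KbId and $ComputerName parameters and the script name are this example's own; the KB number comes from the Update Catalog entry for your build, and none is assumed here.

```powershell
<#
  Added example, not part of the Sophos post or of any Sophos tooling.
  Reports the Windows build the way winver.exe does and checks whether a
  cumulative-update KB is installed, locally or on a list of hosts (for
  instance your domain controllers). $KbId is whatever KB number the Windows
  Update Catalog lists for your build; no KB number is assumed here.
  Usage:  .\Check-CumulativeUpdate.ps1 -KbId KB1234567 -ComputerName DC01,DC02
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^KB\d+$')]
    [string]$KbId,
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Same registry values winver.exe displays. CurrentBuild.UBR is the full build
# number; the UBR part is what each cumulative update bumps.
$buildQuery = {
    $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product        = $k.ProductName
        DisplayVersion = $k.DisplayVersion   # e.g. 21H2; absent on older builds
        Build          = '{0}.{1}' -f $k.CurrentBuild, $k.UBR
        Architecture   = (Get-CimInstance Win32_OperatingSystem).OSArchitecture
    }
}

function Get-WindowsBuildInfo {
    param([string]$Computer)
    if ($Computer -eq $env:COMPUTERNAME) { & $buildQuery }
    else { Invoke-Command -ComputerName $Computer -ScriptBlock $buildQuery }
}

function Test-KbInstalled {
    param([string]$Computer, [string]$Kb)
    # Get-HotFix reads Win32_QuickFixEngineering, the same list Windows shows
    # under "View update history"; -Id matches the KB identifier exactly.
    $hotfix = Get-HotFix -ComputerName $Computer -Id $Kb -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

foreach ($c in $ComputerName) {
    $info = Get-WindowsBuildInfo -Computer $c
    [pscustomobject]@{
        Computer     = $c
        Product      = $info.Product
        Version      = $info.DisplayVersion
        Build        = $info.Build
        Architecture = $info.Architecture
        Kb           = $KbId
        KbInstalled  = (Test-KbInstalled -Computer $c -Kb $KbId)
    }
}
```

Pick the Catalog package whose architecture and build match the Architecture and Build columns. If KbInstalled reports false but the Build column already shows the revision number that the KB's own page lists, the update is present: the UBR is the more reliable indicator, since Get-HotFix only reflects what the QFE inventory recorded. Remote hosts need PowerShell remoting enabled for Invoke-Command and WMI access for Get-HotFix.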