Actively exploited vulnerability in Windows | Kaspersky official blog
Credit to Author: Editorial Team| Date: Wed, 11 May 2022 18:11:21 +0000
In the latest Patch Tuesday, Microsoft has released updates for 74 vulnerabilities. At least one of them is already being actively exploited by attackers, so it’s a good idea to install the patches as soon as possible.
CVE-2022-26925, the most dangerous of the addressed vulnerabilities
Apparently, the most dangerous vulnerability addressed in the recent update pack is CVE-2022-26925, in the Windows Local Security Authority. On its own, the vulnerability scores 8.1 on the CVSS scale, which is relatively low. However, Microsoft representatives believe that when it is used in NTLM relay attacks against Active Directory Certificate Services, the severity of that combination rises to CVSS 9.8. The reason for the higher severity is that in such a scenario CVE-2022-26925 could allow an attacker to authenticate to a domain controller.
The vulnerability affects operating systems from Windows 7 onward (Windows Server 2008 onward for server systems). Microsoft didn’t go into details about how the vulnerability is being exploited; however, judging by the description of the problem, unknown attackers are already actively using exploits for CVE-2022-26925 in the wild. The good news is that, according to experts, exploiting this vulnerability in real attacks is quite difficult.
The fix detects and denies anonymous connection attempts to the Local Security Authority Remote Protocol. However, according to the official FAQ, installing this update on Windows Server 2008 SP2 may affect backup software.
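As an added illustration (not from the Kaspersky post), the following Python snippet shows the defender-side check that corresponds to the fix: it scans Windows Security event 4624 records for anonymous NTLM network logons and tallies them per source address. The log lines, their flat field layout and the IP addresses are constructed for the example; the field names follow the real 4624 schema.

```python
# Added example, not code from the Kaspersky post: flag anonymous NTLM
# network logons (event 4624) and count them per source address.
import re
from collections import Counter

# Constructed sample records (not real telemetry), one event per line.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY AuthenticationPackageName=NTLM IpAddress=10.0.0.45 WorkstationName=-
EventID=4624 LogonType=3 TargetUserName=jdoe TargetDomainName=CORP AuthenticationPackageName=Kerberos IpAddress=10.0.0.12 WorkstationName=WS12
EventID=4624 LogonType=2 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY AuthenticationPackageName=NTLM IpAddress=127.0.0.1 WorkstationName=DC01
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY AuthenticationPackageName=NTLM IpAddress=10.0.0.45 WorkstationName=-
EventID=4625 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY AuthenticationPackageName=NTLM IpAddress=10.0.0.77 WorkstationName=-
"""


def parse_event(line: str) -> dict:
    """Parse one flat 'Field=Value' record; values may contain spaces,
    so each value runs up to the next ' Field=' token or end of line."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def is_anonymous_ntlm_network_logon(ev: dict) -> bool:
    """Successful logon (4624), network logon (type 3), anonymous account,
    NTLM package. Loopback sources are excluded as routine local noise."""
    return (
        ev.get("EventID") == "4624"
        and ev.get("LogonType") == "3"
        and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"
        and ev.get("AuthenticationPackageName") == "NTLM"
        and ev.get("IpAddress") not in ("127.0.0.1", "::1", "-")
    )


def suspicious_sources(events_text: str) -> dict:
    """Count flagged logons per source IP so repeated probing stands out."""
    hits = Counter()
    for line in events_text.splitlines():
        ev = parse_event(line)
        if is_anonymous_ntlm_network_logon(ev):
            hits[ev["IpAddress"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} anonymous NTLM network logon(s)")
```

Anonymous network logons also occur legitimately in many domains, so treat hits as triage candidates to correlate with patch status and AD CS activity, not as confirmed exploitation.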
Other vulnerabilities
In addition to CVE-2022-26925, the latest update fixes several more vulnerabilities with the “critical” severity level. Among them are the CVE-2022-26937 RCE vulnerability in the Windows Network File System (NFS), as well as CVE-2022-22012 and CVE-2022-29130, two RCE vulnerabilities in the LDAP service.
Two other vulnerabilities were also already known to the public at the time the patches were published: CVE-2022-29972, a bug in Insight Software’s Magnitude Simba Amazon Redshift driver, and CVE-2022-22713, a DoS vulnerability in Windows Hyper-V. However, attempts to exploit them have not yet been detected.
How to stay protected
First and foremost, install the recent updates from Microsoft. If for some reason that is impossible in your environment, refer to the FAQs, Mitigations, and Workarounds section of Microsoft’s official May 2022 Security Updates guide. Hopefully, one of the methods described there can be used to protect against the vulnerabilities that are relevant to your infrastructure.
For our part, we recommend protecting every device connected to the Internet with a reliable security solution that can detect exploitation of yet unknown vulnerabilities.