Microsoft’s May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft has revealed 73 new patches for May’s monthly update of security fixes, including a patch for one flaw–a zero-day Windows LSA Spoofing Vulnerability rated as “important”—that is currently being exploited with man-in-the-middle attacks.

The software giant’s monthly update of patches that comes out every second Tuesday of the month–known as Patch Tuesday—also included fixes for seven “critical” flaws, 65 others rated as “important,” and one rated as “low.”

Given that Microsoft released a record number of patches in April, May’s patch tally is relatively low, but still includes a number of notable flaws that deserve attention, researchers said.
Infosec Insiders Newsletter

“Although this isn’t a large number, this month makes up for it in severity and infrastructure headaches,” observed Chris Hass, director of security at security firm Automox, in an email to Threatpost. “The big news is the critical vulnerabilities that need to be highlighted for immediate action.”

Of the seven critical flaws, five allow for remote code execution (RCE) and two give attackers elevation of privilege (EoP). The remainder of the flaws also include a high percentage of RCE and EoP bugs, with the former accounting for 32.9 percent of the flaws patched this month, while the latter accounted for 28.8 percent of fixes, according to a blog post by researchers at Tenable.

The Windows LSA Spoofing Vulnerability, tracked as CVE-2022-26925, in and of itself was not rated as critical. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8, noted Allan Liska, a senior security architect at Recorded Future, in an e-mail to Threatpost.

Moreover, the flaw—which allows an unauthenticated attacker to coerce domain controllers to authenticate to an attacker-controller server using NTLM–is being exploited in the wild as a zero-day, he said. This makes it a priority to patch, Liska added, echoing guidance from Microsoft.

Critical Infrastructure Vulnerabilities

Of the other critical RCE flaws patched by Microsoft, four are worth noting because of their presence in infrastructure that’s fairly ubiquitous in many enterprise and/or cloud environments.

One is tracked as CVE-2022-29972 and is found in Insight Software’s Magnitude Simba Amazon Redshift ODBC Driver, and would need to be patched by a cloud provider—something organizations should follow up on, Liska said.

CVE-2022-22012 and CVE-2022-29130 are RCE vulnerabilities found in Microsoft’s LDAP service that are rated as critical. However, a caveat by Microsoft in its security bulletin noted that they are only exploitable “if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.” That means that systems with the default value of this policy would not be vulnerable, the company said.

While “having the MaxReceiveBuffer set to a higher value than the default” seems an “uncommon configuration,” if an organization has this setting, it should prioritize patching these vulnerabilities, Liska observed.

Another critical RCE, CVE-2022-26937, is found in the Network File System (NFS) and has broad impact for Windows Server versions 2008 through 2022. However, this vulnerability only affects NFSV2 and NFSV3, and Microsoft has included instructions for disabling these versions of the NFS in the bulletin.

At the same time, Microsoft characterized the ease of exploitation of these vulnerabilities as “Exploitation More Likely,” as was the case with a similar vulnerability, CVE-2021-26432, an actively exploited zero day in the TCP/IP protocol stack in Windows server that was patched in August 2021.

“Given the similarities between these vulnerabilities and those of August of 2021, we could all be in store for a rough May,” Liska noted.

Another Important Flaw Fixed

Of the other flaws, another “important” one to note is CVE-2022-22019, a companion vulnerability to three previously disclosed and patched flaws found in Microsoft’s Remote Procedure Call (RPC) runtime library.

The vulnerability, discovered by Akamai researcher Ben Barnea, takes advantage of three RPC runtime library flaws that Microsoft had patched in April–CVE-2022-26809, CVE-2022-24492 and CVE-2022-24528, he revealed in a blog post Tuesday. The flaws affected Windows 7, 8, 10 and 11, and Windows Servers 2008, 2012, 2019 and 2022, and could allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service.

Akamai researchers discovered that the previous patch only partially addressed the problem, allowing the new vulnerability to create the same integer overflow that was supposed to be fixed, he explained.

“During our research, we found that right before allocating memory for the new coalesced buffer, the code adds another 24 bytes to the allocation size,” Barnea wrote in the post. “These 24 bytes are the size of a struct called ‘rpcconn_request_hdr_t,’ which serves as the buffer header.”

The previous patch performs the check for integer overflow before adding the header size, so it does not take into account this header–which can lead to the same integer overflow that the patch was attempting to mitigate, he explained.

“The new patch adds another call to validate that the addition of 24 bytes does not overflow,” mitigating the problem, Barnea wrote.