Windows 11 patches

Microsoft’s massive 145-vulnerability Patch Tuesday fixes 10 critical exploits

This month's round of patches is now available with some exploits proving to be particularly dangerous
Image: Getty via Dennis

13 April 2022

Microsoft has patched considerably more than 100 security vulnerabilities this week, as part of its monthly Patch Tuesday, including 10 rated ‘critical’.

The 145 now-fixed vulnerabilities were dominated by privilege escalation flaws and remote code execution (RCE) vulnerabilities, a total of 55 and 47 respectively. Denial of service, information disclosure, and spoofing flaws comprised the majority of the remainder.

Of the 10 critical-rated vulnerabilities, three of them scored nearly maximum marks (9.8), representing a serious threat to organisations.

 




 

All three 9.8-rated vulnerabilities are RCE flaws that require a low degree of attack complexity in order to exploit, two of which are wormable, according to Zero Day Initiative (ZDI).

The first of the two wormable flaws is CVE-2022-26809, a flaw that could allow an attacker to execute arbitrary code on a machine with high privileges. The static port used in this exploit (TCP port 135) is usually blocked at the network perimeter, ZDI said, but it’s still a highly dangerous vulnerability that should be patched swiftly.

The second wormable attack can be exploited through a combination of two vulnerabilities amounting to a critical rating, both affecting the Windows Network File System (NFS) and tracked as CVE-2022-24491 and CVE-2022-24497.

“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction,” said ZDI. “Again, that adds up to a wormable bug – at least between NFS servers.

“Similar to RPC, this is often blocked at the network perimeter. However, Microsoft does provide guidance on how the RPC port multiplexer (port 2049) ‘is firewall-friendly and simplifies deployment of NFS.’ Check your installations and roll out these patches rapidly.”
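One way to act on "check your installations" on a Windows host, as an added example that is not part of the original article: it reports whether the Server for NFS role is installed, which of the two ports named above (TCP 135 and 2049) have non-loopback listeners, and which enabled inbound allow rules cover them. It assumes the built-in NetTCPIP and NetSecurity modules, and the variable names are illustrative.

```powershell
# Added example: local exposure audit for TCP 135 (RPC) and TCP 2049 (NFS).
$watch = @{
    135  = 'RPC endpoint mapper (CVE-2022-26809)'
    2049 = 'NFS (CVE-2022-24491 / CVE-2022-24497)'
}

# 1. Is the Server for NFS role installed? Get-WindowsFeature ships only
#    with Windows Server, so skip the check where the cmdlet is missing.
$nfsInstalled = 'unknown (Get-WindowsFeature not available)'
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $nfsInstalled = (Get-WindowsFeature -Name FS-NFS-Service).Installed
}

# 2. Which watched ports have a listener bound to a non-loopback address?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object {
        $watch.ContainsKey([int]$_.LocalPort) -and
        $_.LocalAddress -notin @('127.0.0.1', '::1')
    } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Service'; Expression = { $watch[[int]$_.LocalPort] } }

# 3. Which enabled inbound allow rules cover those ports over TCP?
#    'RPCEPMap' is the firewall keyword for the RPC endpoint mapper (135).
#    Port ranges (for example '100-200') are not expanded by this check.
$tokens = @('135', '2049', 'RPCEPMap', 'Any')
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $hits = @($port.LocalPort | Where-Object { $_ -in $tokens })
        if ($port.Protocol -in @('TCP', 'Any') -and $hits.Count -gt 0) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    }

"Server for NFS installed: $nfsInstalled"
$listeners | Format-Table -AutoSize
$rules | Sort-Object Rule | Format-Table -AutoSize
```

A rule whose RemoteAddress is `Any` on a Public or Domain profile is the one to review first, since the perimeter block the article mentions does nothing for traffic that originates inside the network.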

Another of the more notable vulnerabilities was CVE-2022-26904. Found jointly by CrowdStrike and the US National Security Agency, it’s a privilege escalation issue that can be exploited if an attacker can win a race condition.

Microsoft categorised the flaw as ‘high’ complexity to exploit, and said there is functional proof-of-concept (PoC) code available that works in most situations where the vulnerability exists.

Its CVSS v3 score of 7.0 is lower than those of the aforementioned critical vulnerabilities, but ZDI noted that a functional Metasploit module is also available for CVE-2022-26904. This means the widely abused penetration testing software now has pre-built functionality to exploit the security vulnerability, making attacks easier for cyber criminals.

As with all security vulnerabilities and especially zero-day exploits, businesses are urged to apply the patches as soon as possible to prevent cyber attacks and potential data loss. Now that these vulnerabilities are published, prospective attackers can analyse the exploit methodology and use it to their advantage.

Full details of this week’s round of patches can be found in Microsoft’s detailed rundown.

Future Publishing


TechCentral.ie