Microsoft closes Windows LSA hole under active attack • The Register

Microsoft has fixed 74 security flaws in its batch of May Patch Tuesday updates. These comprise seven critical bugs, 66 rated important and one rated low severity.

According to Redmond, at least one of the disclosed vulnerabilities is under active attack with public exploit code, while two others are listed as having public exploit code.

After April’s astonishing 100 vulnerabilities, May’s patch event looks tame by comparison. However, “this month offsets the gravity and the infrastructure headaches,” Chris Hass, chief security officer at Automox, told The Register. “The big news is the critical vulnerabilities that need to be highlighted for immediate action.”

The bug that is being exploited in the wild is a Windows LSA (Local Security Authority) spoofing vulnerability tracked as CVE-2022-26925. According to Microsoft, an unauthenticated attacker could “coerce the domain controller into authenticating to the attacker using NTLM”.

Malefactors could achieve this via a man-in-the-middle attack, in which they inject themselves into the logical network path between the target and the requested resource. While the software giant rated the complexity of the attack as “high”, it also noted that the vuln was under active attack. So “someone must have figured out how to do this,” Trend Micro’s Dustin Childs wrote on the Zero Day Initiative blog. The vulnerability was reported to Microsoft by, we are told, Raphael John of the Bertelsmann Printing Group.

Additionally, although the bug received a CVSS severity score of 8.3, if chained with last year’s NTLM relay attacks, the combined CVSS score would be 9.8, according to Microsoft. In addition to applying the patch, Redmond recommends consulting support document KB5005413 for more information on protecting networks against NTLM relay attacks. And if it wasn’t already clear, prioritize the CVE-2022-26925 fix now.

Finally, we’re told the fix affects backups and Server 2008 SP2, so see the support file above for help with that.

And we’re curious why, after making a huge fuss over a single local privilege escalation vulnerability in the Linux world last month and giving it the catchy codename Nimbuspwn, Redmond didn’t name the flaw above, nor any of the approximately 20 other LPEs patched this month. Can we suggest Nadellapwn for starters? Or LoSAh?

Two publicly disclosed bugs

Two other bugs in this month’s Patch Tuesday group are listed as having publicly leaked exploit code. Of the two, Microsoft says exploitation of CVE-2022-29972 is more likely. This is a vulnerability in Azure Data Factory and Azure Synapse pipelines that is specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse and Azure Data Factory Integration Runtime (IR) pipelines.

An attacker could exploit this bug to “perform remote command execution on IR infrastructure not limited to a single tenant,” Microsoft wrote in a security alert.

The second publicly disclosed bug, CVE-2022-22713, is a denial of service vulnerability in Windows Hyper-V. Microsoft says exploiting this is less likely and requires an attacker to win a race condition.

Another interesting bug in this month’s group is a Windows Network File System (NFS) remote code execution vulnerability that received a CVSS score of 9.8. It is tracked as CVE-2022-26937, and it can be exploited by an unauthenticated remote user to create a call to an NFS service and then execute malicious code.

It should be noted that the default configuration of Windows devices is not vulnerable, Kevin Breen, director of cyber threat research at Immersive Labs, told The Register. That is, the vulnerable NFS feature is not enabled by default.

Still, “these types of vulnerabilities will potentially attract ransomware operators because they could lead to the kind of critical data exposure that is often part of a ransom attempt,” he added.

Another eye-catching bug is CVE-2022-26923, a privilege escalation flaw in Active Directory Domain Services, discovered by Oliver Lyak of the Institute for Cyber Risk in Denmark and reported via ZDI. Essentially, any domain-authenticated user can become a domain admin if the vulnerable services are running on the domain, which is scary. You’ll want to patch that too, IT folks.

Adobe fixes 18 CVEs

Meanwhile, Adobe released five security updates for 18 CVEs across its Adobe Character Animator, Adobe ColdFusion, Adobe InDesign, Adobe Framemaker, and Adobe InCopy products.

Ten of them occur in Adobe Framemaker, and nine of those ten are critical with CVSS scores of 7.8. Among the ten are out-of-bounds (OOB) write flaws and use-after-free flaws that could lead to remote code execution.

Google fixes privilege escalation vulnerabilities

During its May patch round, Google patched 36 Android flaws earlier this month. The most serious bug, which the cloud giant called a “high security vulnerability,” occurs in the Android Framework component and could lead to local elevation of privileges by malicious apps.

Google released a patch for this and three other high security privilege escalation vulnerabilities in Framework, as well as a moderate security information disclosure bug.

SAP joins the patch party

And finally, SAP released 17 new and updated security patches this month. This includes six patches to fix the critical Spring4Shell remote code execution vulnerability in SAP applications.

Additionally, SAP security advisory #3145046 addresses a cross-site scripting vulnerability that has been assigned a CVSS score of 8.3. Onapsis Research Labs, which helped with this flaw, said it exists in the ICM administration user interface (UI) in SAP Application Server ABAP/Java, and in the administration UI of SAP Web Dispatcher, both standalone and embedded in (A)SCS instances.

“The only thing preventing this vulnerability from being marked with a higher CVSS is the fact that an attacker must trick a victim into logging into the admin UI using a browser and that the attack is very complex,” the researchers wrote. ®