Microsoft’s huge April Patch Tuesday contains one issue that has already been openly disclosed and one that has already been used in the wild.
Microsoft, known for products like Microsoft 365 corrected over 100 issues, including Ten serious RCE vulnerabilities.
But first, CVE-2022-24521, which was disclosed to Microsoft by U.S. National Security Agency and security experts, is being actively exploited. It’s an elevation-of-privilege flaw that affects the Windows Common Log File System Driver.
Whereas its severity ranking was not as extreme as some — it obtained a 7.8 CVSS score, which is equivalent to “essential” — Microsoft known for products like Microsoft Teams claimed that the assault complexity is modest. It may be used by malicious software and users to get administrative access on a logged-in PC.
As a result of this, and the fact that it is already being aggressively exploited, it ought to be “near the top of the priority list in April,” as per the head of cyber threat research at a cyber skills platform. “Because it is the type of vulnerability for escalation privileges — this would suggest that a malicious attacker is now using it to assist lateral movement in order to capitalize on a pre-existing foothold,” he explained.
The director further remarked on the large number of privilege escalation vulnerabilities identified by Microsoft as “more probable to be exploited.”
“This illustrates its growing popularity as a technique, allowing for lateral migration to crucial and high-value areas after hackers gain first access,” said the director.
CVE-2022-24521 has been exploited, although the attack code is not publicly available, as per the company. CVE-2022-26904, a companion privilege-escalation vulnerability, has had its attack publicly reported, albeit no malevolent exploit is known to have occurred as of now.
This bug in Windows User Profile Service has a CVSS severity score of 7.0, indicating that it is critical, and Microsoft rated its assault complexity as severe because “effective utilization of this vulnerability needs a hacker to survive a race condition.” That could clarify why no one has used it yet. It can be misused to increase a normal user’s privileges.
According to the Zero Day Initiative post, there is not only a proof-of-concept attack for this flaw but also a Metasploit module. As a result, most of the groundwork has been done for potential hackers. The criteria for exploitation are rather complicated.
A remote procedure call runtime Remote code execution vulnerability (CVE-2022-26809) and two Windows Network File System Remote code execution vulns are among several prominent high-severity issues in Microsoft’s this month’s patch-a-thon (CVE-2022-24491 and CVE-2022-24497).
All 3 of these Remote code execution vulnerabilities obtained a CVSS ranking of 9.8, indicating that they are among the worst of the worst.
CVE-2022-26809 is a low-complexity vulnerability identified in Microsoft’s SMB function. An intruder would transmit a specially designed RPC to a remote procedure call host system to exploit this flaw, according to the company. As per the security assessment, this could result in remote code execution on the server-side with roughly the same capabilities as the RPC service. The company also advocated restricting TCP port 445 at the perimeter firewall to avoid new internet-based threats.
Moreover, the two Windows Network File System vulnerabilities (CVE-2022-24491 and CVE-2022-24497) obtained a 9.8 CVSS score, and the corporation stated that exploitation is “more probable.”
On systems with the Windows Network File System role activated, a malicious hacker might launch their code on an impacted system with high privileges and without user involvement, once more, all of this starts to add up to a wormable flaw – at least across Windows Network File System servers.
These vulnerabilities would’ve been enticing to ransomware perpetrators since they have the ability to reveal sensitive information, according to the director.