Multiple Windows Zero-Days Identified (CVE-2022-24521, CVE-2022-26904 and CVE-2022-26809)

We would like to bring to your attention, that Windows recently has addressed a total of 128 security vulnerabilities. 10 of these 128 vulnerabilities are rated with the severity Critical. Security patches for these vulnerabilities were made available by Microsoft. In the following sections, we are commenting on the ones that stuck out the most and have serious impact and risk to organizations.


2 Critical Zero-Days that lead to Privilege Escalation


Description


The actively exploited flaw identified by CVE-2022-24521 was found in the Windows Common Log File System (CLFS) and leads to Privilege Escalation on successful exploitation.


The second flaw exploited in the wild is identified by CVE-2022-26904 and leads to the elevation of privileges in the Windows User Profile Service. To successfully exploit this flaw the attacker needs access to the local system and to win a race condition. Other requirements to exploit this flaw are the following:

  • The credentials of another user on the system, different from the user the attacker is logged in as

  • A domain the second user belongs to

Proof of Concept code is publicly available for this vulnerability.


Mitigation


We recommend applying the latest available security patches to mitigate these vulnerabilities.

Vulnerabilities in the Windows RPC Runtime lead to Remote Code Execution


Description


The Windows RPC Runtime was found to be vulnerable to 3 Remote Code Execution vulnerabilities identified by CVE-2022-24528, CVE-2022-24492 and CVE-2022-26809. The CVE-2022-26809 is most likely to be exploited in the wild. Any Windows machine that exposes the port 445 without a security patch for the RPC runtime library in place is vulnerable for exploitation.


Mitigation


We recommend applying the latest available security patches to mitigate these vulnerabilities. To strengthen the general security posture it is also advised to block connections to the RPC Runtime (default port 445) externally when not specifically required by an application or process in place. To mitigate exploitation from the internal network, ensure that only required servers have access to these ports, as it could otherwise allow attackers to laterally move through the environment. Microsoft has released a guide to further secure smb traffic.


Who is affected?


All mentioned vulnerabilities are present across several Windows versions. This includes Windows 7, 8, 10 and 11, as well as Windows Server 2008, 2012, 2016, 2019 and 2022.


Keeping the environment up to date with Windows Autopatch


In regards to keeping the Windows environment up to date, Microsoft is releasing a new ‘Autopatch’ feature in July 2022, which aims to help organizations maintaining the newest versions for installations across the perimeter.


References