We would like to bring to your attention, that Windows recently has addressed a total of 128 security vulnerabilities. 10 of these 128 vulnerabilities are rated with the severity Critical. Security patches for these vulnerabilities were made available by Microsoft. In the following sections, we are commenting on the ones that stuck out the most and have serious impact and risk to organizations.
2 Critical Zero-Days that lead to Privilege Escalation
Description
The actively exploited flaw identified by CVE-2022-24521 was found in the Windows Common Log File System (CLFS) and leads to Privilege Escalation on successful exploitation.
The second flaw exploited in the wild is identified by CVE-2022-26904 and leads to the elevation of privileges in the Windows User Profile Service. To successfully exploit this flaw the attacker needs access to the local system and to win a race condition. Other requirements to exploit this flaw are the following:
-
The credentials of another user on the system, different from the user the attacker is logged in as
-
A domain the second user belongs to
Proof of Concept code is publicly available for this vulnerability.
Mitigation
We recommend applying the latest available security patches to mitigate these vulnerabilities.
Vulnerabilities in the Windows RPC Runtime lead to Remote Code Execution
Description
The Windows RPC Runtime was found to be vulnerable to 3 Remote Code Execution vulnerabilities identified by CVE-2022-24528, CVE-2022-24492 and CVE-2022-26809. The CVE-2022-26809 is most likely to be exploited in the wild. Any Windows machine that exposes the port 445 without a security patch for the RPC runtime library in place is vulnerable for exploitation.
Mitigation
We recommend applying the latest available security patches to mitigate these vulnerabilities. To strengthen the general security posture it is also advised to block connections to the RPC Runtime (default port 445) externally when not specifically required by an application or process in place. To mitigate exploitation from the internal network, ensure that only required servers have access to these ports, as it could otherwise allow attackers to laterally move through the environment. Microsoft has released a guide to further secure smb traffic.
Who is affected?
All mentioned vulnerabilities are present across several Windows versions. This includes Windows 7, 8, 10 and 11, as well as Windows Server 2008, 2012, 2016, 2019 and 2022.
Keeping the environment up to date with Windows Autopatch
In regards to keeping the Windows environment up to date, Microsoft is releasing a new ‘Autopatch’ feature in July 2022, which aims to help organizations maintaining the newest versions for installations across the perimeter.
References
-
https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html
-
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521
-
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904
-
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
-
https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-secure-traffic
-
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopatch-faq/ba-p/3272081
K8s – Pod to Node Escape Techniques
In this article we are exploring the breakout of a pod, to gain access to a node. This is performed by attackers to elevate their privileges…
Rishikesh Bhide joins CovertSwarm as Head of Engineering
Rishikesh joins CovertSwarm to accelerate the organization’s engineering capabilities and product strategy as part of its rapid growth trajectory.
Louis Blackburn joins as Operations Director
Louis joins CovertSwarm from Lloyds Banking Group with an extensive background in red teaming, becoming the latest senior hire as part of the organization’s rapid expansion…