Microsoft Patch Tuesday Summary
Microsoft has fixed 75 vulnerabilities in the May 2022 update, including one (1) advisory (ADV220001) for Azure in response to CVE-2022-29972, a publicly exposed Zero-Day Remote Code Execution (RCE) Vulnerability, and eight (8) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE) or Elevation of Privileges. This month’s Patch Tuesday release includes fixes for two (2) other zero-day vulnerabilities as well, one (1) known to be actively exploited (CVE-2022-26925) and the other for being publicly exposed (CVE-2022-22713).
Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.
Notable Microsoft Vulnerabilities Patched
This month’s advisory covers multiple Microsoft product families, including Azure, Developer Tools, Extended Security Update (ESU), Exchange Server, Microsoft Office, and Windows. A total of 97 unique Microsoft products/versions are affected.
Downloads include Monthly Rollup, Security Only, Security Update, and ServicingStackUpdate.
CVE-2022-21978 | Microsoft Exchange Server Elevation of Privilege Vulnerability
This vulnerability has a CVSSv3.1 score of 8.2/10.
Successful exploitation of this vulnerability requires the attacker to be authenticated to the Exchange Server as a member of a high privileged group.
Exploitability Assessment: Exploitation Less Likely.
CVE-2022-22012 and CVE-2022-29130 | Windows LDAP Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 9.8/10.
An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account.
This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. For more information, please see LDAP policies.
Exploitability Assessment: Exploitation Less Likely.
CVE-2022-22017 | Remote Desktop Client Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim’s system in the context of the targeted user.
Exploitability Assessment: Exploitation More Likely.
CVE-2022-26913 | Windows Authentication Security Feature Bypass Vulnerability
This vulnerability has a CVSSv3.1 score of 7.4/10.
An attacker who successfully exploited this vulnerability could carry out a Man-in-the-Middle (MITM) attack and could decrypt and read or modify TLS traffic between the client and server. There is no impact to the availability of the attacked machine (A:N).
Exploitability Assessment: Exploitation Less Likely.
CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
Exploitability Assessment: Exploitation More Likely.
CVE-2022-26937 | Windows Network File System Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 9.8/10.
This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).
This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV2 and NFSV3. This may adversely affect your ecosystem and should only be used as a temporary mitigation.
Exploitability Assessment: Exploitation More Likely.
CVE-2022-29108 | Microsoft SharePoint Server Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability.
Exploitability Assessment: Exploitation More Likely.
CVE-2022-29133 | Windows Kernel Elevation of Privilege Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
Exploitability Assessment: Exploitation Less Likely.
About Qualys Patch Tuesday
Qualys Patch Tuesday QIDs are published as Security Alerts typically late in the evening on the day of Patch Tuesday followed later by the publication of the monthly queries for the Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard by Noon on Wednesday.
Qualys Monthly Webinar Series
The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Patch Management (PM). Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Patch Management.