
March 2022 Patch Tuesday: Time to cover the basics

Patch Tuesday for March 2022 arrives during a shifting landscape of geopolitical machinations that has cybersecurity defenders on edge. Microsoft issued 71 security fixes this month, with CVE-2022-24508 and CVE-2022-23277 worthy of the top of your priority lists, but you shouldn’t stop there. Now is a great time to audit environments to make sure you don’t have unpatched or unsupported appliances or software still in production.

C-suites and other decision makers might have a newfound interest in pushing for cybersecurity improvements; be mindful not to let this new pressure compel cramming months of security and infrastructure improvements into a few days. Building a sound foundation of the basics first (MFA, an endpoint detection and response solution on all workstations and servers, and robust patch management) can significantly improve the defensive capabilities of an environment in a timelier manner.

Microsoft Vulnerabilities

March offers another month of relatively tame security fixes from Microsoft—71 in total, with 3 zero-days and 10 marked as “Exploitation More Likely”. Even though none of these are marked as “Exploitation Detected”, don’t rest on your laurels. Use this opportunity to play catchup on any outstanding patches, upgrades, or firmware updates across your estate. Most current malicious threat actor campaigns aren’t using unknown vulnerabilities; they are using tried and true methods against vulnerabilities that have had updates, fixes, or mitigation workarounds available for months or years.

As mentioned above, CVE-2022-24508 and CVE-2022-23277 are the two vulnerabilities of note this month. CVE-2022-24508 affects Windows SMBv3, so exposure is potentially wide-ranging for anyone supporting a PC environment. It is also marked as “Exploitation More Likely”, and a proof of concept for attacks already exists. CVE-2022-23277 is an RCE affecting Microsoft Exchange Server 2013, 2016, and 2019. With Exchange being a favorite target over the past year and SMBv3 being so pervasive, there is a good chance these will be the first of this month’s vulnerabilities to see successful attacks in the wild.


Vulnerability Prioritization

It is important to prioritize vulnerabilities not just by their severity but also by their exploitation likelihood. Vulnerabilities marked as “Exploitation More Likely” are as important, and some would say more important, to address quickly because of their increased likelihood of causing actual impact to an environment. The following CVEs from Microsoft should be at the top of the list, as each is marked “Exploitation More Likely”, “Exploitation Detected”, or “Critical”.

| CVE | Description | Exploitability | Severity |
| --- | --- | --- | --- |
| CVE-2022-23277 | Microsoft Exchange Server RCE | Exploitation More Likely | Critical |
| CVE-2022-22006 | HEVC Video Extensions RCE | Exploitation Less Likely | Critical |
| CVE-2022-24501 | VP9 Video Extensions RCE | Exploitation Less Likely | Critical |
| CVE-2022-24508 | Windows SMBv3 Client/Server RCE | Exploitation More Likely | Important |
| CVE-2022-23286 | Windows Cloud Files Mini Filter Driver Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-23285 | Remote Desktop Client Remote Code Execution Vulnerability | Exploitation More Likely | Important |
| CVE-2022-23253 | Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Exploitation More Likely | Important |
| CVE-2022-24507 | Windows Ancillary Function Driver for WinSock Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-24502 | Windows HTML Platforms Security Feature Bypass | Exploitation More Likely | Important |
| CVE-2022-23299 | Windows PDEV Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-23294 | Windows Event Tracing RCE | Exploitation More Likely | Important |
| CVE-2022-21990 | Remote Desktop Client RCE | Exploitation More Likely | Important |
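The ordering rule above (exploitation likelihood first, then severity) applied to this month’s table, as an added example that is not part of the N‑able post; the `zero_day` flag is a constructed field, since the post counts 3 zero-days without naming them, and a severity-only key is included to show how the two orderings differ for the SMBv3 entry:

```python
"""Rank this month's Microsoft CVEs by exploitability first, then severity.
Added example, not from the N-able post; the CVE table is copied from the post
and the zero_day flag is a constructed field (the post does not name its 3)."""
from dataclasses import dataclass

# Lower rank value means patch sooner.
EXPLOITABILITY_RANK = {"Exploitation Detected": 0,
                       "Exploitation More Likely": 1,
                       "Exploitation Less Likely": 2}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

@dataclass(frozen=True)
class Vuln:
    cve: str
    description: str
    exploitability: str
    severity: str
    zero_day: bool = False  # constructed flag, not published per CVE in the post

def priority_key(v: Vuln) -> tuple:
    """The post's rule: zero-days and 'Exploitation Detected' first, then
    'Exploitation More Likely', then the rest; severity orders within a tier."""
    exploit_rank = 0 if v.zero_day else EXPLOITABILITY_RANK[v.exploitability]
    return (exploit_rank, SEVERITY_RANK[v.severity], v.cve)

def severity_only_key(v: Vuln) -> tuple:
    """The traditional severity-first ordering, kept for comparison."""
    return (SEVERITY_RANK[v.severity], EXPLOITABILITY_RANK[v.exploitability], v.cve)

def prioritize(vulns: list) -> list:
    """Return the vulnerabilities in the order they should be patched."""
    return sorted(vulns, key=priority_key)

# This month's table as published in the post (descriptions abbreviated).
MARCH_2022 = [
    Vuln("CVE-2022-23277", "Exchange Server RCE", "Exploitation More Likely", "Critical"),
    Vuln("CVE-2022-22006", "HEVC Video Extensions RCE", "Exploitation Less Likely", "Critical"),
    Vuln("CVE-2022-24501", "VP9 Video Extensions RCE", "Exploitation Less Likely", "Critical"),
    Vuln("CVE-2022-24508", "Windows SMBv3 Client/Server RCE", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-23286", "Cloud Files Mini Filter EoP", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-23285", "Remote Desktop Client RCE", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-23253", "PPTP Denial of Service", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-24507", "AFD for WinSock EoP", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-24502", "Windows HTML Platforms SFB", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-23299", "Windows PDEV EoP", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-23294", "Windows Event Tracing RCE", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-21990", "Remote Desktop Client RCE", "Exploitation More Likely", "Important"),
]
```

Under `priority_key` the SMBv3 RCE (CVE-2022-24508) lands ahead of the two “Exploitation Less Likely” Critical video codec bugs, whereas `severity_only_key` would put it behind them.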

Cumulative Updates

KB5011487 (OS Builds 19042.1586, 19043.1586, and 19044.1586) and KB5011485 (OS Build 18363.2158) contain an assortment of bug fixes, including fixes for Microsoft Edge Internet Explorer mode and for a Windows reset bug that did not delete all OneDrive data when a computer was reset with the “Remove Everything” option.


Summary

If you’re feeling pressure from stakeholders to react to global concerns, make sure you’re addressing security basics and following the NIST Cybersecurity Framework, CIS 18 Controls, or another collection of recognized security controls. Also keep things in perspective: spending days of labor and capex to put an expensive lock on an attic window doesn’t do you any good if your front door is always open. Make sure the basics are being covered.

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only applied patches based on their severity, consider adding prioritization of zero-day, “Exploitation Detected”, and “Exploitation More Likely” vulnerabilities to your patch management routines.

Lewis Pope is the head security nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
