May 2022 Patch Tuesday: Windows LSA Spoofing Illustrates Why Patching Is Sometimes Not Enough

Don’t let big celebrity vulnerabilities suck all the oxygen out of the room. When news about CVE-2022-1388, with a 9.8 severity and affecting F5’s BIG-IP appliances, started making the rounds, I had a lot of SMBs asking if they should be worried. Considering these appliances can cost hundreds of thousands of dollars, it’s safe to assume that most small and medium businesses won’t be affected, but the question they were asking needed an answer, not an assumption.
This is why knowing your estate and being subscribed to alerts from your software and hardware vendors is so important. A team that’s using resources figuring out the implications of a vulnerability for a system they aren’t even using just isn’t efficient. There’s a reason why hardware and software asset-tracking are usually the first controls called for in security frameworks. You can’t defend what you don’t know about.
While CVE-2022-1388 is a significant vulnerability, most teams’ attention needs to be on remediating vulnerabilities like CVE-2022-26925, a Windows LSA Spoofing vulnerability exploited through an NTLM relay attack vector. It potentially affects all misconfigured Windows servers and is already seeing active exploitation. Microsoft is providing additional mitigation instructions because the condition that allows exploitation is the default configuration for Windows servers with specific roles enabled, so the patch alone does not close the hole. If you manage Windows servers, be sure to read Microsoft’s guidance on applying the mitigations.
This Patch Tuesday is a reminder that sometimes just applying a patch isn’t enough. Sometimes it takes extra measures like updating firmware, rebuilding configurations, or applying other mitigations. Proper Patch Management is an important part of your vulnerability remediation and mitigation but it’s not the only part.
Microsoft Patch Tuesday Vulnerability Prioritization
With a total of 75 vulnerabilities being addressed and one zero-day under active exploitation, there aren’t a lot of individual vulnerabilities that are going to require much attention. Approving the CUs and the Critical and Important severity patches will get through the bulk. There are of course those that will require a little more effort from your patching team, since they have additional mitigations advised by Microsoft that will take extra labor to implement this month.
It is important to not just prioritize vulnerabilities based on their severity but also their exploitation likelihood. Vulnerabilities marked as Exploitation More Likely are as important, and some may say even more important, to address quickly due to their increased likelihood to cause actual impacts to an environment. These CVEs from Microsoft should be top of the list as they are all marked as Exploitation More Likely, Exploitation Detected, or Critical.
| CVE | Description | Exploitability | Severity |
|---|---|---|---|
| CVE-2022-26925 | Windows LSA Spoofing | Exploitation Detected | Important |
| | Active Directory Domain Services Elevation of Privilege | Exploitation More Likely | Critical |
| | Windows ALPC Elevation of Privilege | Exploitation More Likely | Important |
| | Windows Kernel Elevation of Privilege | Exploitation More Likely | Important |
| | Windows Print Spooler Elevation of Privilege | Exploitation More Likely | Important |
| | Microsoft SharePoint Server Remote Code Execution | Exploitation More Likely | Important |
| | Windows Print Spooler Elevation of Privilege | Exploitation More Likely | Important |
| | Remote Desktop Client Remote Code Execution | Exploitation More Likely | Critical |
| | Windows Network File System Remote Code Execution | Exploitation More Likely | Critical |
| | Point-to-Point Tunneling Protocol Remote Code Execution | Exploitation More Likely | Critical |
| CVE-2022-29972 | Insight Software: Magnitude Simba Amazon Redshift ODBC Driver | Exploitation More Likely | Critical |
| | Windows Kerberos Elevation of Privilege | Exploitation More Likely | Critical |
| | Windows Network File System Remote Code Execution | Exploitation Less Likely | Critical |
| | Point-to-Point Tunneling Protocol Remote Code Execution | Exploitation Less Likely | Critical |
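The prioritization rule above (exploitation status first, severity second, with a note of which items need vendor mitigation steps beyond the patch) is easy to apply by hand to a dozen rows, but it becomes a script once it runs against an exported release list every month. The following is an added example, not code from the post or from N-able; the `Advisory` record, the `extra_mitigation` flag and the helper functions are this editor's own conventions. The entries are transcribed from the post's table (most rows there carry no CVE ID, so those are left blank), plus one constructed low-priority row to show what falls below the cut.

```python
"""Rank a Patch Tuesday release the way the post recommends:
Exploitation Detected first, then Exploitation More Likely, then the rest,
with Critical ahead of Important inside each tier.
Added example; not the post's or N-able's code.
"""
from dataclasses import dataclass

# Lower number = handle sooner. Unknown labels sort last.
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 0,
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Advisory:
    cve: str                 # blank when the post did not list it
    description: str
    exploitability: str
    severity: str
    extra_mitigation: bool = False  # vendor says the patch alone is not enough


def priority_key(a: Advisory):
    """Sort key: exploitability tier, then severity, then name for stability."""
    return (
        EXPLOITABILITY_RANK.get(a.exploitability, len(EXPLOITABILITY_RANK)),
        SEVERITY_RANK.get(a.severity, len(SEVERITY_RANK)),
        a.description,
    )


def prioritize(advisories):
    """Return the advisories in the order the patching team should work them."""
    return sorted(advisories, key=priority_key)


def attention_list(advisories):
    """The post's cut: Exploitation Detected, Exploitation More Likely, or Critical."""
    return [
        a for a in prioritize(advisories)
        if a.exploitability in ("Exploitation Detected", "Exploitation More Likely")
        or a.severity == "Critical"
    ]


def work_items(advisories):
    """(label, action) pairs so 'patch + vendor mitigation' rows are visible up front."""
    items = []
    for a in prioritize(advisories):
        label = a.cve or a.description
        action = "patch + vendor mitigation" if a.extra_mitigation else "patch"
        items.append((label, action))
    return items


# Rows transcribed from the post's table; the last row is constructed to
# illustrate an item that falls below the cut.
ADVISORIES = [
    Advisory("CVE-2022-26925", "Windows LSA Spoofing", "Exploitation Detected", "Important", extra_mitigation=True),
    Advisory("", "Active Directory Domain Services Elevation of Privilege", "Exploitation More Likely", "Critical"),
    Advisory("", "Windows ALPC Elevation of Privilege", "Exploitation More Likely", "Important"),
    Advisory("", "Windows Kernel Elevation of Privilege", "Exploitation More Likely", "Important"),
    Advisory("", "Windows Print Spooler Elevation of Privilege", "Exploitation More Likely", "Important"),
    Advisory("", "Microsoft SharePoint Server Remote Code Execution", "Exploitation More Likely", "Important"),
    Advisory("", "Windows Print Spooler Elevation of Privilege", "Exploitation More Likely", "Important"),
    Advisory("", "Remote Desktop Client Remote Code Execution", "Exploitation More Likely", "Critical"),
    Advisory("", "Windows Network File System Remote Code Execution", "Exploitation More Likely", "Critical"),
    Advisory("", "Point-to-Point Tunneling Protocol Remote Code Execution", "Exploitation More Likely", "Critical"),
    Advisory("CVE-2022-29972", "Insight Software: Magnitude Simba Amazon Redshift ODBC Driver", "Exploitation More Likely", "Critical"),
    Advisory("", "Windows Kerberos Elevation of Privilege", "Exploitation More Likely", "Critical"),
    Advisory("", "Windows Network File System Remote Code Execution", "Exploitation Less Likely", "Critical"),
    Advisory("", "Point-to-Point Tunneling Protocol Remote Code Execution", "Exploitation Less Likely", "Critical"),
    Advisory("", "Constructed example: low-risk component", "Exploitation Unlikely", "Moderate"),
]

if __name__ == "__main__":
    for label, action in work_items(ADVISORIES):
        print(f"{action:26} {label}")
```

Feeding the script a real export from the Security Update Guide is a matter of building `Advisory` records from the CSV columns; the point is that the ordering key puts exploitation status ahead of severity, and that items needing extra mitigation are tagged rather than buried in a sorted list.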
Cumulative Updates
May marks the second cumulative update available for Windows 11 with KB5013943. This CU provides fixes for screen flickering and for certain apps that use the older .NET Framework 3.5 not running. However, it appears that this CU has introduced new complications, preventing other .NET Framework 3.5 applications from running and causing other applications to crash on certain GPUs. These complications may warrant more robust testing and caution before applying it to production environments.
KB5013942 and KB5013945 were also released. Some complications similar to KB5013943’s are also seen in these CUs, along with some additional issues such as Snip & Sketch app failures. While none of these complications should be hard stops against applying these CUs, due care and testing are warranted before applying them to production.
Known Complications of Note
Aside from the previously mentioned CU issues and the need to apply additional mitigations in response to CVE-2022-26925, this month’s Patch Tuesday brings complications for Windows AD servers. When installed on domain controllers, the May 10 updates are causing Active Directory authentication failures. Since this only affects domain controllers, it should not influence the decision making on installing the updates to non-DC servers or workstations.
The Patch Tuesday Megathread
On occasion I get asked where I discover all this information that is included in these Patch Tuesday blogs. One source is directly from Microsoft themselves through the Security Update Guide. Another is the Patch Tuesday Megathread on Reddit. It is a great place to get immediate feedback about complications or surprises presented by Patch Tuesday from a community of your peers instead of vendors. There are a few brave souls in those threads who push out updates to thousands of endpoints as soon as they are released and share the lessons they learn with the community. If there are any major issues arising because of Patch Tuesday, you’ll likely hear it there first.
Summary
This Patch Tuesday has illustrated how quickly things can get a lot more complicated when patches don’t provide full mitigation for a vulnerability, requiring additional mitigations and resources. Even though patch management solutions make the job easier, every once in a while the team responsible for patching may need additional resources to contend with months like this.
As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.