
May 2022 Patch Tuesday: Windows LSA Spoofing Illustrates Why Patching Is Sometimes Not Enough

Don’t let big celebrity vulnerabilities suck all the oxygen out of the room. When news about CVE-2022-1388, with a 9.8 severity and affecting F5’s BIG-IP appliances, started making the rounds, I had a lot of SMBs asking if they should be worried. Considering these appliances can cost hundreds of thousands of dollars, it’s safe to assume that most small and medium businesses won’t be affected, but the question they were asking needed an answer, not an assumption.

This is why knowing your estate and being subscribed to alerts from your software and hardware vendors is so important. A team that’s using resources figuring out the implications of a vulnerability for a system they aren’t even using just isn’t efficient. There’s a reason why hardware and software asset-tracking are usually the first controls called for in security frameworks. You can’t defend what you don’t know about.

While CVE-2022-1388 is a significant vulnerability, most teams’ attention needs to be on remediating vulnerabilities like CVE-2022-26925, a Windows LSA Spoofing vulnerability that is already seeing active exploitation. It targets an NTLM relay attack vector and potentially affects all misconfigured Windows servers. Microsoft is providing additional mitigation instructions for this vulnerability because the configuration that allows exploitation is the default for Windows servers with specific roles enabled. If you manage Windows servers, be sure to read Microsoft’s info on applying mitigations.

This Patch Tuesday is a reminder that sometimes just applying a patch isn’t enough. Sometimes it takes extra measures like updating firmware, rebuilding configurations, or applying other mitigations. Proper patch management is an important part of your vulnerability remediation and mitigation, but it’s not the only part.

Microsoft Patch Tuesday Vulnerability Prioritization

With a total of 75 vulnerabilities being addressed and one zero-day under active exploitation, there aren’t a lot of individual vulnerabilities that are going to require much attention. Approving CUs and Critical and Important severity patches will get through the bulk. There are of course those that will require a little more effort from your patching team, since they have additional mitigations advised by Microsoft that will take extra labor to implement this month.

It is important to not just prioritize vulnerabilities based on their severity but also their exploitation likelihood. Vulnerabilities marked as Exploitation More Likely are as important, and some may say even more important, to address quickly due to their increased likelihood of causing actual impact to an environment. These CVEs from Microsoft should be top of the list, as they are all marked as Exploitation More Likely, Exploitation Detected, or Critical.

| CVE | Description | Exploitability | Severity |
|---|---|---|---|
| CVE-2022-26925 | Windows LSA Spoofing | Exploitation Detected | Important |
| CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege | Exploitation More Likely | Critical |
| CVE-2022-23279 | Windows ALPC Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-29142 | Windows Kernel Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-29132 | Windows Print Spooler Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-29108 | Microsoft SharePoint Server Remote Code Execution | Exploitation More Likely | Important |
| CVE-2022-29104 | Windows Print Spooler Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-22017 | Remote Desktop Client Remote Code Execution | Exploitation More Likely | Critical |
| CVE-2022-26937 | Windows Network File System Remote Code Execution | Exploitation More Likely | Critical |
| CVE-2022-23270 | Point-to-Point Tunneling Protocol Remote Code Execution | Exploitation More Likely | Critical |
| CVE-2022-29972 | Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver | Exploitation More Likely | Critical |
| CVE-2022-26931 | Windows Kerberos Elevation of Privilege | Exploitation More Likely | Critical |
| CVE-2022-26937 | Windows Network File System Remote Code Execution | Exploitation Less Likely | Critical |
| CVE-2022-21972 | Point-to-Point Tunneling Protocol RCE | Exploitation Less Likely | Critical |
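The ordering rule the text argues for (exploitability first, then severity) is easy to get wrong when a team sorts its patch queue by severity alone. The script below is an added example written for this post, not N-able's or Microsoft's code: it ranks a constructed subset of the rows above, puts the Exploitation Detected CVE ahead of Critical ones, and keeps the more urgent rating when a CVE is listed twice. The tier boundaries are this example's own assumption.

```python
from dataclasses import dataclass

EXPLOITABILITY_RANK = {"Exploitation Detected": 3, "Exploitation More Likely": 2,
                       "Exploitation Less Likely": 1, "Exploitation Unlikely": 0}
SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


@dataclass(frozen=True)
class Cve:
    cve_id: str
    description: str
    exploitability: str
    severity: str

    def priority(self) -> tuple:
        # Exploitability outranks severity: an Important bug under active exploitation
        # sorts above a Critical one rated Exploitation Less Likely.
        return (EXPLOITABILITY_RANK.get(self.exploitability, 0),
                SEVERITY_RANK.get(self.severity, 0))

    def tier(self) -> int:
        # Assumed tiers: 1 = exploited in the wild, 2 = More Likely or Critical, 3 = the rest.
        if self.exploitability == "Exploitation Detected":
            return 1
        if self.exploitability == "Exploitation More Likely" or self.severity == "Critical":
            return 2
        return 3


def dedupe(cves):
    # A CVE listed twice with different ratings keeps the more urgent rating.
    best = {}
    for c in cves:
        if c.cve_id not in best or c.priority() > best[c.cve_id].priority():
            best[c.cve_id] = c
    return list(best.values())


def prioritize(rows):
    cves = dedupe(Cve(*r) for r in rows)
    # Highest priority first; ties broken by CVE id so the order is stable.
    return sorted(cves, key=lambda c: (-c.priority()[0], -c.priority()[1], c.cve_id))


# Constructed sample: a subset of the rows from the table above.
SAMPLE_ROWS = [
    ("CVE-2022-26925", "Windows LSA Spoofing", "Exploitation Detected", "Important"),
    ("CVE-2022-26923", "Active Directory Domain Services Elevation of Privilege", "Exploitation More Likely", "Critical"),
    ("CVE-2022-23279", "Windows ALPC Elevation of Privilege", "Exploitation More Likely", "Important"),
    ("CVE-2022-26937", "Windows Network File System Remote Code Execution", "Exploitation More Likely", "Critical"),
    ("CVE-2022-21972", "Point-to-Point Tunneling Protocol RCE", "Exploitation Less Likely", "Critical"),
    ("CVE-2022-26937", "Windows Network File System Remote Code Execution", "Exploitation Less Likely", "Critical"),
]

if __name__ == "__main__":
    for c in prioritize(SAMPLE_ROWS):
        print(f"tier {c.tier()}  {c.cve_id}  {c.exploitability} / {c.severity}  {c.description}")
```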


Cumulative Updates

May marks the second cumulative update available for Windows 11 with KB5013943. This CU provides fixes for screen flickering and a fix for certain apps using the older .NET Framework 3.5 not running. However, it appears that this CU has introduced new complications, preventing other .NET Framework 3.5 applications from running and causing other applications to crash on certain GPUs. These complications may warrant more robust testing and caution before applying to production environments.

KB5013942 and KB5013945 were also released. Some complications similar to KB5013943’s are also seen in these CUs, along with some additional issues such as Snip and Sketch app failures. While none of these complications should be hard stops against applying these CUs, due care and testing are warranted before applying to production.

Known Complications of Note

Aside from the previously mentioned CU issues and the need to apply additional mitigations in response to CVE-2022-26925, this month’s Patch Tuesday brings complications for Windows AD servers. When installed on domain controllers, the May 10 updates are causing Active Directory authentication failures. Since this only affects domain controllers, it should not influence the decision making on installing the updates to non-DC servers or workstations.


The Patch Tuesday Megathread

On occasion I get asked where I discover all this information that is included in these Patch Tuesday blogs. One source is directly from Microsoft themselves through the Security Update Guide. Another is the Patch Tuesday Megathread on Reddit. It is a great place to get immediate feedback about complications or surprises presented by Patch Tuesday from a community of your peers instead of vendors. There are a few brave souls in those threads who push out updates to thousands of endpoints as soon as they are released and share the lessons they learn with the community. If there are any major issues arising because of Patch Tuesday, you’ll likely hear it there first.

Summary

This Patch Tuesday has illustrated how quickly things can get a lot more complicated when patches don’t provide full mitigation for a vulnerability, requiring additional mitigations and resources. Even though patch management solutions make the job easier, every once in a while the team responsible for patching may need a few additional resources to contend with months like this.

As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your patch management routines.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
