March 2022 Patch Tuesday: Time to cover the basics

Patch Tuesday for March of 2022 arrives during a shifting landscape of geopolitical machinations that have cybersecurity defenders on edge. Microsoft issued 71 security fixes this month with CVE-2022-24508 and CVE-2022-23277 being worthy of making it to the top of your priority lists, but you shouldn’t stop there. Now is a great time to audit environments to make sure you don’t have unpatched or unsupported appliances or software still in production.
C-suites and other decision makers might have a newfound interest in pushing for cybersecurity improvements; be mindful not to let this new pressure compel cramming months of security and infrastructure improvements into a few days. A sound foundation of the basics to build on first (MFA, an endpoint detection and response solution on all workstations and servers, and robust patch management) can significantly improve the defensive capabilities of an environment in a more timely manner.
Microsoft Vulnerabilities
March offers another month of relatively tame security fixes from Microsoft—71 in total, with 3 zero-days and 10 marked as “Exploitation More Likely”. Even though none of these are marked as “Exploitation Detected”, don’t rest on your laurels. Use this opportunity to play catch-up on any outstanding patches, upgrades, or firmware updates across your estate. Most current malicious threat actor campaigns aren’t using unknown vulnerabilities; they are using tried and true methods against vulnerabilities that have had updates, fixes, or mitigation workarounds available for months or years.
As mentioned above, CVE-2022-24508 and CVE-2022-23277 are the two vulnerabilities of note for this month. CVE-2022-24508 affects Windows SMBv3, so exposure is potentially wide-ranging for anyone supporting a PC environment. It is also marked as “Exploitation More Likely”, and a proof of concept for attacks already exists. CVE-2022-23277 is an RCE affecting Microsoft Exchange Server 2013, 2016, and 2019. With Exchange being a favorite target over the past year and SMBv3 being so pervasive, there is a good chance these will be the first of this month’s vulnerabilities to see successful attacks in the wild.
Vulnerability Prioritization
It is important to prioritize vulnerabilities not just by their severity but also by their exploitation likelihood. Vulnerabilities marked as “Exploitation More Likely” are as important, and some may say even more important, to address quickly because of their increased likelihood of causing actual impact to an environment. The following CVEs from Microsoft should be at the top of the list, as each is marked “Exploitation More Likely”, “Exploitation Detected”, or “Critical”.
CVE | Description | Exploitability | Severity
CVE-2022-23277 | Microsoft Exchange Server RCE | Exploitation More Likely | Critical
 | HEVC Video Extensions RCE | Exploitation Less Likely | Critical
 | VP9 Video Extensions RCE | Exploitation Less Likely | Critical
CVE-2022-24508 | Windows SMBv3 Client/Server RCE | Exploitation More Likely | Important
 | Windows Cloud Files Mini Filter Driver Elevation of Privilege | Exploitation More Likely | Important
 | Remote Desktop Client Remote Code Execution Vulnerability | Exploitation More Likely | Important
 | Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Exploitation More Likely | Important
 | Windows Ancillary Function Driver for WinSock Elevation of Privilege | Exploitation More Likely | Important
 | Windows HTML Platforms Security Feature Bypass | Exploitation More Likely | Important
 | Windows PDEV Elevation of Privilege | Exploitation More Likely | Important
 | Windows Event Tracing RCE | Exploitation More Likely | Important
 | Remote Desktop Client RCE | Exploitation More Likely | Important
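The ordering rule described in this section (exploitation likelihood first, then severity, with zero-days and anything already being exploited at the very top) is easy to apply mechanically to a patch list. The script below is an added example, not code from the article or from N-able: it parses pipe-delimited rows in the same shape as the table above and sorts them by that rule. The sample records are constructed from the table; only the two CVE IDs the article names are real, the rest are obvious placeholders, and the public_poc flag on the SMBv3 entry reflects the article's note that a proof of concept exists.

```python
"""Patch triage in the order this article recommends: likelihood of
exploitation first, then Microsoft's severity rating.  Added example;
the advisory records below are constructed, and CVE IDs the article
does not give are placeholders."""
from dataclasses import dataclass, replace

# Lower rank sorts earlier.  The exploitability strings are the ones
# Microsoft uses in its Exploitability Index; unknown values fall to the back.
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 0,
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    exploitability: str
    severity: str
    zero_day: bool = False     # disclosed or exploited before the fix shipped
    public_poc: bool = False   # a working proof of concept is circulating


def parse_table(text: str) -> list:
    """Parse rows of 'CVE | Description | Exploitability | Severity'.
    The header row and any line with fewer than four cells are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 4 or cells[0].upper() == "CVE":
            continue
        rows.append(Advisory(cells[0], cells[1], cells[2], cells[3]))
    return rows


def triage_key(a: Advisory) -> tuple:
    """Sort key: anything already exploited (or a zero-day) outranks all else;
    then exploitability; then severity; a public PoC breaks ties; the CVE ID
    keeps the order deterministic."""
    exploited = a.zero_day or a.exploitability == "Exploitation Detected"
    return (
        0 if exploited else 1,
        EXPLOITABILITY_RANK.get(a.exploitability, 9),
        SEVERITY_RANK.get(a.severity, 9),
        0 if a.public_poc else 1,
        a.cve,
    )


def prioritize(advisories: list) -> list:
    return sorted(advisories, key=triage_key)


def top_of_list(advisories: list) -> list:
    """The article's cut: zero-days, 'Exploitation Detected',
    'Exploitation More Likely' or 'Critical' all belong in the first wave."""
    return [
        a for a in prioritize(advisories)
        if a.zero_day
        or a.exploitability in ("Exploitation Detected", "Exploitation More Likely")
        or a.severity == "Critical"
    ]


# Constructed sample.  Two rows carry the CVE IDs the article names; the rest
# use placeholder IDs because the article's table does not list them.
SAMPLE_TABLE = """\
CVE | Description | Exploitability | Severity
CVE-2022-23277 | Microsoft Exchange Server RCE | Exploitation More Likely | Critical
CVE-PLACEHOLDER-1 | HEVC Video Extensions RCE | Exploitation Less Likely | Critical
CVE-2022-24508 | Windows SMBv3 Client/Server RCE | Exploitation More Likely | Important
CVE-PLACEHOLDER-2 | Remote Desktop Client RCE | Exploitation More Likely | Important
CVE-PLACEHOLDER-3 | Example Moderate Bug | Exploitation Unlikely | Moderate
"""


def sample_advisories() -> list:
    rows = parse_table(SAMPLE_TABLE)
    # The article notes a public PoC for the SMBv3 bug; flag it here.
    return [replace(a, public_poc=True) if a.cve == "CVE-2022-24508" else a
            for a in rows]


if __name__ == "__main__":
    for a in prioritize(sample_advisories()):
        print(f"{a.cve:20} {a.exploitability:27} {a.severity:10} {a.title}")
```

Severity is deliberately placed after exploitability in the key, which is what puts the Important-rated SMBv3 bug ahead of the Critical-rated HEVC bug: the article's point is that a likely-to-be-exploited Important fix deserves a slot above an unlikely-to-be-exploited Critical one. Feed the parser an export of your own advisory list in the same four-column shape and the same ordering applies.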
Cumulative Updates
KB5011487 (OS Builds 19042.1586, 19043.1586, and 19044.1586) and KB5011485 (OS Build 18363.2158) have an assortment of bug fixes for Microsoft Edge Internet Explorer mode and a Windows reset bug that did not delete all OneDrive data when a computer was reset with the “Remove Everything” option.
Summary
Make sure that if you’re feeling pressure from stakeholders to react to global concerns, you’re addressing security basics and following the NIST Cybersecurity Framework, CIS 18 Controls, or another collection of recognized security controls. Also keep things in perspective. Spending days of labor and capex to put an expensive lock on an attic window doesn’t do you any good if your front door is always open. Make sure the basics are being covered.
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only applied patches based on their severity, consider adding prioritization of zero-day, “Exploitation Detected”, and “Exploitation More Likely” vulnerabilities to your patch management routines.
Lewis Pope is the head security nerd at N‑able. You can follow him on:
Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.