
March 2022 Patch Tuesday: Time to cover the basics

Patch Tuesday for March of 2022 arrives during a shifting landscape of geopolitical machinations that have cybersecurity defenders on edge. Microsoft issued 71 security fixes this month with CVE-2022-24508 and CVE-2022-23277 being worthy of making it to the top of your priority lists, but you shouldn’t stop there. Now is a great time to audit environments to make sure you don’t have unpatched or unsupported appliances or software still in production.

C-suites and other decision makers might have a newfound interest in pushing for cybersecurity improvements; be mindful not to let this new pressure compel cramming months of security and infrastructure improvements into a few days. A sound foundation of the basics to build on first (MFA, an endpoint detection and response solution on all workstations and servers, and robust patch management) can significantly improve defensive capabilities of environments in a timelier manner.

Microsoft Vulnerabilities

March offers another month of relatively tame security fixes from Microsoft—71 in total, with 3 zero-days and 10 marked as “Exploitation More Likely”. Even though none of these are marked as “Exploitation Detected”, don’t rest on your laurels. Use this opportunity to play catch-up on any outstanding patches, upgrades, or firmware updates across your estate. Most current malicious threat actor campaigns aren’t using unknown vulnerabilities; they are using tried and true methods against vulnerabilities that have had updates, fixes, or mitigation workarounds available for months or years.

As mentioned above, CVE-2022-24508 and CVE-2022-23277 are the two vulnerabilities of note for this month. CVE-2022-24508 affects Windows SMBv3, so exposure is potentially wide-ranging for anyone supporting a PC environment; it is also marked as “Exploitation More Likely”, and a proof of concept for attacks already exists. CVE-2022-23277 is an RCE affecting Microsoft Exchange Server 2013, 2016, and 2019. With Exchange being a favorite target over the past year and SMBv3 being so pervasive, there is a good chance these will be the first of this month’s vulnerabilities to see successful attacks in the wild.


Vulnerability Prioritization

It is important to prioritize vulnerabilities not just by their severity but also by their exploitation likelihood. Vulnerabilities marked as “Exploitation More Likely” are as important, and some may say even more important, to address quickly because they are more likely to cause actual impact to an environment. The CVEs from Microsoft listed below should be at the top of the list, as each is marked “Exploitation More Likely”, “Exploitation Detected”, or “Critical”.

| CVE | Description | Exploitability | Severity |
|---|---|---|---|
| CVE-2022-23277 | Microsoft Exchange Server RCE | Exploitation More Likely | Critical |
| CVE-2022-22006 | HEVC Video Extensions RCE | Exploitation Less Likely | Critical |
| CVE-2022-24501 | VP9 Video Extensions RCE | Exploitation Less Likely | Critical |
| CVE-2022-24508 | Windows SMBv3 Client/Server RCE | Exploitation More Likely | Important |
| CVE-2022-23286 | Windows Cloud Files Mini Filter Driver Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-23285 | Remote Desktop Client Remote Code Execution Vulnerability | Exploitation More Likely | Important |
| CVE-2022-23253 | Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Exploitation More Likely | Important |
| CVE-2022-24507 | Windows Ancillary Function Driver for WinSock Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-24502 | Windows HTML Platforms Security Feature Bypass | Exploitation More Likely | Important |
| CVE-2022-23299 | Windows PDEV Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-23294 | Windows Event Tracing RCE | Exploitation More Likely | Important |
| CVE-2022-21990 | Remote Desktop Client RCE | Exploitation More Likely | Important |
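The ordering rule this section (and the Summary below) recommends, exploitability first and severity second, is easy to make mechanical so it survives a rushed patch cycle. The following is an added example, not N‑able's or Microsoft's tooling: it parses the table above from a constructed pipe-delimited string, sorts the release by an assumed rank order (analyst-pinned CVEs, then zero-days, then exploitability tier, then severity), and buckets the result into reporting tiers whose thresholds are also this example's assumption. The `zero_day` flag is left unset because the post counts three zero-days without naming them.

```python
"""Order a Patch Tuesday release by exploitability before severity.

Added example for this post, not N-able's or Microsoft's own tooling. The
rank tables, the pinning rule and the reporting tiers are assumptions chosen
to match the post's argument that "Exploitation Detected" / "More Likely"
outrank raw severity.
"""
from dataclasses import dataclass

# Lower value = patch sooner. Labels not in the table fall to the end.
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 0,
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Vuln:
    cve: str
    description: str
    exploitability: str
    severity: str
    zero_day: bool = False  # the post counts 3 zero-days but does not name them


def parse_table(text):
    """Read a pipe-delimited CVE table; header and ---- separator rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "CVE" or set(cells[0]) <= {"-"}:
            continue
        rows.append(Vuln(*cells))
    return rows


def priority_key(v, pinned=frozenset()):
    """Sort key: analyst-pinned CVEs, then zero-days, exploitability, severity, id."""
    e = EXPLOITABILITY_RANK.get(v.exploitability, len(EXPLOITABILITY_RANK))
    s = SEVERITY_RANK.get(v.severity, len(SEVERITY_RANK))
    return (0 if v.cve in pinned else 1, 0 if v.zero_day else 1, e, s, v.cve)


def prioritize(vulns, pinned=frozenset()):
    """Return the release ordered from most to least urgent."""
    return sorted(vulns, key=lambda v: priority_key(v, pinned))


def tier(v):
    """Reporting bucket; the thresholds are this example's assumption."""
    e = EXPLOITABILITY_RANK.get(v.exploitability, len(EXPLOITABILITY_RANK))
    if v.zero_day or e == 0:
        return "patch now"
    if e == 1 or v.severity == "Critical":
        return "this cycle"
    return "routine"


def triage_report(vulns):
    """Group CVE ids by tier, each group already in priority order."""
    report = {"patch now": [], "this cycle": [], "routine": []}
    for v in prioritize(vulns):
        report[tier(v)].append(v.cve)
    return report


# Constructed input: the twelve rows from the table in this post.
TABLE_TEXT = """
| CVE | Description | Exploitability | Severity |
|---|---|---|---|
| CVE-2022-23277 | Microsoft Exchange Server RCE | Exploitation More Likely | Critical |
| CVE-2022-22006 | HEVC Video Extensions RCE | Exploitation Less Likely | Critical |
| CVE-2022-24501 | VP9 Video Extensions RCE | Exploitation Less Likely | Critical |
| CVE-2022-24508 | Windows SMBv3 Client/Server RCE | Exploitation More Likely | Important |
| CVE-2022-23286 | Windows Cloud Files Mini Filter Driver Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-23285 | Remote Desktop Client Remote Code Execution Vulnerability | Exploitation More Likely | Important |
| CVE-2022-23253 | Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Exploitation More Likely | Important |
| CVE-2022-24507 | Windows Ancillary Function Driver for WinSock Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-24502 | Windows HTML Platforms Security Feature Bypass | Exploitation More Likely | Important |
| CVE-2022-23299 | Windows PDEV Elevation of Privilege | Exploitation More Likely | Important |
| CVE-2022-23294 | Windows Event Tracing RCE | Exploitation More Likely | Important |
| CVE-2022-21990 | Remote Desktop Client RCE | Exploitation More Likely | Important |
"""
MARCH_2022 = parse_table(TABLE_TEXT)

if __name__ == "__main__":
    # The two CVEs the post singles out are pinned to the front of the queue.
    for v in prioritize(MARCH_2022, pinned={"CVE-2022-24508", "CVE-2022-23277"}):
        print(f"{tier(v):10} {v.cve}  {v.severity:9} {v.exploitability:26} {v.description}")
```

Pinning is deliberately a separate input rather than a heuristic: the judgement that SMBv3 exposure and a public proof of concept move CVE-2022-24508 ahead of other “Important” items is the analyst's, and the script records it explicitly instead of hiding it in the sort. Without pinning, ties within a tier fall back to CVE id so that two runs over the same release always produce the same queue.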

Cumulative Updates

KB5011487 (OS Builds 19042.1586, 19043.1586, and 19044.1586) and KB5011485 (OS Build 18363.2158) carry an assortment of bug fixes for Microsoft Edge Internet Explorer mode and for a Windows reset bug that did not delete all OneDrive data when a computer was reset with the “Remove Everything” option.


Summary

If you’re feeling pressure from stakeholders to react to global concerns, make sure you’re addressing security basics and following the NIST Cybersecurity Framework, CIS 18 Controls, or another collection of recognized security controls. Also keep things in perspective: spending days of labor and capex to put an expensive lock on an attic window doesn’t do you any good if your front door is always open. Make sure the basics are being covered.

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only applied patches based on their severity, consider adding prioritization of patches for zero-days, “Exploitation Detected”, and “Exploitation More Likely” vulnerabilities to your patch management routines.

Lewis Pope is the head security nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
