The Microsoft May 2022 Security Updates include patches and advisories for 73 vulnerabilities: seven rated Critical, plus one zero-day flaw.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products, features and roles:
- .NET and Visual Studio
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Windows ALPC
- Remote Desktop Client
- Role: Windows Fax Service
- Role: Windows Hyper-V
- Self-hosted Integration Runtime
- Tablet Windows User Interface
- Visual Studio
- Visual Studio Code
- Windows Active Directory
- Windows Address Book
- Windows Authentication Methods
- Windows BitLocker
- Windows Cluster Shared Volume (CSV)
- Windows Failover Cluster Automation Server
- Windows Kerberos
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Media
- Windows Network File System
- Windows NTFS
- Windows Point-to-Point Tunneling Protocol
- Windows Print Spooler Components
- Windows Push Notifications
- Windows Remote Access Connection Manager
- Windows Remote Desktop
- Windows Remote Procedure Call Runtime
- Windows Server Service
- Windows Storage Spaces Controller
- Windows WLAN Auto Config Service
Microsoft addressed one zero-day, the Windows LSA Spoofing Vulnerability CVE-2022-26925.
“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it,” Microsoft warned in the advisory.
Although this issue was not rated Critical, Microsoft confirmed that “exploitation was detected.”
Moreover, Threatpost wrote in a blog post that when CVE-2022-26925 is chained with a New Technology LAN Manager (NTLM) relay attack, the CVSS score for the attack chain rises to 9.8. The analysis was provided by Allan Liska, a senior security architect at Recorded Future, in an e-mail to Threatpost.
Microsoft also addressed five Critical remote code execution (RCE) vulnerabilities.
One of the patched RCEs is a Magnitude Simba Amazon Redshift ODBC Driver vulnerability, CVE-2022-29972, which affects Azure Data Factory and Azure Synapse Pipelines.
“The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory. The vulnerability could have allowed an attacker to execute remote commands across Integration Runtimes,” Microsoft wrote in a security advisory ADV220001 and blog post.
The other four Critical RCEs are:
- CVE-2022-21972: Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-22017: Remote Desktop Client Remote Code Execution Vulnerability (CVSS 8.8)
- CVE-2022-23270: Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-26937: Windows Network File System Remote Code Execution Vulnerability (CVSS 9.8)
Microsoft also warned that “exploitation is more likely” for CVE-2022-22017, CVE-2022-23270, and CVE-2022-26937.
Microsoft also said the highest-rated RCE by CVSS score, CVE-2022-26937, “could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).”
In addition to the Critical RCEs, Microsoft also addressed two Critical Elevation of Privilege (EoP) vulnerabilities:
- CVE-2022-26923: Active Directory Domain Services Elevation of Privilege Vulnerability (CVSS 8.8)
- CVE-2022-26931: Windows Kerberos Elevation of Privilege Vulnerability (CVSS 7.5)
Microsoft's advisory also rates CVE-2022-26923 as “more likely” to be exploited and clarifies that “an authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.”
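As an added example (not code from the article or from Microsoft's advisory), the PowerShell below audits a domain for the precondition the advisory describes: computer accounts whose DNS host name disagrees with their account name, and the quota that lets ordinary users create computer accounts they own. It assumes, from public analysis of CVE-2022-26923 rather than from this page, that the attribute being manipulated is dNSHostName; it requires the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added audit script (example code, not Microsoft's advisory or the article's).
# Assumptions beyond what the page states: the computer-account attribute at issue
# in CVE-2022-26923 is dNSHostName, and ms-DS-MachineAccountQuota governs whether
# ordinary users may create computer accounts they then own.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot.ToLowerInvariant()

# 1. Can an ordinary authenticated user create computer accounts to manipulate?
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota (default 10); setting it to 0 removes one precondition."
}

# 2. Names that must never be impersonated: the domain controllers.
$dcHosts = (Get-ADDomainController -Filter *).HostName |
    ForEach-Object { $_.ToLowerInvariant() }

# 3. Computer accounts whose dNSHostName disagrees with <sAMAccountName without $>.<domain>.
$findings = foreach ($c in Get-ADComputer -Filter * -Properties dNSHostName, whenChanged) {
    if (-not $c.dNSHostName) { continue }
    $actual   = $c.dNSHostName.ToLowerInvariant()
    $expected = "$($c.SamAccountName.TrimEnd('$').ToLowerInvariant()).$dnsRoot"
    if ($actual -ne $expected) {
        [pscustomobject]@{
            Account        = $c.SamAccountName
            ExpectedDns    = $expected
            ActualDns      = $actual
            CollidesWithDC = ($dcHosts -contains $actual)   # the dangerous case
            LastChanged    = $c.whenChanged
        }
    }
}

# Most severe first: an account claiming a domain controller's DNS name.
$findings | Sort-Object -Property CollidesWithDC -Descending | Format-Table -AutoSize
```

Treat the output as review input rather than something to auto-remediate: a mismatch whose ActualDns equals a domain controller's host name is the case to investigate immediately, whereas benign mismatches occur in domains with a disjoint DNS namespace or multiple DNS suffixes.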
Beyond the Critical RCEs and EoPs and the zero-day, Microsoft's May 10, 2022 release patched the remaining 65 vulnerabilities across multiple products, rated “Important” or “Moderate.” Microsoft also addressed 36 Microsoft Edge (Chromium-based) vulnerabilities.