Patch Newsday May – NTLM relays, RDP again and the ongoing specter of Print Spooler
Security admins need to watch out for several vulnerabilities in this month’s Patch Tuesday, including one vulnerability that could allow attackers to gain high-level access to privileges.
Identity-based vulnerability CVE-2022-26925 is at the top of the list of priorities this month. Already actively exploited in the wild, this vulnerability allows attackers to authenticate as approved users as part of an NTLM relay attack, giving threat actors access to authentication hashes.
The advisory gives this a CVSS of 7.1, but the score jumps to a 9.8 when the vulnerability is used as part of an NTLM attack. While all servers are affected, domain controllers should be the priority. That’s because, once exploited, CVE-2022-26925 provides high-level access to privileges, often known as “the keys to the kingdom.”
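Relayed NTLM authentication leaves traces in the logon events the domain controller already records. The following is an added example, not code from the original article or its author: it parses constructed Windows Security event 4624 records (the field names follow the real 4624 schema; the `key=value|...` line format and the host inventory are constructed for the example) and applies two defender heuristics, NTLMv1 use and a mismatch between the workstation name claimed in the logon and the host that actually owns the source IP, which is a common indicator of credentials having passed through a relay.

```python
"""Flag NTLM network logons that look like relayed authentication.

Added example for illustration. Event field names follow Windows Security
event 4624; the flat 'key=value|key=value' line format and the IP-to-host
inventory below are constructed assumptions, not data from the article.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory: which hostname legitimately owns which IP (assumption).
HOST_BY_IP = {
    "10.0.0.21": "WS-FINANCE01",
    "10.0.0.22": "WS-HR02",
    "10.0.0.99": "ADMIN-JUMP",
}
# Hosts whose compromise is most damaging; matched on the short computer name.
DOMAIN_CONTROLLERS = {"DC01"}


@dataclass
class Finding:
    record_id: int
    severity: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value' pairs separated by '|' into a dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip()
    return fields


def analyse(events: List[str]) -> List[Finding]:
    """Return findings for NTLM network logons that match a relay heuristic."""
    findings: List[Finding] = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons are out of scope for NTLM relay
        if ev.get("LogonType") != "3":
            continue  # only network logons can be relayed
        rid = int(ev["RecordId"])
        short_name = ev.get("Computer", "").split(".")[0].upper()
        severity = "high" if short_name in DOMAIN_CONTROLLERS else "medium"

        # Heuristic 1: NTLMv1 is weak and should not appear on a modern network.
        if ev.get("LmPackageName", "").upper() == "NTLM V1":
            findings.append(Finding(rid, severity, "NTLMv1 network logon"))

        # Heuristic 2: the workstation name in the NTLM exchange names the
        # original client, but the packets arrive from a different host.
        src_ip = ev.get("IpAddress", "")
        claimed_ws = ev.get("WorkstationName", "").upper()
        known = HOST_BY_IP.get(src_ip)
        if known and claimed_ws and claimed_ws != known.upper():
            findings.append(Finding(
                rid, severity,
                f"workstation name {claimed_ws} does not match host {known} at {src_ip}"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "RecordId=1001|EventID=4624|Computer=DC01.corp.example|LogonType=3|AuthenticationPackageName=NTLM|LmPackageName=NTLM V2|TargetUserName=jdoe|WorkstationName=WS-FINANCE01|IpAddress=10.0.0.21",
    "RecordId=1002|EventID=4624|Computer=DC01.corp.example|LogonType=3|AuthenticationPackageName=NTLM|LmPackageName=NTLM V2|TargetUserName=DC01$|WorkstationName=DC01|IpAddress=10.0.0.99",
    "RecordId=1003|EventID=4624|Computer=FS01.corp.example|LogonType=3|AuthenticationPackageName=NTLM|LmPackageName=NTLM V1|TargetUserName=svc_backup|WorkstationName=WS-HR02|IpAddress=10.0.0.22",
    "RecordId=1004|EventID=4624|Computer=DC01.corp.example|LogonType=3|AuthenticationPackageName=Kerberos|LmPackageName=-|TargetUserName=asmith|WorkstationName=WS-HR02|IpAddress=10.0.0.22",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"record {f.record_id} [{f.severity}]: {f.reason}")
```

Record 1002 is the pattern worth alerting on: a domain controller's own machine account authenticating over NTLM from an address that belongs to another host. Record 1003 is flagged only for NTLMv1, and the Kerberos logon in 1004 is ignored.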
Focus on Remote Desktop Client
CVE-2022-22017, a Remote Code Execution vulnerability in Remote Desktop Client, also warrants prioritization. With more people than ever working remotely, enterprises need to put anything affecting RDP on the watch list – especially given its popularity with ransomware actors and access brokers.
A Trio of Vulnerabilities for Print Spooler
Print Spooler remains an Achilles' heel of enterprise infrastructure, with a trio of vulnerabilities this month: CVE-2022-29104, CVE-2022-29114 and CVE-2022-29132. An often-forgotten – but still default – component on all Windows devices, servers and desktops, Print Spooler remains an attractive target for attackers.
SharePoint Flaw Could Open Door to Wider Attacks
CVE-2022-29108, a remotely executable flaw in SharePoint, would likely be abused by an attacker seeking to move laterally throughout an organization. Requiring authenticated access to exploit, this flaw could be used by a threat actor to steal confidential information or inject documents with malicious code or macros that could be part of a wider attack chain.
LDAP Threats – Your Priorities Might Vary
With a headline score of 9.8, a set of 10 remote code execution vulnerabilities in LDAP appears particularly threatening. However, these have been marked by Microsoft as “exploitation less likely,” because they require a default configuration that’s unlikely to exist in most environments. That’s not to say there is no need to patch these – rather, consider this a reminder that context is important when prioritizing patches.
Potential for a Ransom Attempt
Marked by Microsoft as “exploitation more likely,” an RCE in Windows NFS – CVE-2022-26937 – also has the potential to be damaging. Vulnerabilities of this type could appeal to ransomware operators because they can lead to the kind of exposure of critical data that is often part of an attempted ransom attack. It is also important for security teams to note that the NFS role is not a default configuration on Windows devices.
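The LDAP and NFS sections above make the same point from two directions: a 9.8 headline score with "exploitation less likely" and a non-default role should rank below an actively exploited 7.1 on a domain controller. The following is an added example, not code from the original article or its author, showing one way to encode that reasoning. It records only what the article states about each CVE (headline CVSS where given, `None` where the article gives none; exploitation status; Microsoft's exploitability note; the component involved) and combines it with a constructed asset inventory. The ten LDAP CVEs are not enumerated in the article, so they appear as one labelled placeholder entry; the score weights and the host inventory are assumptions chosen for illustration.

```python
"""Context-aware patch prioritisation for the May 2022 CVEs named in the article.

Added example for illustration. Per-CVE facts are those stated in the article;
CVSS is None where the article gives no score. Weights, component keys and the
host inventory are assumptions, not vendor guidance.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, FrozenSet

# exploitability: "more_likely", "less_likely", or None when the article says nothing.


@dataclass(frozen=True)
class Vuln:
    cve: str
    component: str                     # matched against a host's installed components
    cvss: Optional[float]              # headline score, None where not stated
    exploited_in_wild: bool = False
    exploitability: Optional[str] = None
    high_impact_roles: FrozenSet[str] = frozenset()  # roles where compromise hurts most


@dataclass(frozen=True)
class Host:
    name: str
    roles: FrozenSet[str]
    components: FrozenSet[str]


# Facts as stated in the article. The LDAP set is a placeholder for ten CVEs
# the article does not list individually.
MAY_2022: List[Vuln] = [
    Vuln("CVE-2022-26925", "lsa", 7.1, exploited_in_wild=True,
         high_impact_roles=frozenset({"domain_controller"})),
    Vuln("CVE-2022-22017", "rdp_client", None),
    Vuln("CVE-2022-29104", "print_spooler", None),
    Vuln("CVE-2022-29114", "print_spooler", None),
    Vuln("CVE-2022-29132", "print_spooler", None),
    Vuln("CVE-2022-29108", "sharepoint", None),
    Vuln("LDAP RCE set (10 CVEs, placeholder)", "ldap", 9.8, exploitability="less_likely"),
    Vuln("CVE-2022-26937", "nfs_server", None, exploitability="more_likely"),
]

# Assumed weights: evidence of exploitation dominates; headline CVSS only breaks ties.
W_EXPLOITED = 50
W_EXPLOITABILITY = {"more_likely": 20, None: 10, "less_likely": 0}
W_HIGH_IMPACT_ROLE = 30


def score(v: Vuln, host: Host) -> Optional[int]:
    """Priority score for v on host, or None when the component is absent."""
    if v.component not in host.components:
        return None
    s = W_EXPLOITABILITY[v.exploitability]
    if v.exploited_in_wild:
        s += W_EXPLOITED
    if v.high_impact_roles & host.roles:
        s += W_HIGH_IMPACT_ROLE
    return s


def plan(hosts: List[Host], vulns: List[Vuln]) -> Dict[str, List[Tuple[str, int]]]:
    """Per host, applicable CVEs sorted by score (desc), then headline CVSS (desc)."""
    result: Dict[str, List[Tuple[str, int]]] = {}
    for h in hosts:
        scored = [(v, score(v, h)) for v in vulns]
        applicable = [(v, s) for v, s in scored if s is not None]
        applicable.sort(key=lambda vs: (vs[1], vs[0].cvss or 0.0), reverse=True)
        result[h.name] = [(v.cve, s) for v, s in applicable]
    return result


# Constructed inventory (assumption). LSA, Print Spooler and the RDP client are
# present everywhere; LDAP only on the DC; the NFS role only where installed.
HOSTS = [
    Host("DC01", frozenset({"domain_controller"}),
         frozenset({"lsa", "print_spooler", "rdp_client", "ldap"})),
    Host("FS01", frozenset({"file_server"}),
         frozenset({"lsa", "print_spooler", "rdp_client", "nfs_server"})),
    Host("WS-FINANCE01", frozenset({"workstation"}),
         frozenset({"lsa", "print_spooler", "rdp_client"})),
]

if __name__ == "__main__":
    for host, items in plan(HOSTS, MAY_2022).items():
        print(host)
        for cve, s in items:
            print(f"  {s:>3}  {cve}")
```

On the domain controller the 7.1 actively exploited LSA issue lands at the top and the 9.8 LDAP set at the bottom, while the NFS RCE appears only on the host that actually has the role installed.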
13 May 2022
Director of Cyber Threat Research,