Threat Research

Hyper-V and Active Directory Front and Center for May Patch Tuesday

Organizations should look at last month’s and this month’s bulletins and put their Hyper-V and Active Directory servers and infrastructure at the top of the priority list.

The May 2022 Patch Tuesday release is moderate in volume but relatively light in severity. Microsoft patches 74 vulnerabilities this month. The vast majority of those are rated Important, and 60 of the 74 bugs affect Windows.

Interestingly, two of the critical vulnerabilities this month are elevation of privilege issues related to Active Directory and Kerberos. Given the potential for vulnerabilities like this to be exploited as part of lateral movement attacks in network attacks, these should be treated with priority—along with the six other critical bugs, which fall into the more typical combination of critical severity with remote code execution impact.  

By the Numbers 

    • Total new Microsoft CVEs: 74
    • Publicly disclosed: 3
    • Publicly exploited: 1
    • Exploitation more likely: 11 (both older and newer)
    • Severity:
      • Critical: 7
      • Important: 66
      • Low: 1
    • Impact
      • Remote code execution: 25
      • Elevation of privilege: 21
      • Information disclosure: 17
      • Denial of service: 6
      • Security feature bypass: 4
      • Spoofing: 1

 

    • Products
      • Microsoft Windows: 62
      • Visual Studio and .NET: 6
      • Microsoft Office: 3
      • Microsoft Exchange: 1
      • Self-Hosted Integrated Runtime: 1
      • SharePoint: 1

Notable Vulnerabilities 

Windows Hyper-V Denial of Service Vulnerability 

This vulnerability, CVE-2022-22713, is notable as it’s listed as “Publicly Disclosed but not Exploited” at time of release. It’s also listed as “Exploitation Less Likely.” It’s one of three vulnerabilities this month related to Hyper-V. All three Hyper-V vulnerabilities are rated Important. The other two are an elevation of privilege (EoP) and a security feature bypass. 

CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability and CVE-2022-26931 Windows Kerberos Elevation of Privilege Vulnerability 

These two vulnerabilities are notable as EoP vulnerabilities rated “Critical.” The Active Directory vulnerability, CVE-2022-26923, is also notable as one of the “Exploitation More Likely” vulnerabilities this month. While these are EoP rather than remove code execution (RCE) vulnerabilities, they’re definitely worth prioritizing because of the risks that these could be used as part of a network attack to gain control of the Active Directory environment and create high-privilege accounts that can be used to maintain persistence, engage in lateral movement and launch additional attacks on the network. 

LDAP Remote Code Execution Vulnerabilities 

These vulnerabilities are notable as RCE vulnerabilities affecting LDAP, which is a part of the Active Directory infrastructure. This month sees a total of 10 LDAP RCEs all rated as important. None of these are publicly disclosed or exploited and are marked “Exploitation Less Likely.”  It’s also worth noting these vulnerabilities in conjunction with the previously mentioned Active Directory and Kerberos vulnerabilities. It’s also worth remembering last month’s clutch of LDAP, Active Directory, and DNS vulnerabilities. 

Taken altogether, these past two months’ patch releases indicate that organizations should take special care to test and prioritize patches for their Active Directory servers and infrastructure. 

Sophos protection  

Vulnerability 

Sophos Intercept X / Endpoint IPS

Sophos XGS Firewall

CVE-2022-26925

AV: ATK/PetitP-A 

 

CVE-2022-29104 

AV: Exp/2229104-A 

 

CVE-2022-23270

IPS: 2307166

IPS: 2307166

CVE-2022-26937

IPS: 2307169, 2307170

IPS: 2307169, 2307170

 

As you can do every month, if you don’t want to wait for your system to pull down the updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your particular system’s architecture and build number.