Microsoft closes Windows LSA hole under active attack

Plus many more flaws. And Adobe, Android, SAP join the bug-squashing frenzy


Microsoft patched 74 security flaws in its May Patch Tuesday batch of updates. That's seven critical bugs, 66 deemed important, and one ranked low severity.

At least one of the vulnerabilities is under active attack and publicly disclosed, according to Redmond, while two others are listed as publicly disclosed but not yet seen exploited.

After April's astonishing 100-plus vulnerabilities, May's patching event seems tame by comparison. However, "this month makes up for it in severity and infrastructure headaches," Chris Hass, director of security at Automox, told The Register. "The big news is the critical vulnerabilities that need to be highlighted for immediate action."

The bug that's being exploited in the wild is a Windows LSA (Local Security Authority) spoofing vulnerability tracked as CVE-2022-26925. According to Microsoft, an unauthenticated attacker could "coerce the domain controller to authenticate to the attacker using NTLM." 

Miscreants could pull this off via a man-in-the-middle attack, in which they inject themselves into the logical network path between the target and the resource requested. While the software giant classified the attack complexity as "high," it also noted that the vuln is under active attack. So "someone must have figured out how to make that happen," wrote Trend Micro's Dustin Childs on the Zero Day Initiative blog. The security hole was reported to Microsoft by, we're told, Raphael John of the Bertelsmann Printing Group.

Additionally, while the bug on its own received an 8.3 CVSS severity score, if chained with last year's NTLM relay attacks the combined CVSS score would be 9.8, according to Microsoft. In addition to applying the patch, Redmond advises reviewing the KB5005413 support document, its guidance on mitigating NTLM relay attacks against Active Directory Certificate Services, for more information about protecting networks. And if it wasn't already clear, prioritize patching CVE-2022-26925 now.

Finally, we're told the patch has knock-on effects for backup software and for Windows Server 2008 SP2, so check the same support document for help on that before rolling it out.
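The attack described above ends with a domain controller's computer account authenticating over NTLM to a host that is not the domain controller, which is also how a relay shows up in the logs of whatever service the attacker relays to. The following detection logic is an added example written for this piece, not code from the article or from Microsoft: it walks a set of constructed Security event 4624 records (the field names TargetUserName, LogonType, AuthenticationPackageName and IpAddress mirror those of a real 4624 event, but the line format and the DC inventory are assumptions for the demo) and flags NTLM network logons by a DC account whose source address is not that DC's own.

```python
"""Flag NTLM network logons by a domain controller's computer account that
arrive from an address that is not that domain controller.

After an LSARPC coercion of the kind CVE-2022-26925 enables, the DC's
computer account (DC01$) authenticates over NTLM to the attacker, who relays
it onward. The relay target then records Security event 4624 with the DC's
account, LogonType 3 (network) and AuthenticationPackageName NTLM, but with
the attacker's source address instead of the DC's.

Added example, not code from the article or from Microsoft. The 'Key=Value'
line format and the DC inventory below are constructed for the demonstration;
the field names mirror the EventData names in a real 4624 record.
"""
from dataclasses import dataclass
from ipaddress import ip_address
import re

# Assumed inventory: DC hostname (upper-case) -> that DC's own addresses.
DC_INVENTORY = {
    "DC01": {"10.0.0.10"},
    "DC02": {"10.0.0.11"},
}

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    account: str        # e.g. "DC01$" or "CORP\\DC01$"
    logon_type: int
    auth_package: str   # "NTLM", "Kerberos", "Negotiate", ...
    source_ip: str      # "-" when Windows did not record one


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'Key=Value ...' line into a LogonEvent."""
    f = dict(_KV.findall(line))
    return LogonEvent(
        event_id=int(f["EventID"]),
        account=f["TargetUserName"],
        logon_type=int(f["LogonType"]),
        auth_package=f["AuthenticationPackageName"],
        source_ip=f.get("IpAddress", "-"),
    )


def dc_name(account: str, dc_inventory=DC_INVENTORY):
    """Return the DC hostname if 'account' is a known DC's computer account, else None."""
    if not account.endswith("$"):
        return None
    host = account.rsplit("\\", 1)[-1][:-1].upper()  # drop DOMAIN\ prefix and trailing $
    return host if host in dc_inventory else None


def is_suspect_dc_ntlm_logon(ev: LogonEvent, dc_inventory=DC_INVENTORY) -> bool:
    """True for a successful NTLM network logon of a DC computer account whose
    source address is not one of that DC's own addresses."""
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    if ev.auth_package.upper() != "NTLM":
        return False
    host = dc_name(ev.account, dc_inventory)
    if host is None:
        return False
    try:
        src = ip_address(ev.source_ip)
    except ValueError:
        return False          # "-" or malformed: nothing to compare against
    if src.is_loopback:
        return False          # recorded on the DC itself: its own local logon
    return str(src) not in dc_inventory[host]


def scan(lines, dc_inventory=DC_INVENTORY):
    """Return the suspect LogonEvents found in an iterable of event lines."""
    return [ev for ev in map(parse_event, lines)
            if is_suspect_dc_ntlm_logon(ev, dc_inventory)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # ordinary user NTLM logon from a workstation: not a computer account
    "EventID=4624 TargetUserName=jdoe LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.5.23",
    # DC01$ using Kerberos: the normal case
    "EventID=4624 TargetUserName=DC01$ LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.10",
    # DC01$ via NTLM from its own address: NTLM fallback, not a relay
    "EventID=4624 TargetUserName=CORP\\DC01$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.10",
    # DC01$ via NTLM from an address that is not DC01: relayed credential
    "EventID=4624 TargetUserName=DC01$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.7.99",
    # DC02$ via NTLM with no recorded source: cannot judge, not flagged
    "EventID=4624 TargetUserName=DC02$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=-",
    # a non-DC computer account via NTLM from anywhere: outside this rule
    "EventID=4624 TargetUserName=WS17$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.7.99",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"SUSPECT relayed NTLM logon: {ev.account} from {ev.source_ip}")
```

Two caveats when running this against real telemetry: a multi-homed DC needs every one of its addresses in the inventory or its legitimate NTLM fallbacks will be flagged, and a DC account arriving over NTLM from another DC's address is still worth a look even though the check above only compares against the named DC's own addresses.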

And we are curious why, after making a huge fuss over a lone local privilege escalation vuln in the Linux world last month and giving it the catchy codename Nimbuspwn, Redmond didn't name the above flaw nor any of the other 20 or so LPEs it patched this month. May we suggest Nadellapwn for starters? Or LoSAh?

Two publicly disclosed bugs

Two other bugs in this month's Patch Tuesday bunch are listed as publicly disclosed. Of the two, Microsoft says exploitation of CVE-2022-29972 is more likely. This is a vulnerability in Azure Data Factory and Azure Synapse pipelines, specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift from Azure Synapse pipelines and the Azure Data Factory Integration Runtime (IR).

An attacker could exploit this bug to "perform remote command execution across IR infrastructure not limited to a single tenant," Microsoft wrote in a security alert.

The second publicly disclosed bug, CVE-2022-22713, is a denial-of-service vulnerability in Windows Hyper-V. Microsoft says exploitation of this one is less likely and requires an attacker to win a race condition.

Another interesting bug in this month's bunch is a Windows Network File System (NFS) remote code execution vulnerability that received a 9.8 CVSS score. It's tracked as CVE-2022-26937, and a remote, unauthenticated attacker could exploit it by sending a specially crafted call to the NFS service and then executing malicious code on the host.

It's worth noting that the default configuration for Windows devices is not vulnerable, Kevin Breen, director of cyber threat research at Immersive Labs, told The Register. That is to say, the vulnerable NFS functionality is not on by default.

Still, "these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data often part of a ransom attempt," he added.

Another eye-catching bug is CVE-2022-26923, a privilege-escalation flaw in Active Directory Domain Services, discovered by Oliver Lyak of the Institut for Cyber Risk in Denmark and reported through the ZDI. Essentially, any domain-authenticated user can become a domain admin if the vulnerable services are running on the domain, which is scary. You'll want to patch this, too, IT peeps.

Adobe fixes 18 CVEs

Meanwhile, Adobe released five security updates for 18 CVEs in its Adobe Character Animator, Adobe ColdFusion, Adobe InDesign, Adobe Framemaker and Adobe InCopy products.

Ten of these occur in Adobe Framemaker, and nine of the ten are critical with 7.8 CVSS scores. Out-of-bounds (OOB) write and use-after-free flaws could lead to arbitrary code execution in all ten.

Google patches escalation-of-privilege vulns

In its May patching round, Google fixed 36 Android flaws. The most severe bug, rated high severity by the cloud giant, is in the Android Framework component and could let a rogue app escalate its privileges locally.

Google issued a patch for this and three other high-severity escalation-of-privilege vulns in Framework, plus one moderate-severity information disclosure bug.

SAP joins the patch party

And finally, SAP released 17 new and updated security fixes this month. This includes six patches to fix the critical remote code execution Spring4Shell vulnerability (CVE-2022-22965) in SAP applications.

Additionally, SAP Security Note #3145046 patches a cross-site scripting vulnerability that received an 8.3 CVSS score. Onapsis Research Labs helped on this flaw, and said it exists in the administration user interface (UI) of the Internet Communication Manager (ICM) in SAP Application Server ABAP/Java, and in the administration UI for SAP Web Dispatcher, both stand-alone and embedded in an (A)SCS instance.

"The only thing that prevents this vulnerability from being tagged with a higher CVSS is the fact that an attacker must entice a victim to log on to the administration UI using a browser and that the attack is highly complex," the researchers wrote. ®


Biting the hand that feeds IT © 1998–2022