icetray - Fotolia
Critical Exchange Server bug fixed for March Patch Tuesday
The vulnerability on the on-premises mail server system is one of just three critical flaws from a total of 71 bugs corrected in Microsoft products this month.
After a mild February Patch Tuesday, Exchange Server made its return to the vulnerability list on March Patch Tuesday.
In total, Microsoft corrected 71 unique flaws with three rated critical and three others publicly disclosed this month. Administrators were handed a relatively light workload on February Patch Tuesday with no critical vulnerabilities out of 51 CVEs and no corrections for Exchange Server.
Administrators who manage an on-premises mail server will want to focus on correcting an Exchange Server remote code execution vulnerability (CVE-2022-23277). The bug is rated critical and affects all supported versions. The bug has a relatively high CVSS rating of 8.8 out of 10.
Exchange Server continues to draw significant interest from malicious actors. Intrusion attempts on the messaging platform continue to evolve in sophistication, often using methods that chain multiple vulnerabilities to access the highly prized infrastructure component. By using another vulnerability to gain privilege escalation and get the right level of authentication, the attacker does not need user interaction to run malicious code to hit server accounts.
"Even though there's a few hoops for the attacker to jump through, this definitely makes that critical Exchange vulnerability a priority," said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company.
Microsoft corrected another Exchange Server vulnerability (CVE-2022-24463) for March Patch Tuesday. The spoofing flaw is rated important and affects Exchange Server 2016 and 2019 systems. A malicious actor needs credentials to perform the attack.
"An authenticated attacker could make a specially crafted network call to the target Exchange Server that causes the parsing of an http request made to an attacker-controlled server. This could lead to the disclosure of files from the target Exchange Server," Microsoft wrote in its CVE notes.
Existence of proof-of-concept code should accelerate patching
Microsoft also released security updates for three publicly disclosed vulnerabilities on March Patch Tuesday. Two bugs have proof-of-concept code, which should spur administrators to quickly push the patches for these flaws.
A remote code execution vulnerability (CVE-2022-24512) is rated important for several .NET and Visual Studio products, including .NET Core 3.1, .NET 5.0, .NET 6.0 and newer Microsoft Visual Studio products. The vulnerability has a relatively low CVSS score of 6.3; a malicious actor needs user interaction and additional vulnerabilities to launch an attack.
A Windows Fax and Scan service elevation-of-privilege vulnerability (CVE-2022-24459), rated important for supported Windows desktop and server operating systems, has a 7.8 CVSS rating. There is proof-of-concept exploit code for this vulnerability, which does not require user interaction to trigger the exploit.
A Remote Desktop Protocol (RDP) client remote code execution vulnerability (CVE-2022-21990) rated important affects supported Windows desktop and server operating systems. There is proof-of-concept exploit code for this flaw.
"In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client," Microsoft wrote in the CVE notes.
Systems susceptible to the RDP vulnerability should get priority due to the availability of proof-of-concept code that could get weaponized quickly. Even though the BlueKeep and DejaBlue flaws dominated the news not too long ago, many organizations could still be at the mercy of the next round of RDP flaws.
Chris Goettl
"Even though it's 2022, we still haven't learned our lesson. Not everybody has plugged that RDP gap. There's still a lot of public-facing exposure with this vulnerability whether it's on the network or remotely exploitable within an organization's environment," Goettl said.
March Patch Tuesday corrected two more RDP client bugs: CVE-2022-23285, a remote code execution vulnerability rated important with a CVSS rating of 8.8; and CVE-2022-24503, an information disclosure vulnerability rated important with a 5.4 CVSS score.
Administrators will also want to give prompt attention to a Windows SMBv3 client/server remote code execution vulnerability rated important that affects newer Windows client and server machines. Microsoft's CVE notes provided a PowerShell command to assist administrators who might not be able to patch systems quickly with additional instructions to block TCP port 445 in the firewall.
Goettl said these types of antiquated defensive measures for older technologies have pushed enterprises to adopt newer security methods, such as the zero-trust model and Secure Access Service Edge.
Microsoft updates remediation plan for 2021 vulnerability
Microsoft recently revised an older CVE to add dates for the next steps in a multistage remediation for a Windows Distributed Component Object Model (DCOM) server security feature bypass vulnerability (CVE-2021-26414).
A June 2021 fix added protections for Windows clients, while the next update slated for June Patch Tuesday will harden DCOM servers. Administrators can disable the DCOM server hardening via a registry key change if problems occur. The last phase, due March 14, 2023, will harden DCOM servers and remove the ability to undo the protection.
Goettl said there are many layers of complexity with this type of remediation. Administrators need to communicate any application problems with the vendor to correct issues before Microsoft enforces the DCOM protections. A resolution might require a substantial amount of effort, time and money to get every affected machine to function properly.
"It could be painful, particularly for a smaller number of enterprises that reach a point where they just can't fix the issues. They will have to get off that technology or leave it exposed come March 2023," he said.
