Admins have a Windows zero-day and a public disclosure at the top of their priority list for April Patch Tuesday.
This month, Microsoft released fixes for 117 unique new vulnerabilities with nine rated critical. There were no corrections for Exchange Server.
Topping the priority list this month for administrators is a Windows zero-day, a Common Log File System Driver elevation-of-privilege vulnerability (CVE-2022-24521) rated important that affects all supported Windows desktop and server systems.
The Common Vulnerability Scoring System (CVSS) severity score is 7.8. A successful exploit requires no user interaction; authentication is needed, but an attacker holding only the low privileges of a typical end user can use the flaw to gain a foothold in the network.
"In the case of an elevation-of-privilege vulnerability, it's going to be used in a chain of vulnerabilities working together," said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company. "The attacker is going to use this in combination with two to three more things. And it can be used to great effect in doing so."
Microsoft recognized the National Security Agency and cybersecurity firm CrowdStrike for discovering the flaw.
The one publicly disclosed vulnerability is a Windows User Profile Service elevation-of-privilege bug (CVE-2022-26904) rated important for all supported Windows desktop and server systems. Microsoft's notes indicate the attack complexity is high; the threat actor must win a race condition to perform a successful exploit. Functional exploit code exists for this vulnerability, which makes deploying the security update as soon as possible more urgent.
"To go from a functional code sample to a weaponized exploit is probably the least difficult part of the process for threat actors," Goettl said. "It can be a little time-consuming, but they typically have the infrastructure to plug in a new vulnerability and take advantage of it."
Of the nine critical vulnerabilities in April Patch Tuesday, eight are in the Windows operating system, which makes resolving them quick work for most administrators due to the cumulative update model.
"The one bit of good news is the OS update. Prioritizing that one will take a lot of the risk off the table right away," Goettl said.
Other April Patch Tuesday security updates of note
Two hotspots for admins this month are the Windows print spooler and the Windows DNS server, with 15 and 18 CVEs to address, respectively.
"Everybody should expect to possibly run into some printer issues after patching, so make sure and test any print experiences and your critical applications thoroughly," Goettl said.
Outside of the OS fixes, the other critical vulnerability is a Microsoft Dynamics 365 remote code execution flaw (CVE-2022-23259) for versions 9.0 and 9.1 of the on-premises system. To exploit the bug, the attacker would need to run a specially crafted trusted solution file that executes certain SQL commands, then escalate to run commands as the database owner.
A Remote Procedure Call (RPC) runtime remote code execution vulnerability (CVE-2022-26809) is rated critical for supported Windows desktop and server systems. This flaw hits the high-water mark for potential risk with a CVSS severity score of 9.8 out of 10. The attacker does not need authorization, just network access, to run code with high privileges following a successful exploit.
"To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service," Microsoft wrote in its CVE notes.
Microsoft unveils upcoming patch automation service
Microsoft released a blog on April 5 to alert admins of a new automatic update service named Windows Autopatch. The company said this free feature patches Windows 10/11 desktops and Office applications. Expected to launch in July, the service is open to organizations with a Windows Enterprise E3 subscription and above. Azure Active Directory and Microsoft Intune are also required.
"I think that younger companies in that small to medium enterprise range will absolutely find this to be a great step forward, because they've already embraced those prerequisites," Goettl said.
Windows Autopatch does not update Windows Server systems, and Microsoft currently has no plans to include the server OS. Windows Autopatch will handle Office patches, and quality and feature updates for firmware, drivers and third-party content currently in the Windows Update catalog.
Windows Autopatch uses a testing framework consisting of four rings: test, first, fast and broad. The service automates the placement of Windows 10/11 devices into these testing groups.
"The 'test ring' contains a minimum number of representative devices. The 'first' ring is slightly larger, containing about 1% of all devices under management. The 'fast' ring contains about 9% of endpoints, with the rest assigned to the 'broad' ring," the company wrote.
Windows Autopatch deploys updates to the test ring first and, after an evaluation and approval process, patches systems in the next ring and so on. A company official said Windows Autopatch should complete a deployment cycle in 21 days. Administrators will have the option to pause or roll back updates if problems occur.
Windows Autopatch builds off an existing patching technology called Windows Update for Business, but Microsoft handles the creation of the testing rings and other orchestration rather than the organization's IT staff.
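The ring model described above (a small test ring, roughly 1% in "first", roughly 9% in "fast", the remainder in "broad", with each ring evaluated before the next is patched and a pause or rollback when something breaks) can be written down as a small gated-rollout model. The code below is an added example, not Microsoft's or Windows Autopatch's code; the ring proportions come from the article, while the function names, the `install` health-check callback and the whole-ring rollback behaviour are assumptions made for illustration.

```python
"""Model of a four-ring, gated patch rollout (added example; the ring
proportions follow the article, everything else is an assumption)."""
from collections import OrderedDict
from typing import Callable, Dict, List

RINGS = ("test", "first", "fast", "broad")


def assign_rings(devices: List[str], test_min: int = 2) -> "OrderedDict[str, List[str]]":
    """Deterministically split devices into rings: a small fixed test ring,
    about 1% in 'first', about 9% in 'fast', and everything else in 'broad'.
    Sorting first makes the assignment repeatable across runs."""
    n = len(devices)
    ordered = sorted(devices)
    test_n = min(test_min, n)
    first_n = max(1, round(n * 0.01)) if n > test_n else 0
    fast_n = max(1, round(n * 0.09)) if n > test_n + first_n else 0
    rings: "OrderedDict[str, List[str]]" = OrderedDict()
    rings["test"] = ordered[:test_n]
    rings["first"] = ordered[test_n:test_n + first_n]
    rings["fast"] = ordered[test_n + first_n:test_n + first_n + fast_n]
    rings["broad"] = ordered[test_n + first_n + fast_n:]
    return rings


def rollout(rings: Dict[str, List[str]], install: Callable[[str], bool]) -> Dict:
    """Deploy ring by ring. `install(device)` is an assumed hook that applies
    the update and returns True if the device is still healthy afterwards.
    A failure anywhere in a ring stops the rollout there and rolls back that
    whole ring; later rings are never touched."""
    state = {"patched": [], "rolled_back": [], "stopped_at": None}
    for ring in RINGS:
        members = rings[ring]
        healthy = [d for d in members if install(d)]
        if len(healthy) < len(members):
            state["rolled_back"] = list(members)
            state["stopped_at"] = ring
            return state
        state["patched"].extend(members)
    return state


# Constructed fleet of 100 devices; pc-050 is assumed to break on this update.
DEVICES = [f"pc-{i:03d}" for i in range(100)]
BROKEN = {"pc-050"}


def demo_install(device: str) -> bool:
    """Assumed health check: every device except the constructed failure passes."""
    return device not in BROKEN


if __name__ == "__main__":
    rings = assign_rings(DEVICES)
    for name in RINGS:
        print(f"{name:>5}: {len(rings[name])} devices")
    result = rollout(rings, demo_install)
    print("stopped at:", result["stopped_at"],
          "| patched:", len(result["patched"]),
          "| rolled back:", len(result["rolled_back"]))
```

With the constructed fleet the failure sits in the broad ring, so the three smaller rings are patched and the broad ring is rolled back; the point of the model is that the blast radius of a bad update is bounded by the ring in which it is first detected.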
Organizations warned to be on guard for SpringShell
Microsoft posted an update Monday on its security blog to alert customers that its Azure Web Application Firewall service "has enhanced protection" for the SpringShell vulnerability affecting the Spring Framework. SpringShell is also known as Spring4Shell.
Microsoft said organizations that use Azure Web Application Firewall with its Azure Application Gateway load balancer/reverse proxy have new rules to defend against three SpringShell vulnerabilities (CVE-2022-22947, CVE-2022-22963, CVE-2022-22965) and SpringShell communication attempts.
Among its recommendations, Microsoft's blog directed customers to use its Microsoft Defender for Endpoint product to scan for vulnerable systems and its Azure Firewall Premium offering, which automatically updates its rulesets to mitigate SpringShell exploitation attempts.
Systems affected by SpringShell will be running the following:
- Java Development Kit 9.0 or later;
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions; and
- Apache Tomcat as servlet container.
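The three conditions listed above can be turned into a quick inventory triage. The following is an added example, not code from Microsoft, Ivanti or the Spring project; the version ranges are the ones the article lists (5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier branches), and the `Host` record, the function names and the sample inventory are assumptions constructed for illustration.

```python
"""Flag hosts matching the SpringShell exposure conditions listed in the
article (added example; helper names and sample data are constructed)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.3.17', '11.0.14', '1.8.0_322' or '17' into a comparable
    (major, minor, patch) tuple. Qualifiers such as '-RC1' or '_322' are
    ignored so a pre-release sorts with its base version."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return major, minor, patch


def spring_in_affected_range(spring_version: str) -> bool:
    """Affected per the article: 5.3.0-5.3.17, 5.2.0-5.2.19, and any earlier branch."""
    major, minor, patch = parse_version(spring_version)
    if (major, minor) == (5, 3):
        return patch <= 17
    if (major, minor) == (5, 2):
        return patch <= 19
    return (major, minor) < (5, 2)


@dataclass
class Host:
    name: str
    jdk: str
    spring: str
    container: str  # servlet container name, e.g. "tomcat" or "jetty"


def springshell_exposed(h: Host) -> bool:
    """True only when all three listed conditions hold: JDK 9 or later,
    an affected Spring Framework version, and Apache Tomcat as the container."""
    jdk_major = parse_version(h.jdk)[0]
    return (jdk_major >= 9
            and spring_in_affected_range(h.spring)
            and h.container.strip().lower() == "tomcat")


def triage(hosts: List[Host]) -> List[str]:
    """Names of hosts that match every exposure condition."""
    return [h.name for h in hosts if springshell_exposed(h)]


# Constructed inventory; none of these are real hosts.
SAMPLE_INVENTORY = [
    Host("app-01", "11.0.14", "5.3.17", "tomcat"),    # affected 5.3.x on JDK 11
    Host("app-02", "11.0.14", "5.3.18", "tomcat"),    # first version past the listed range
    Host("app-03", "1.8.0_322", "5.3.10", "tomcat"),  # JDK 8: outside the listed conditions
    Host("app-04", "17", "5.2.19", "jetty"),          # affected version but not Tomcat
    Host("app-05", "17", "4.3.30", "tomcat"),         # earlier branch, also listed as affected
]

if __name__ == "__main__":
    print("hosts matching all SpringShell conditions:", triage(SAMPLE_INVENTORY))
```

The function flags only hosts matching all three conditions, which is the exposure profile the article lists; a host running an affected Spring Framework version on another container or an older JDK still carries the unpatched framework and belongs on the update list, just at a different priority.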
"There are a number of SpringShell updates from different vendors, such as VMware, which had a number of products updated. Apache Tomcat was updated to resolve the known exploited vulnerability," Goettl said. "Organizations just need to be aware that those updates continue to come out and they need to make sure that they're taking care of them quickly."