Microsoft’s latest round of patches addresses 74 vulnerabilities, including 7 rated critical. Classified as important with a CVSS score of 8.1, the CVE-2022-26925 Windows LSA spoofing flaw, already exploited in the wild, is the one to fix urgently.
Companies must continually update their IT systems to limit the risk of compromise, especially those running Windows systems, applications and services, as Microsoft’s latest Patch Tuesday shows. This salvo of patches corrects 74 flaws, including seven rated critical and one already being exploited. The latter, tracked as CVE-2022-26925 and classified as important with a CVSS score of 8.1, allows an unauthenticated attacker to coerce a domain controller into authenticating to another server using the NTLM authentication protocol, which is used by various Windows network services. A coerced NTLM authentication of this kind is the starting point of an NTLM relay attack, which is why the fix matters beyond the domain controller itself.
Note that the security update offered by Microsoft works by detecting anonymous connection attempts to the Local Security Authority Remote Procedure Call (LSARPC) interface, used in Windows environments to manage security policies from a remote machine, and rejecting them. The attack vector is man-in-the-middle: the attacker must inject themselves into the logical network path between the target and the resource the victim requests in order to read or modify network communications, which is why Microsoft rates the attack complexity as high despite the severity of the outcome.
Avoiding a repeat of the PetitPotam attack scenario
In addition to this patch, Microsoft strongly recommends consulting advisories KB5005413 and ADV210003 to assess the additional measures to put in place against NTLM relay attacks, as happened a few months ago with PetitPotam. “Also note that this hotfix affects some backup functionality on Server 2008 SP2. If you use this operating system, read this one carefully to ensure that your backups can still be used for recovery,” security researchers from the Zero Day Initiative (ZDI) also warn.
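The two KB5005413 mitigations that matter most for NTLM relay against certificate enrollment are requiring Extended Protection for Authentication (EPA) and requiring TLS on the AD CS web enrollment application. The PowerShell below is an added example written for this page, not code from the article, from ZDI or from Microsoft; it audits those two settings on the server hosting Web Enrollment and, with `-Remediate`, enforces them. It assumes the enrollment application sits at `Default Web Site/CertSrv` (the default path) and that the IIS `WebAdministration` module is installed.

```powershell
# Added example (not from the article or from Microsoft): audit, and optionally
# enforce, two KB5005413 mitigations for NTLM relay against AD CS web enrollment:
# EPA set to "Require" and SSL required on the /CertSrv application.
# Assumptions: the enrollment app is at 'Default Web Site/CertSrv' and the
# WebAdministration module (IIS management tools) is present. Run elevated.
param(
    [string]$SitePath = 'Default Web Site/CertSrv',
    [switch]$Remediate
)

Import-Module WebAdministration

$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$access  = 'system.webServer/security/access'

function Get-CertSrvRelayHardening {
    # tokenChecking is None, Allow or Require. Only Require rejects a relayed
    # NTLM exchange, because the relay cannot present the channel binding token
    # that ties the authentication to the TLS session it is really using.
    $epa = (Get-WebConfiguration -PSPath 'IIS:\' -Location $SitePath `
        -Filter "$winAuth/extendedProtection").tokenChecking
    $ssl = (Get-WebConfiguration -PSPath 'IIS:\' -Location $SitePath `
        -Filter $access).sslFlags
    [pscustomobject]@{
        SitePath      = $SitePath
        TokenChecking = [string]$epa
        SslFlags      = [string]$ssl
        EpaRequired   = ([string]$epa -eq 'Require')
        SslRequired   = ([string]$ssl -match 'Ssl')
    }
}

$before = Get-CertSrvRelayHardening
$before | Format-List

if ($Remediate) {
    if (-not $before.EpaRequired) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
            -Filter "$winAuth/extendedProtection" -Name 'tokenChecking' -Value 'Require'
    }
    if (-not $before.SslRequired) {
        # EPA only binds to a TLS channel; a plain HTTP listener would still
        # accept a relayed NTLM logon, so require SSL on the application too.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
            -Filter $access -Name 'sslFlags' -Value 'Ssl'
    }
    Get-CertSrvRelayHardening | Format-List
}
```

Run it once without `-Remediate` to see the current state. Setting EPA to Require will break enrollment clients that do not support channel binding, so test with the clients you actually have before enforcing it fleet-wide; KB5005413 also covers disabling NTLM on the CA server entirely, which this script does not touch.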
Publicly disclosed but not yet exploited, the critical CVE-2022-29972 flaw affecting the Magnitude Simba Amazon Redshift ODBC driver used by the Azure Synapse Pipelines and Azure Data Factory integration runtimes must also be taken very seriously: it can allow an attacker to execute commands remotely in these environments. Other equally critical flaws need patching as well: one presenting a risk of privilege escalation in Active Directory Domain Services (CVE-2022-26923), and CVE-2022-26937, with a CVSS score of 9.8, which could be exploited over the network by making an unauthenticated call to a Network File System (NFS) service to trigger remote code execution. “NFS is not enabled by default, but it is prevalent in environments where Windows systems are mixed with other operating systems such as Linux or Unix. If this matches your environment, you should definitely test and deploy this patch soon. Microsoft notes that NFSv4.1 is not exploitable, so upgrade from NFSv2 or NFSv3 if possible,” the ZDI researchers also warn.
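To act on the ZDI advice above, an administrator needs to know which NFS protocol versions each Windows file server actually has enabled. The PowerShell below is an added example written for this page, not code from the article, from ZDI or from Microsoft; it reports whether the Server for NFS role is installed and which versions are on, and with `-Remediate` turns off NFSv2 and NFSv3 so that only NFSv4 remains. It assumes the `NFS` PowerShell module that ships with the `FS-NFS-Service` role and an elevated session, and it assumes the service name `NfsService` for the restart.

```powershell
# Added example (not from the article or from Microsoft): report the NFS
# versions enabled on a Windows Server for NFS host and, with -Remediate,
# disable NFSv2 and NFSv3 so only NFSv4 remains, per the mitigation quoted
# above. Assumptions: FS-NFS-Service role and its NFS module are installed,
# the session is elevated, and the service is named 'NfsService'.
# Disabling v2/v3 breaks clients that only speak those versions, so inventory
# the client side first.
param([switch]$Remediate)

function Get-NfsVersionExposure {
    $feature = Get-WindowsFeature -Name FS-NFS-Service
    if (-not $feature.Installed) {
        # No role, no listener: nothing to expose on this host.
        return [pscustomobject]@{
            RoleInstalled = $false; NFSv2 = $false; NFSv3 = $false
            NFSv4 = $false; Exposed = $false
        }
    }
    $cfg = Get-NfsServerConfiguration
    [pscustomobject]@{
        RoleInstalled = $true
        NFSv2         = [bool]$cfg.EnableNFSV2
        NFSv3         = [bool]$cfg.EnableNFSV3
        NFSv4         = [bool]$cfg.EnableNFSV4
        # Exposed: a version in scope of the quoted advice (v2 or v3) is enabled
        Exposed       = ([bool]$cfg.EnableNFSV2 -or [bool]$cfg.EnableNFSV3)
    }
}

$state = Get-NfsVersionExposure
$state | Format-List

if ($Remediate -and $state.Exposed) {
    if (-not $state.NFSv4) {
        # Keep a protocol version available before switching the old ones off.
        Set-NfsServerConfiguration -EnableNFSV4 $true
    }
    Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false
    # Assumption: the change is applied when the NFS server service restarts.
    Restart-Service -Name NfsService
    Get-NfsVersionExposure | Format-List
}
```

Disabling the older versions reduces the attack surface described in the quote but is not a substitute for the patch: deploy the May update to every Windows host with the NFS role regardless of which versions are enabled.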