One year after the massive zero-day exploit campaign by Chinese cybergang Hafnium affecting Exchange servers, Microsoft fixes another critical flaw CVE-2022-23277 leading to remote malicious code execution. In all, 71 vulnerabilities were addressed in the publisher’s March 2022 Patch Tuesday.
Scalded cat fears cold water. The beginning of March 2021 had been hot for companies with more than 400,000 Exchange servers made vulnerable due to ProxyLogon flaws exploited by the Chinese cybergang Hafnium. Not to mention in September denying the cybercriminals behind the Conti ransomware who in turn exploited these flaws to put unpatched Exchange servers under their control.
On Tuesday, Microsoft announced during its monthly Patch Tuesday patch salvo that it has addressed a vulnerability identified as CVE-2022-23277, once again exposing organizations to a zero-day exploit. The latter leads to the execution of malicious code remotely with the possibility of elevation of privileges to compromise messaging systems and steal data and information contained in e-mails. This flaw, classified as critical and with a CVSS 3.1 score of 8.8/7.7, affects Exchange 2013, 2016 and 2019 servers, and must therefore be fixed as soon as possible.
A risk of exploit despite the authentication requirement
“It’s also listed as low complexity so it wouldn’t surprise me to see this bug exploited in the wild soon despite the authentication requirement,” warned security researcher Dustin Childs of the Zero Day Initiative. In its alert, Microsoft confirmed that an authenticated attacker could target server accounts during arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server account via a network call.
In the list of patches (71) delivered this month by Microsoft, two other critical flaws have been corrected to prevent remote malicious code execution (RCE). Namely CVE-2022-2206 and CVE-2022-24501 respectively relating to HEVC and VP9 video codecs. Among the other 68 gaps filled, several require special attention. In particular, CVE-2022-24508 affecting the SMBv3 network file sharing protocol allowing – still – to execute remote malicious code on systems running at least Windows 10 (version 2004). “Authentication is required here, but since it affected both clients and servers, an attacker could use it to move laterally within a network,” Dustin Childs explained. Note that the latter considers this flaw to be critical, unlike Microsoft, but enjoins companies to act as if it were the case. Namely correct as soon as possible.