Zero-day vulnerability in Microsoft April Updates

Microsoft released the Patch Tuesday updates for the months of March and April earlier today. It has announced a couple of zero-day vulnerabilities that affect the Windows User Profile Service and the Windows Common Log File System Driver. Both vulnerabilities can cause 'Elevation of Privilege' on the target computer. The vulnerability details are listed below for ready reference.

CVE-2022-26904 – CVSS 7 – Windows User Profile Service Elevation of Privilege vulnerability

The latest security updates contain a fix for the zero-day vulnerability in the User Profile Service on the Windows operating system, across both server and desktop versions. The vulnerability carries a CVSS score of 7 and has a 'high impact' on infrastructure based on Windows Server or desktop operating systems. It could be exploited to elevate privileges on the target computer or server.

Since this vulnerability is publicly known and is more likely to be exploited, we suggest deploying the security updates for April Patch Tuesday on a priority basis.

CVE-2022-26904 affects the following versions of Windows operating systems:

  • Windows Server 2022 and Windows Server 2022 (Server Core installation)
  • Windows Server 20H2 (Server Core installation)
  • Windows Server 2019 and Windows Server 2019 (Server Core installation)
  • Windows Server 2016 and Windows Server 2016 (Server Core installation)
  • Windows Server 2012, Windows Server 2012 (Server Core installation), Windows Server 2012 R2 and Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2008, all versions
  • Windows 7, all versions
  • Windows 10, all versions
  • Windows 11, all versions

The security updates corresponding to each Windows operating system have been published by Microsoft for patching the zero-day vulnerability CVE-2022-26904.

CVE-2022-24521 – CVSS 7.8 – Windows Common Log File System Driver Elevation of Privilege vulnerability

Details of CVE-2022-24521 have not been publicly disclosed. However, Microsoft has detected that the vulnerability is already being exploited by threat actors. Therefore, it is imperative to patch this 'Elevation of Privilege' vulnerability. It carries a CVSS score of 7.8 and has a high impact on the associated infrastructure. The vulnerability affects almost all Windows Server and desktop operating systems. The full list of affected Windows versions is given below:

  • Windows Server 2022 and Windows Server 2022 (Server Core installation)
  • Windows Server 20H2 (Server Core installation)
  • Windows Server 2019 and Windows Server 2019 (Server Core installation)
  • Windows Server 2016 and Windows Server 2016 (Server Core installation)
  • Windows Server 2012, Windows Server 2012 (Server Core installation), Windows Server 2012 R2 and Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2008, all versions
  • Windows 7, all versions
  • Windows 10, all versions
  • Windows 11, all versions

Please plan to patch this vulnerability at the earliest opportunity.

Other vulnerabilities in Microsoft April Security Updates – More Likely to be Exploited

The April 2022 Patch Tuesday updates see a lot of action in terms of vulnerabilities and remediation. Microsoft has disclosed a total of 117 security vulnerabilities as part of this Patch Tuesday release.

Ten of these have been identified by Microsoft as 'More Likely to be Exploited'. A summary of these vulnerabilities follows:

  • CVE-2022-24474 – Windows Win32k Elevation of Privilege Vulnerability – This vulnerability exists in the Win32k module and can cause 'Elevation of Privilege' on the target computer. It has a CVSS score of 7.8 and a high impact on the associated infrastructure.
  • CVE-2022-24481 – Windows Common Log File System Driver Elevation of Privilege Vulnerability – This vulnerability exists in the Windows Common Log File System Driver and could lead to 'Elevation of Privilege'. The CVSS score is 7.8.
  • CVE-2022-24491 – Windows Network File System Remote Code Execution Vulnerability – This is a Remote Code Execution vulnerability in the Windows Network File System. It has critical severity, with a CVSS score of 9.8.
  • CVE-2022-24521 – Windows Common Log File System Driver Elevation of Privilege Vulnerability – This is the zero-day vulnerability in the Windows Common Log File System Driver that is already being exploited. It has a CVSS score of 7.8.
  • CVE-2022-26809 – Remote Procedure Call Runtime Remote Code Execution Vulnerability – This is a critical Remote Code Execution vulnerability with a CVSS score of 9.8. You can mitigate this vulnerability against external traffic by blocking TCP port 445 on the perimeter firewall. For internal traffic, you will need to take separate steps to secure SMB traffic.
  • CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability – This is the zero-day vulnerability discussed above.
  • CVE-2022-26914 – Win32k Elevation of Privilege Vulnerability – This is an Elevation of Privilege vulnerability in the Win32k module. It has a CVSS score of 7.8.
  • CVE-2022-24542 – Windows Win32k Elevation of Privilege Vulnerability – This vulnerability affects the Win32k module and could lead to 'Elevation of Privilege'. It has a CVSS score of 7.8.
  • CVE-2022-24546 – Windows DWM Core Library Elevation of Privilege Vulnerability – This vulnerability affects the DWM Core Library and can lead to 'Elevation of Privilege' on the target system. It has a CVSS score of 7.8.
  • CVE-2022-24547 – Windows Digital Media Receiver Elevation of Privilege Vulnerability – This is an Elevation of Privilege vulnerability with a CVSS score of 7.8. It affects the Windows Digital Media Receiver on specific versions of the Windows operating system.
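The following PowerShell script is an added example, not code from the original post or from Microsoft. It implements the interim mitigation named above for CVE-2022-26809 (blocking inbound TCP port 445 against external traffic) and the patch-verification step the post recommends for every CVE listed. The rule name, the choice to scope the block to the Public firewall profile, and the KB identifier are assumptions; the real KB article number for a given OS build must be taken from the Microsoft advisory.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): interim firewall mitigation for
# CVE-2022-26809 plus a check that the April 2022 security update is installed.

param(
    # Assumed rule name; any unique display name works.
    [string]$RuleName = 'Block Inbound TCP 445 - Public profile (CVE-2022-26809 interim mitigation)',
    # Placeholder: replace with the KB article for your OS build from the Microsoft advisory.
    [string]$AprilKb  = 'KB_PLACEHOLDER'
)

# 1. Interim mitigation. The block is scoped to the Public profile so that SMB on
#    domain and private networks (where it is normally required) is unaffected;
#    that matches the post's split between external and internal traffic.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Profile Public -Action Block -Enabled True | Out-Null
    Write-Host "Created firewall rule: $RuleName"
} else {
    Write-Host "Firewall rule already present: $RuleName"
}

# 2. Verify the rule is enabled, blocking, and bound to the expected port, so a
#    misapplied rule is caught immediately rather than discovered later.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$port = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Rule      = $rule.DisplayName
    Enabled   = $rule.Enabled
    Action    = $rule.Action
    Profile   = $rule.Profile
    Protocol  = $port.Protocol
    LocalPort = $port.LocalPort
} | Format-List

# 3. Patch status. The firewall rule only narrows exposure; the security update
#    is the actual fix, so report whether it is present on this host.
$installed = Get-HotFix -Id $AprilKb -ErrorAction SilentlyContinue
if ($installed) {
    Write-Host "Security update $AprilKb installed on $($installed.InstalledOn)."
} else {
    Write-Warning "Security update $AprilKb not found; deploy the April 2022 update for this OS build."
}
```

Run it in an elevated PowerShell session on the host being hardened; once the security update is confirmed installed across the fleet, the Public-profile rule can be retired or kept as defence in depth, depending on whether the host ever needs to serve SMB on untrusted networks.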

The zero-day vulnerability CVE-2022-26904 is also rated more likely to be exploited. However, Microsoft has not detected any exploitation attempts as yet.

Other Vulnerabilities Microsoft April Updates – Critical Severity – Remote Code Execution Vulnerabilities

Over and above the vulnerabilities shared above, there are a few more security threats that you need to be aware of. All of these vulnerabilities can lead to 'Remote Code Execution'.

These RCE vulnerabilities are rated Critical or have a high impact on your infrastructure. The vulnerabilities of interest are listed below as a quick summary and set of action points:

  • CVE-2022-26809 – CVSS 9.8 – RCE in the RPC Runtime Library
  • CVE-2022-24491 – CVSS 9.8 – RCE in the Windows Network File System
  • CVE-2022-24497 – CVSS 9.8 – RCE in the Windows Network File System
  • CVE-2022-23259 – CVSS 8.8 – RCE in on-premises Microsoft Dynamics 365
  • CVE-2022-24541 – CVSS 8.8 – RCE in the Windows Server Service
  • CVE-2022-24500 – CVSS 8.8 – RCE in Windows SMB
  • CVE-2022-23257 – CVSS 8.6 – RCE in Windows Hyper-V
  • CVE-2022-26919 – CVSS 8.1 – RCE in Windows LDAP
  • CVE-2022-22008 – CVSS 7.7 – RCE in Hyper-V
  • CVE-2022-24537 – CVSS 7.7 – RCE in Hyper-V

The vulnerabilities listed above assume critical significance on account of the nature of the threat. Remote Code Execution threats need to be taken seriously and patched immediately.

Please consider deploying the security updates or monthly rollup updates corresponding to the Windows operating system version to resolve the CVE-2022-26904 security vulnerability.