Microsoft released 74 new patches addressing CVEs in Microsoft Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunnelling Protocol. This is in addition to the 36 CVEs patched by Microsoft Edge (Chromium-based) in late April.

Executive Summary

Microsoft released critical security updates for all supported versions of Windows.

Microsoft released updates for other company products, including .NET, Visual Studio and Visual Studio Code, Microsoft Exchange Server, and Microsoft Office.

The following Windows client editions have known issues: Windows 7, Windows 8.1, Windows 10 version 1607, Windows 10 version 20H2, 21H1 and 21H2, Windows 11

The following Windows server editions have known issues: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022

Windows 10 version 20H2 is reaching end of servicing today.

Windows 10 version 1909 is also reaching end of servicing today.

Of the 74 CVEs released today, seven are rated Critical, 66 are rated Important, and one is rated Low in severity. A total of seven of these bugs came through the ZDI program. Historically speaking, this volume is in line with past May releases: 19 more than May 2021, but five fewer than May 2019. The entire 2020 release volume was somewhat of an anomaly, so comparisons there aren’t as useful.

One of the bugs released today is listed as publicly known and under active attack, while two others are listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerability currently being exploited:

CVE-2022-26925 – Windows LSA Spoofing Vulnerability
This complex-sounding vulnerability could allow an unauthenticated attacker to force a domain controller to authenticate against another server using NTLM. The threat actor would need to be in the logical network path between the target and the resource requested (e.g., Man-in-the-Middle), but since this is listed as under active attack, someone must have figured out how to make that happen. Microsoft notes this would be a CVSS 9.8 if combined with NTLM relay attacks, making this even more severe. In addition to this patch, sysadmins should review KB5005413 and Advisory ADV210003 to see what additional measures can be taken to prevent NTLM relay attacks. Also note this patch affects some backup functionality on Server 2008 SP2. If you’re running that OS, read this one carefully to ensure your backups can still be used to restore.

CVE-2022-26923 – Active Directory Domain Services Elevation of Privilege Vulnerability
This bug was submitted through the ZDI program by Oliver Lyak (@ly4k_) of the Institute for Cyber Risk. The specific flaw exists within the issuance of certificates. By including crafted data in a certificate request, an attacker can obtain a certificate that allows the attacker to authenticate to a domain controller with a high level of privilege. In essence, any domain authenticated user can become a domain admin if Active Directory Certificate Services are running on the domain. This is a very common deployment. Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later.

CVE-2022-26937 – Windows Network File System Remote Code Execution Vulnerability
This CVSS 9.8-rated bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems. NFS isn’t on by default, but it’s prevalent in environments where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should test and deploy this patch quickly. Microsoft notes NFSv4.1 is not exploitable, so upgrade from NFSv2 or NFSv3 if possible.
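A check an administrator can run on a Windows NFS server alongside this patch, added here as an example and not part of the original post: it reads the server's NFS configuration, reports whether NFSv2 or NFSv3 is still enabled, and optionally turns them off so only NFSv4 is served. It assumes the Server for NFS role and its NFS PowerShell module are installed, and that the EnableNFSV2/V3/V4 properties and the nfsadmin tool behave as documented for that role.

```powershell
# Added example: audit which NFS protocol versions a Windows NFS server accepts.
# Assumes the "Server for NFS" role and the NFS PowerShell module are installed
# and that this runs in an elevated session. Pass -Remediate to disable v2/v3.
param([switch]$Remediate)

Import-Module NFS -ErrorAction Stop

$cfg = Get-NfsServerConfiguration

# The Enable* flags are booleans on the configuration object (assumed names,
# matching what Get-NfsServerConfiguration prints).
[pscustomobject]@{
    NFSv2Enabled = $cfg.EnableNFSV2
    NFSv3Enabled = $cfg.EnableNFSV3
    NFSv4Enabled = $cfg.EnableNFSV4
} | Format-List

if (-not ($cfg.EnableNFSV2 -or $cfg.EnableNFSV3)) {
    Write-Host 'Only NFSv4 is enabled; no NFSv2/v3 exposure on this server.'
    return
}

Write-Warning 'NFSv2 and/or NFSv3 are enabled; these are the versions affected by CVE-2022-26937.'

if (-not $Remediate) {
    Write-Host 'Re-run with -Remediate to disable NFSv2/v3. Test first: clients that only speak v2/v3 will lose access.'
    return
}

# Disable the legacy versions; NFSv4 stays available for clients that support it.
Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false

# The change applies once the NFS server restarts (a reboot also works).
nfsadmin server stop
nfsadmin server start

# Re-read the configuration to confirm the new state.
$after = Get-NfsServerConfiguration
if ($after.EnableNFSV2 -or $after.EnableNFSV3) {
    Write-Warning 'NFSv2/v3 still reported as enabled; check the service restarted cleanly.'
} else {
    Write-Host 'NFSv2/v3 disabled. Confirm clients still mount over NFSv4 before closing the change.'
}
```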

CVE-2022-29972 – Insight Software: Magnitude Simba Amazon Redshift ODBC Driver
This update was actually released yesterday and is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services. Microsoft also released its first advisory of the year, ADV220001, with additional information about the vulnerability. The flaw exists in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory, and could allow an attacker to execute remote commands across Integration Runtimes. If you use these services, review the blog and advisory to ensure you understand the risks to your services.

Operating System Distribution

Windows Client family.

Windows 7 (extended support only): 27 vulnerabilities: 3 critical and 24 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Windows 8.1: 34 vulnerabilities: 4 critical and 30 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Active Directory Domain Services Elevation of Privilege Vulnerability — CVE-2022-26923

Windows 10 version 1909: 43 vulnerabilities: 4 critical and 39 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Active Directory Domain Services Elevation of Privilege Vulnerability — CVE-2022-26923

Windows 10 version 20H2, 21H1 and 21H2: 44 vulnerabilities: 4 critical and 40 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Active Directory Domain Services Elevation of Privilege Vulnerability — CVE-2022-26923

Windows 11: 44 vulnerabilities: 5 critical and 39 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Active Directory Domain Services Elevation of Privilege Vulnerability — CVE-2022-26923

Windows Network File System Remote Code Execution Vulnerability — CVE-2022-26937

Remote Desktop Client Remote Code Execution Vulnerability — CVE-2022-22017

Windows Server family.

Windows Server 2008 R2 (extended support only): 28 vulnerabilities: 3 critical and 25 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Windows Server 2012 R2: 44 vulnerabilities: 5 critical and 39 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Active Directory Domain Services Elevation of Privilege Vulnerability — CVE-2022-26923

Windows Network File System Remote Code Execution Vulnerability — CVE-2022-26937

Windows Server 2016: 51 vulnerabilities: 5 critical and 46 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Active Directory Domain Services Elevation of Privilege Vulnerability — CVE-2022-26923

Windows Network File System Remote Code Execution Vulnerability — CVE-2022-26937

Windows Server 2019: 56 vulnerabilities: 5 critical and 51 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Active Directory Domain Services Elevation of Privilege Vulnerability — CVE-2022-26923

Windows Network File System Remote Code Execution Vulnerability — CVE-2022-26937

Windows Server 2022: 55 vulnerabilities: 6 critical and 49 important

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-21972

Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability — CVE-2022-23270

Windows Kerberos Elevation of Privilege Vulnerability — CVE-2022-26931

Active Directory Domain Services Elevation of Privilege Vulnerability — CVE-2022-26923

Windows Network File System Remote Code Execution Vulnerability — CVE-2022-26937

Remote Desktop Client Remote Code Execution Vulnerability — CVE-2022-22017

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-26925 | Windows LSA Spoofing Vulnerability | Important | 8.1 | Yes | Yes | Spoofing |
| CVE-2022-29972 | Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver | Critical | N/A | Yes | No | RCE |
| CVE-2022-22713 | Windows Hyper-V Denial of Service Vulnerability | Important | 5.6 | Yes | No | DoS |
| CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2022-21972 | Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-23270 | Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-22017 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-26931 | Windows Kerberos Elevation of Privilege Vulnerability | Critical | 7.5 | No | No | EoP |
| CVE-2022-26937 | Windows Network File System Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-23267 | .NET and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-29117 | .NET and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-29145 | .NET and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-29127 | BitLocker Security Feature Bypass Vulnerability | Important | 4.2 | No | No | SFB |
| CVE-2022-29109 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-29110 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21978 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 8.2 | No | No | EoP |
| CVE-2022-29107 | Microsoft Office Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
| CVE-2022-29108 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-29105 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-26940 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-22019 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-26932 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 8.2 | No | No | EoP |
| CVE-2022-26938 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-26939 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-29126 | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-30129 | Visual Studio Code Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-29148 | | | | | | |