Microsoft fixes three zero-days, eight critical flaws in May Patch Tuesday update

One zero-day is being actively exploited

Microsoft has released its May 2022 Patch Tuesday update, addressing a total of 75 security vulnerabilities, including three zero-days.

In addition to these bugs, Microsoft also fixed 36 security holes in its Chromium-based Edge browser on 28 April.

Of all the flaws addressed this month, eight are classified as 'Critical' in that they could allow a malicious actor to remotely execute code or achieve privilege elevation on a vulnerable machine. Sixty-six vulnerabilities are rated 'Important', while one is 'Low' in severity.

Products impacted by this month's security update include the Windows OS and many of its components; Office and its components; the .NET and Visual Studio platforms; Exchange Server; BitLocker; Remote Desktop Client; and NTFS.

The May security update includes patches for 26 remote code execution (RCE) vulnerabilities, 21 elevation of privilege (EoP) bugs, 17 information disclosure bugs, six denial of service bugs, four security feature bypass bugs and one spoofing vulnerability.

Actively exploited

Among the most serious of the patched bugs is CVE-2022-26925, a zero-day with a CVSS score of 8.1. This spoofing bug affects the Windows Local Security Authority (LSA), a secured subsystem that authenticates and logs users onto the local system, according to Microsoft. It is being actively exploited, making patching a priority.

"Domain Controllers should be patched on a priority basis" (Greg Wiseman, Rapid7)

The flaw is 'Important' in severity and could allow a malicious actor to "call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM."

While this vulnerability has been assigned an 8.1 CVSS score, Microsoft noted that the severity score would increase to 9.8 if the flaw is paired with NTLM relay attacks.

"This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution (RCE)," said Greg Wiseman, lead product manager at Rapid7, adding that the bug "affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers".
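Because the advice above is to patch Domain Controllers before other servers, a defender's first step is to find out which DCs still lack the update. The following PowerShell script is an added example, not from the article or from Microsoft: it enumerates the domain's DCs with the ActiveDirectory module and checks each one for a given KB. The KB number is a placeholder, since the article does not list the KB identifiers for the May 2022 cumulative updates; substitute the one that applies to each DC's Windows build.

```powershell
# Added example (not from the article): report which domain controllers are missing
# a given cumulative update so they can be patched first (CVE-2022-26925 guidance).
# Requires the ActiveDirectory module (RSAT) and remote RPC/WMI access to each DC.
# $RequiredKb is a PLACEHOLDER: replace it with the real May 2022 KB for your build.

$RequiredKb = 'KB0000000'   # placeholder, the article does not give the KB number

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Get-HotFix writes an error when the KB is absent; -ErrorAction Stop turns it into a catchable exception.
        $fix = Get-HotFix -Id $RequiredKb -ComputerName $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            OS          = $dc.OperatingSystem
            Patched     = $true
            Detail      = $fix.InstalledOn
        }
    }
    catch {
        # Distinguish "patch missing" from "host unreachable" so the report is not misleading.
        $reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
        [pscustomobject]@{
            DC          = $dc.HostName
            OS          = $dc.OperatingSystem
            Patched     = $false
            Detail      = if ($reachable) { 'update not installed' } else { 'unreachable' }
        }
    }
}

# Unpatched DCs sort to the top so they can be scheduled first.
$report | Sort-Object Patched, DC | Format-Table -AutoSize
```

Run it from an elevated session on a management host with RSAT installed. Because DCs in one forest often run different Windows builds, and each build has its own cumulative update KB, extend the placeholder into a build-to-KB lookup if the environment is mixed.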

Azure bugs

The two other publicly known vulnerabilities fixed by Microsoft are CVE-2022-29972 (CVSS score: 8.2) and CVE-2022-22713 (CVSS score: 5.6).

CVE-2022-29972 affects Azure Data Factory and Azure Synapse Pipelines. According to Microsoft, it was discovered in the third-party ODBC data connector used to connect to Amazon Redshift in the Integration Runtime (IR) of Azure Synapse Pipelines and Azure Data Factory.

An attacker might use this bug to run remote commands across Integration Runtimes.

CVE-2022-22713 is a denial-of-service issue that affects Hyper-V servers running relatively recent Windows versions (20H2 and later).

Critical RCE vulnerability in Windows NFS

A critical RCE vulnerability fixed this month is CVE-2022-26937, which has been assigned a CVSS score of 9.8 and affects services using the Windows Network File System (NFS).

"This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE)," said Debra Fezza Reed, vulnerability and threat researcher at Qualys, adding that it is not exploitable in NFSv4.1. This threat can be mitigated temporarily by disabling NFSv2 and NFSv3 if an immediate Windows update is not possible.
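The temporary mitigation described above, disabling NFSv2 and NFSv3 while leaving NFSv4 in place, is a configuration change on the Windows NFS server itself. The script below is an added example, not code from the article, Qualys or Microsoft; it assumes the Server for NFS role is installed and uses the `Get-NfsServerConfiguration` / `Set-NfsServerConfiguration` cmdlets and the `nfsadmin` tool that ship with that role.

```powershell
# Added example (not from the article): temporary mitigation for CVE-2022-26937
# when the May 2022 update cannot be applied immediately. Run in an elevated
# PowerShell session on the NFS server. Assumes the Server for NFS role is installed.

# Record the current state so the change can be reverted once the server is patched.
$before = Get-NfsServerConfiguration
"Before: NFSv2={0} NFSv3={1} NFSv4={2}" -f $before.EnableNFSV2, $before.EnableNFSV3, $before.EnableNFSV4

# Disable the affected NFSv2 and NFSv3 listeners; NFSv4.1 is not affected and stays enabled.
Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false

# The protocol-version change takes effect after the NFS server service is restarted.
nfsadmin server stop
nfsadmin server start

# Verify that only NFSv4 remains active.
$after = Get-NfsServerConfiguration
if ($after.EnableNFSV2 -or $after.EnableNFSV3) {
    Write-Warning "NFSv2/NFSv3 are still enabled; re-check the configuration and service restart."
}
elseif (-not $after.EnableNFSV4) {
    Write-Warning "NFSv4 is disabled as well; clients will have no protocol left to use."
}
else {
    "NFSv2 and NFSv3 disabled; NFSv4 remains enabled. Re-enable v2/v3 with -EnableNFSV2/-EnableNFSV3 `$true after patching if clients still require them."
}
```

Before running this in production, inventory which clients mount shares from the server: any client that only speaks NFSv2 or NFSv3 loses access until it is reconfigured for NFSv4 or the patch is applied and the older versions are re-enabled.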

Other RCE bugs patched by Microsoft this month include flaws in Windows Graphics (CVE-2022-26927), Windows LDAP (CVE-2022-22012, CVE-2022-29130), Windows Kernel (CVE-2022-29133), Visual Studio Code (CVE-2022-30129) and Remote Procedure Call Runtime (CVE-2022-22019).