Microsoft's massive 145-vulnerability Patch Tuesday fixes ten critical exploits

Microsoft has patched considerably more than 100 security vulnerabilities this week, as part of its monthly ‘Patch Tuesday’, including ten rated ‘critical’.

The 145 now-fixed vulnerabilities were dominated by privilege escalation flaws and remote code execution (RCE) vulnerabilities, a total of 55 and 47 respectively. Denial of service, information disclosure, and spoofing flaws comprised the majority of the remainder.

Of the ten critical-rated vulnerabilities, three of them scored nearly maximum marks (9.8), representing a serious threat to organisations.

All three 9.8-rated vulnerabilities are RCE flaws that require a low degree of attack complexity in order to exploit, two of which are wormable, according to Zero Day Initiative (ZDI).

The first of the two wormable flaws is CVE-2022-26809, a flaw that could allow an attacker to execute arbitrary code on a machine with high privileges. The static port used in this exploit (TCP port 135) is usually blocked at the network perimeter, ZDI said, but it’s still a highly dangerous vulnerability that should be patched swiftly.

The second wormable attack can be exploited through a combination of two vulnerabilities amounting to a critical rating, both affecting the Windows Network File System (NFS) and tracked as CVE-2022-24491 and CVE-2022-24497.

“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction,” said ZDI. “Again, that adds up to a wormable bug – at least between NFS servers.

“Similar to RPC, this is often blocked at the network perimeter. However, Microsoft does provide guidance on how the RPC port multiplexer (port 2049) ‘is firewall-friendly and simplifies deployment of NFS.’ Check your installations and roll out these patches rapidly.”

Another of the more notable vulnerabilities was CVE-2022-26904. Found jointly by CrowdStrike and the US National Security Agency, it’s a privilege escalation issue that can be exploited if an attacker can win a race condition.

Microsoft categorised the flaw as ‘high’ complexity in order to exploit it and there is functional proof-of-concept (PoC) code available that works in most situations where the vulnerability exists, it said.

Its CVSS v3 score is comparatively lower than the aforementioned critical vulnerabilities, scoring 7.0, but ZDI also noted that there is a functional Metasploit module also available for CVE-2022-26904. This means the widely abused penetration testing software now has pre-built functionality to exploit the security vulnerability, making attacks easier for cyber criminals.

As with all security vulnerabilities and especially zero-day exploits, businesses are urged to apply the patches as soon as possible to prevent cyber attacks and potential data loss. Now that these vulnerabilities are published, prospective attackers can analyse the exploit methodology and use it to their advantage.

“With so many vulnerabilities to manage, it can be difficult to prioritise,” said Greg Wiseman, Lead Product Manager at Rapid7 to IT Pro. “Thankfully, most of this month’s CVEs can be addressed by patching the core operating system.

"Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems. The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter – victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won’t help much if the malicious system was set up within the perimeter.”

Full details of this week's round of patches can be found in Microsoft's detailed rundown.