URL: https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/
MICROSOFT ZERO-DAYS, WORMABLE BUGS SPARK CONCERN

Author: Tara Seals
April 12, 2022 4:00 pm
For April Patch Tuesday, the computing giant addressed a zero-day under active
attack and several critical security vulnerabilities, including three that allow
self-propagating exploits.

Microsoft has released patches for 128 security vulnerabilities for its April
2022 monthly scheduled update – ten of them rated critical (including three
wormable code-execution bugs that require no user interaction to exploit).

There are also two important-rated zero-days that allow privilege escalation,
including one listed as under active exploit.

The bugs in the update are found across the portfolio, including in Microsoft
Windows and Windows Components, Microsoft Defender and Defender for Endpoint,
Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and
Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for
Business, .NET and Visual Studio, Windows App Store and Windows Print Spooler
Components.



“This large volume of patches hasn’t been seen since the fall of 2020. However,
this level is similar to what we saw in the first quarter of last year,” Dustin
Childs, researcher at Trend Micro’s Zero Day Initiative, said in a blog breaking
down the fixes.


ZERO-DAY PATCHES

The vulnerability that’s been exploited in the wild ahead of patching allows
privilege escalation, and is tracked as CVE-2022-24521. It rates 7.8 out of 10
on the CVSS vulnerability-severity scale. It’s listed as a “Windows Common Log
File System Driver Execution Vulnerability,” and was reported to Microsoft by
the National Security Agency.

“It’s not stated how widely the exploit is being used in the wild, but it’s
likely still targeted at this point and not broadly available,” Childs noted.
“Go patch your systems before that situation changes.”

Researchers noted that attackers are likely pairing it with a separate
code-execution bug in their campaigns. For that reason, Immersive Labs’ Kevin
Breen, director of cyber-threat research, places the actively exploited bug at
the top of the priority list for patching.

“Being the type of vulnerability for escalating privileges, this would indicate
a threat actor is currently using it to aid lateral movement to capitalize on a
pre-existing foothold,” he explained.

The second zero-day is found in the Windows User Profile Service, and is tracked
as CVE-2022-26904.

It also allows privilege escalation, and rates a CVSS score of 7. Even though
it’s listed as exploitation more likely, it has a high attack complexity,
Microsoft noted in its advisory, because “successful exploitation of this
vulnerability requires an attacker to win a race condition.”

Even so, researchers at Tripwire noted that exploit code is available for the
bug, including in the Metasploit framework.


CRITICAL CONCERNS FOR APRIL

Among the critical flaws, all of which allow remote code execution (RCE),
researchers flagged CVE-2022-26809, a bug that could enable self-propagating
exploits, as the most concerning.

It exists in the Remote Procedure Call (RPC) Runtime Library, and rates 9.8 out
of 10 on the CVSS scale, with exploitation noted as more likely. If exploited, a
remote attacker could execute code with high privileges.

Danny Kim, principal architect at Virsec, noted that the vulnerability is
specifically found in Microsoft’s Server Message Block (SMB) functionality,
which is used primarily for file-sharing and inter-process communication,
including Remote Procedure Calls. RPC is a communication mechanism that allows
for one program to request a service or functionality from another program
located on the network (internet and/or intranet). RPCs can be used in
technologies like storage replica or managing shared volumes.

“This vulnerability is another example of an attacker taking advantage of
legitimate functionality for malicious gain,” he said via email. “Using the
vulnerability, an attacker can create a specially crafted RPC to execute code on
the remote server with the same permissions as the RPC service.”

The bug could be used to create especially virulent threats, according to
Childs.

“Since no user interaction is required, these factors combine to make this
wormable, at least between machines where RPC can be reached,” Childs noted.

Microsoft recommends configuring firewall rules to help prevent this
vulnerability from being exploited; the static port used (TCP port 135) can be
blocked at the network perimeter.

“Still, this bug could be used for lateral movement by an attacker,” Childs
warned. “Definitely test and deploy this one quickly.”

Next up are CVE-2022-24491 and CVE-2022-24497, two RCE bugs that affect the
Windows Network File System (NFS). Both also have CVSS scores of 9.8, and both
are listed as exploitation more likely. They also allow the potential for
worming exploits, Childs warned.

“On systems where the NFS role is enabled, a remote attacker could execute their
code on an affected system with high privileges and without user interaction,”
Childs explained. “Again, that adds up to a wormable bug – at least between NFS
servers. Similar to RPC, this is often blocked at the network perimeter.”

Immersive’s Breen added, “These could be the kind of vulnerabilities which
appeal to ransomware operators as they provide the potential to expose critical
data. It is also important for security teams to note that NFS Role is not a
default configuration for Windows devices.”

The remaining critical vulnerabilities are as follows:

 * CVE-2022-23259: Microsoft Dynamics 365 (on-premises) (CVSS 8.8)
 * CVE-2022-22008: Windows Hyper-V (CVSS 7.7)
 * CVE-2022-23257: Windows Hyper-V (CVSS 8.6)
 * CVE-2022-24537: Windows Hyper-V (CVSS 7.7)
 * CVE-2022-26919: Windows LDAP (CVSS 8.1)
 * CVE-2022-24541: Windows Server (CVSS 8.8)
 * CVE-2022-24500: Windows SMB (CVSS 8.8)


OTHER BUGS OF NOTE

Also worth mentioning: Out of a whopping 18 bugs found in the Windows Domain
Name Server (DNS), one (CVE-2022-26815) allows RCE and is listed as important,
with a CVSS score of 7.2.

Microsoft noted that while attack complexity is low, “the attacker or targeted
user would need specific elevated privileges [for successful exploitation]. As
is best practice, regular validation and audits of administrative groups should
be conducted.”

Meanwhile, “there are a couple of important mitigations to point out here,”
Childs noted. “The first is that dynamic updates must be enabled for a server to
be affected by this bug. The CVSS also lists some level of privileges to
exploit. Still, any chance of an attacker getting RCE on a DNS server is one too
many, so get your DNS servers patched.”
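The three mitigating conditions the article raises (the RPC endpoint-mapper port TCP 135 being blockable at the perimeter, the NFS role not being installed by default, and a DNS server only being affected when dynamic updates are enabled) can be checked from an elevated PowerShell session on Windows Server. The following script is an added example and is not code from Threatpost, Microsoft or the researchers quoted; it assumes the ServerManager, DnsServer and NetSecurity modules are present, and the rule name `Example-Block-Inbound-RPC-135` is a hypothetical placeholder. The only change it can make, staging a firewall rule, is run with `-WhatIf`.

```powershell
# Added example (not from the article): read-only exposure check for the
# mitigations named for CVE-2022-26809 (RPC), CVE-2022-24491/24497 (NFS) and
# CVE-2022-26815 (DNS). Requires an elevated session on Windows Server with the
# ServerManager, DnsServer and NetSecurity modules available.
$PerimeterRuleName = 'Example-Block-Inbound-RPC-135'   # hypothetical rule name

function Test-NfsRoleInstalled {
    # The article notes the NFS role is not a default configuration; only hosts
    # with Server for NFS installed are exposed to the two NFS RCE bugs.
    $feature = Get-WindowsFeature -Name 'FS-NFS-Service' -ErrorAction SilentlyContinue
    if ($null -eq $feature) { return 'Unknown (ServerManager module not available)' }
    return $feature.Installed
}

function Get-DynamicUpdateZones {
    # Per Childs, dynamic updates must be enabled for a server to be affected by
    # CVE-2022-26815, so list the zones that accept them (secure or nonsecure).
    $zones = Get-DnsServerZone -ErrorAction SilentlyContinue
    if ($null -eq $zones) { return @() }
    return $zones |
        Where-Object { -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'None' } |
        Select-Object ZoneName, ZoneType, DynamicUpdate
}

function Test-RpcEndpointMapperExposure {
    # TCP 135 is the static RPC port the article says can be blocked at the
    # perimeter: report whether it is listening and whether a block rule exists.
    $listening = [bool](Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue)
    $rule = Get-NetFirewallRule -DisplayName $PerimeterRuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port135Listening = $listening
        BlockRulePresent = [bool]$rule
    }
}

function New-PerimeterRpcBlockRule {
    # Stages (with -WhatIf) an inbound block of TCP 135 from Internet addresses.
    # Blocking 135 between domain-joined hosts breaks legitimate RPC, which is
    # why the article places this control at the network perimeter rather than
    # on every machine. Remove -WhatIf only on an edge host that should never
    # accept RPC from the Internet.
    New-NetFirewallRule -DisplayName $PerimeterRuleName `
        -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block `
        -RemoteAddress 'Internet' -Profile Any -WhatIf
}

# Summary report for the host this runs on.
[pscustomobject]@{
    NfsServerRoleInstalled          = Test-NfsRoleInstalled
    DnsZonesAcceptingDynamicUpdates = (Get-DynamicUpdateZones | ForEach-Object ZoneName) -join ', '
    RpcPort135                      = Test-RpcEndpointMapperExposure
} | Format-List

New-PerimeterRpcBlockRule
```

None of these checks replaces installing the April updates; they only tell a defender which of the article's conditional exposures (NFS role present, dynamic updates enabled, TCP 135 reachable) apply to a given server, so patch order can be prioritized accordingly.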
