Microsoft Patch Tuesday April 2022 and custom CVE comments sources in Vulristics

Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my Vulristics project. I decided to add more comment sources. Because it’s not just Tenable, Qualys, Rapid7 and ZDI make Microsoft Patch Tuesday reviews, but also other security companies and bloggers.

Alternative video link (for Russia): https://vk.com/video-149273431_456239085

You can see them in my automated security news telegram channel avleonovnews after every second Tuesday of the month. So, now you can add any links with CVE comments to Vulristics.

For April Patch Tuesday I will add these sources:

Let’s see if they highlight different sets of vulnerabilities.

$ cat comments_links.txt
Qualys|April 2022 Patch Tuesday: Microsoft Releases 145 Vulnerabilities with 10 Critical; Adobe Releases 4 Advisories, 78 Vulnerabilities with 51 Critical.|https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday
ZDI|THE APRIL 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review
Kaspersky|A bunch of vulnerabilities in Windows, one already exploited|https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/
KrebsOnSecurity|Microsoft Patch Tuesday, April 2022 Edition|https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/
ComputerWeekly|Microsoft patches two zero-days, 10 critical bugs|https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs
TheHackersNews|Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities|https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html
Threatpost|Microsoft Zero-Days, Wormable Bugs Spark Concern|https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/

I have also added links to Qualys and ZDI blogposts. Qualys didn’t fix their blog search (apparently no one uses it). ZDI don’t have a blog search, and duckduckgo stopped indexing them properly.

In addition, Tenable closed access to their tenable.com. This is rather ironic considering that Russian Tenable Security Day took place on February 10, 2022, just two months ago. I participated in it. It was a formal event with Tenable’s EMEA CTO and Regional Manager. And now we are not talking about any support, updates and licenses for Russian companies and individuals, but even about access to the Tenable website. This is how the situation can change rapidly, if you trust Western vendors. Try not to do this.

But in any case, you can still use the Tenable blog as a source of comments about Patch Tuesday vulnerabilities. I have added socks proxy support to Vulristics.

vulners_key = "SFKJKEWRID2JFIJ...AAK3DHKSJD"
proxies = {
    'http': "socks5://<host>:<port>",
    'https': "socks5://<host>:<port>"
}

I run the command like this:

$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "April" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"

Just like last month, I’m taking into account not only the vulnerabilities published on April 11 (117 CVEs), but also all the vulnerabilities since last Patch Tuesday (40 CVEs). There are a total of 157 CVEs in the report.

MS PT Year: 2022
MS PT Month: April
MS PT Date: 2022-04-12
MS PT CVEs found: 117
Ext MS PT Date from: 2022-03-09
Ext MS PT Date to: 2022-04-11
Ext MS PT CVEs found: 40
ALL MS PT CVEs: 157

• Critical: 5
• High: 51
• Medium: 91
• Low: 10

Let’s start with the critical ones:

• Elevation of Privilege – Windows Common Log File System Driver (CVE-2022-24521). Exploitation in the wild is mentioned in AttackerKB and Microsoft. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Functional Exploit). Since this vulnerability only allows a privilege escalation, it is likely paired with a separate code execution bug. This vulnerability was reported by the US National Security Agency.
• Remote Code Execution – Remote Procedure Call Runtime (CVE-2022-26809). An unauthenticated, remote attacker could exploit this vulnerability by sending “a specially crafted RPC call to an RPC host.” The vulnerability could allow a remote attacker to execute code at high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between machine where RPC can be reached. A proof of concept of this vulnerability is available on giithub. Other RCEs in RPC (CVE-2022-24492, CVE-2022-24528) were also classified as Critical, but this is due to misattribution of exploits. The only exploitable is CVE-2022-26809.
• Remote Code Execution – Microsoft Edge (CVE-2022-1096). In Vulristics report it was detected as Unknown Vulnerability Type because it’s impossible to detect vulnerability type by description. “This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2022-1096 exists in the wild.” In fact it is a well-known 0day RCE in Chrome, that affected all other Chromium-based browsers. Exploitation in the wild is mentioned in AttackerKB. The Vulristics report states that “Public exploit is found at Vulners”. However, it’s just a “Powershell script that dumps Chrome and Edge version to a text file in order to determine if you need to update due to CVE-2022-1096”. Yes, it is difficult to determine what exactly was uploaded on github.

Now let’s see the most interesting vulnerabilities with the High level.

• Elevation of Privilege – Windows User Profile Service (CVE-2022-26904).  This vulnerability supposed to have been fixed in the August 2021 update, when it was tracked as CVE-2021-34484. However, the researcher who discovered it later discovered a bypass, and then when that was fixed again in January, he went and bypassed it a second time. Not only is PoC out there for it, there’s a Metasploit module as well. This privilege escalation vulnerability allows an attacker to gain code execution at SYSTEM level on affected systems. The vulnerability relies on winning a race condition, which can be tricky to reliably achieve.
• Information Disclosure – Windows Kernel (CVE-2022-24483). Little is known about this vulnerability and no one has highlighted this vulnerability, but there is a PoC for it on github.
• Remote Code Execution – Windows DNS Server (CVE-2022-26812, CVE-2022-26814, CVE-2022-26829). Also, no one highlighted this vulnerability. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Proof-of-Concept Exploit). There were 18(!) DNS Server bugs receiving patches this month.

For the remaining vulnerabilities, there is neither a sign of exploitation in the wild, nor a sign of a public exploit. Let’s see the most interesting ones.

• Remote Code Execution – Windows SMB (CVE-2022-24500). This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. Exploitability Assessment: Exploitation Less Likely. Remote Code Execution – Windows Kernel (CVE-2022-24541)  is actually a similar SMB vulnerability as well.
• Remote Code Execution – Windows Network File System (CVE-2022-24491, CVE-2022-24497). An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: This vulnerability is only exploitable for systems that have the NFS role enabled. Exploitability Assessment: Exploitation More Likely.

As you can see, additional sources of comments actually repeat everything that ZDI, Qualys, Rapid7 and Tenable highlight, but sometimes they add interesting details about vulnerabilities.

The full report is available: ms_patch_tuesday_april2022_report