Adrian Borlea
In this article:

Microsoft's April 2022 Patch Tuesday: zero-day vulnerabilities, critical CVEs and wormable bugs.

Microsoft has released updates to fix roughly 120 security vulnerabilities in its Windows Operating systems and other software for the April Patch Tuesday. From the CVEs addressed, two are ranked as important zero-days, including CVE-2022-24521, which is under active exploitation. 

The zero-day vulnerabilities resolved in this update are: 

  • CVE-2022-26904: This known zero-day flaw impacts the Windows User Profile Service, that’s why it’s considered an Elevation of Privilege (EoP) vulnerability. The bug has been issued a CVSS severity score of 7.0 and its attack complexity is considered 'high', as "successful exploitation of this vulnerability requires an attacker to win a race condition," according to Microsoft.
  • CVE-2022-24521: This bug is another EoP issue found in the Windows Common Log File System Driver. Issued a CVSS score of 7.8, Microsoft says that attack complexity is low and the company has detected active exploitation, despite the flaw not being made public until now.  

Two other security issues CVE-2022-26809 and CVE-2022-24491 have earned CVSS scores of 9.8 impacting Remote Procedure Call Runtime and the Windows Network File System:

  • CVE-2022-26809 – a Windows Remote Procedure Call Runtime Remote Code Execution vulnerability. It affects almost every Windows OS and Microsoft has it listed as more likely to be exploited. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. TCP port 445 is used to initiate a connection with the affected component. And some quick Shodan scans showed that millions of systems have that port open. More details on this vulnerability can be found here 
  • CVE-2022-24491 – a Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.

Another list of vulnerabilities affecting Windows DNS Server received patches – CVE-2022-26815, CVE-2022-26814 and CVE-2022-26817. All are ranked as important so we recommend prioritizing patching your DNS servers.   

At Runecast we keep you updated about the latest vulnerabilities, exploits and security research. We pride ourselves on responding quickly and decisively to news like this.

Meet other Runecasters here:

Try Runecast

For testing (proof-of-concept or demonstration installation), a trial version is offered that performs a complete analysis but shows limited results.

Request a trial