
Emerging Threats

Microsoft RCE — April 2022 patches

frtg · 3 min read

As is customary on the second Tuesday of every month, Microsoft has released its set of security updates for its operating systems and products.

This month 117 patches were issued, covering 117 distinct vulnerabilities. Of these:

  • 2 are already being exploited in the wild (privilege escalation):
    • CVE-2022-24521
    • CVE-2022-26904
  • 3 are remote code execution flaws in the NFS and RPC services:
    • CVE-2022-26809 — RPC service (TCP port 135)
    • CVE-2022-24491 and CVE-2022-24497 — NFS service (port 2049)
  • 18 affect Windows DNS Server, the most critical being CVE-2022-26815

Cyber Attack Exposure

Public-Network Exposure

Although RPC is generally not a service intended for public-network exposure, in practice a significant number of Italian organisations are exposed (approximately 7 000 systems):

[Figure: Microsoft servers exposed to the RPC vulnerability (Microsoft RPC service, top 10 cities)]

Globally, the population of potentially affected systems is approximately 2 000 000.

Internal-Network Risks

The CVEs below are among the most critical weaponisable items in this release — they provide privilege escalation, administrative takeover, lateral movement, and arbitrary code execution primitives. Closing this exposure window cleanly across a heterogeneous Windows estate is the kind of structured patch and posture programme delivered by our Cybersecurity Advisory.

CVE-2022-24521

The flaw resides in the Windows Common Log File System (CLFS) driver and requires no user interaction to exploit. Attackers — or malicious software running with low privileges — can leverage it to obtain administrative rights on the affected host (T1068 — Exploitation for Privilege Escalation). It affects multiple Windows versions, including Windows 11.

CVE-2022-26904

This vulnerability has high attack complexity because exploitation depends on winning a race condition. A working Metasploit module is publicly available and successfully exploits the flaw — confidence: high.

CVE-2022-26809

This flaw allows an attacker to execute code with elevated privileges on the victim system. Because no user interaction is required and the RPC endpoint is reachable over the network, the vulnerability is wormable — at least between hosts that can reach each other's RPC endpoint. The static port involved (TCP 135) is generally blocked at the perimeter, but this CVE is the primary lateral-movement primitive of the April release for any attacker already inside the corporate network (T1210 — Exploitation of Remote Services).

CVE-2022-24491

Technical details are not public and no working exploit is yet available. A bounty between 25 000 and 100 000 USD has been announced for a reliable exploit — confidence: indicator preliminary, public weaponisation expected.

Security Updates

Below is the list of relevant updates required to remediate the 117 vulnerabilities released this month:

  • Microsoft Windows Server 2012 R2 (9600) — Monthly Rollup KB5012670
  • Microsoft Windows Server 2012 (9200) — KB5012666
  • Microsoft Windows Server 2022 (20348) — Security Update KB5012604
  • Microsoft Windows Server 2019 (17763) — Security Update KB5012647
  • Microsoft Windows Server 2008 R2 (7601) — Monthly Rollup KB5012626
  • Microsoft Windows Server 2016 (14393) — Security Update KB5012596
  • Microsoft Windows 10 — KB5012599, KB5012591, KB5012647
  • Microsoft Windows 7 (7601) — Monthly Rollup KB5012626
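A per-host check that ties the KB list above to the exposure discussed earlier, written as an added example for this post rather than code from the post or from Microsoft. The build-to-KB mapping is taken from the list above; the post gives no per-build mapping for its three Windows 10 KBs, so the script accepts any of them on a Windows 10 host (an assumption), and reports whether the RPC (135) and NFS (2049) listeners are active on the host.

```powershell
# Added example: does this host carry the April 2022 KB the post lists for its
# build, and are the RPC/NFS listeners the post singles out active?
$RequiredKb = @{
    '9600'  = @('KB5012670')   # Server 2012 R2, Monthly Rollup
    '9200'  = @('KB5012666')   # Server 2012
    '20348' = @('KB5012604')   # Server 2022
    '17763' = @('KB5012647')   # Server 2019
    '7601'  = @('KB5012626')   # Server 2008 R2 / Windows 7, Monthly Rollup
    '14393' = @('KB5012596')   # Server 2016
}
# The post lists these for Windows 10 without a per-build split (assumption:
# any one of them present counts as patched for this check).
$Win10Kb = @('KB5012599', 'KB5012591', 'KB5012647')

$os    = Get-CimInstance Win32_OperatingSystem
$build = [string]$os.BuildNumber
if ($RequiredKb.ContainsKey($build))        { $wanted = $RequiredKb[$build] }
elseif ($os.Caption -like '*Windows 10*')   { $wanted = $Win10Kb }
else                                        { $wanted = @() }   # build not in the post's list

$installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object HotFixID)
$patched   = @($wanted | Where-Object { $installed -contains $_ }).Count -gt 0

# Listeners for the two services the post calls out as lateral-movement primitives.
# Get-NetTCPConnection is absent on 2008 R2 / Windows 7; the check then reports $false.
$listen = @{}
foreach ($port in 135, 2049) {
    $listen[$port] = [bool](Get-NetTCPConnection -LocalPort $port -State Listen `
                             -ErrorAction SilentlyContinue)
}

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    Caption       = $os.Caption
    Build         = $build
    RequiredKb    = if ($wanted) { $wanted -join ',' } else { 'not listed in post' }
    AprilKbFound  = $patched
    Rpc135Listen  = $listen[135]
    Nfs2049Listen = $listen[2049]
    # Unpatched and listening on 135 or 2049 is the internal wormable case the post describes.
    InternalRisk  = (-not $patched) -and ($listen[135] -or $listen[2049])
}
```

Run it through Invoke-Command across the estate and filter on InternalRisk to get the list of hosts that define the patch window.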

Three RCE CVEs in the same release on services historically reachable inside the corporate perimeter — RPC and NFS — define the patch window: any host left unpatched on an internal network becomes a wormable lateral-movement primitive within hours of public exploit availability.
