[BreachExchange] April Records First Patch Tuesday of 2022 with 100+ CVEs

Matthew Wheeler mwheeler at flashpoint-intel.com
Wed Apr 13 08:41:16 EDT 2022


https://www.infosecurity-magazine.com/news/april-records-first-patch-tuesday/

Sysadmins will have a busy time ahead after Microsoft published fixes for
over 100 CVEs this month, including two zero-day bugs.

April’s Patch Tuesday saw patches released for 119 vulnerabilities in total.

The first of the two publicly disclosed prior to Tuesday was CVE-2022-24521,
a bug in the Windows Common Log File System Driver (CLFS) reported by the NSA.
Already exploited in the wild, the vulnerability has a CVSS score of 7.8
and could allow privilege escalation.

The CLFS has a history of vulnerabilities, according to Tyler Reguly,
manager of security R&D at Tripwire.

“CLFS is a general purpose logging service that can be used by both user
and kernel-mode software,” he explained.

“Patches have been released for CLFS monthly since September 2021 with only
one exception – November 2021. From September 2021 until today, we have
seen 18 vulnerabilities patched within CLFS.”

Also publicly disclosed was CVE-2022-26904, a bug in Windows User Profile
Service that could lead to the elevation of privilege if successfully
exploited.

“Microsoft has listed the attack complexity as high given that it relies on
a race condition, however exploit code is already publicly available,
including in the Metasploit framework,” said Reguly.

Elsewhere, Windows Network File System (NFS) remote code execution (RCE)
vulnerabilities CVE-2022-24491 and CVE-2022-24497 are worth addressing,
according to Kev Breen, director of cyber threat research at Immersive Labs.

“These could be the kind of vulnerabilities which appeal to ransomware
operators as they provide the potential to expose critical data. It is also
important for security teams to note that NFS Role is not a default
configuration for Windows devices,” he explained.
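Since the NFS server role is not installed by default, the practical first step for a
defender is to find out which hosts actually carry it before prioritising the NFS
patches. The following PowerShell check is an added example, not code from the article
or from any of the quoted vendors; it assumes a Windows Server host with the
ServerManager module available, and uses FS-NFS-Service, the standard feature name for
"Server for NFS". The article does not list the KB identifiers for the April 2022
updates, so the hotfix inventory filters by install date rather than by a specific KB.

```powershell
# Added example: is the Windows NFS server role present on this host?
# Assumes Windows Server with the ServerManager module (Get-WindowsFeature).
Import-Module ServerManager

$nfs = Get-WindowsFeature -Name FS-NFS-Service
if ($nfs.Installed) {
    Write-Output "Server for NFS is installed: prioritise the April 2022 NFS patches on this host."
} else {
    Write-Output "Server for NFS is not installed (not a default role); the NFS RCE issues do not apply here."
}

# Hotfix inventory for this patch cycle. The article gives no KB numbers, so
# filter on install date (Patch Tuesday was 12 April 2022) instead of a KB id.
# Note: InstalledOn is empty for some entries; those are excluded by the comparison.
Get-HotFix |
    Where-Object { $_.InstalledOn -ge [datetime]'2022-04-12' } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn
```

Run it from an elevated prompt; Get-WindowsFeature is only available on Windows Server, so on client editions the role check will fail while the Get-HotFix inventory still works.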

Microsoft also released patches for an additional 26 CVEs in its Edge
browser.

This will be one of the last Patch Tuesday update rounds for many customers
after Microsoft last week announced “Autopatch,” a new managed service
designed to streamline the product update process for Windows 10/11
Enterprise E3 users.