It's back, it's big, and it's bad. April Patch Tuesday brings 145 vulnerability fixes from Microsoft -- the highest number in 19 months -- including a trio of remote code execution (RCE) vulnerabilities in Hyper-V and a brace of critical (CVSS 9.8) bugs in the Windows Network File System. One of the bugs was reported by the NSA and is under active attack. With adversaries getting ever-faster* at reverse engineering patches, working out what the vulnerability was and exploiting it before many IT teams have had their coffee, prompt patching as ever is king.
A striking 36 of the new CVEs were reported by Chinese cybersecurity company Cyber Kunlun, across DNS Server, SMB, RPC, Hyper-V and beyond, including 50% of the 10 critical new Microsoft vulnerabilities (A team from Cyber Kunlun also won the Tianfu Cup hacking contest in late 2021. The company's CTO, identifying themselves only as @mj0011 told The Stack that their team had been working closely together since 2014 "not only on Windows vulnerabilities but also iOS/Google products/open source products/VMware products…etc." adding that "I think one of key to a good research team is [being] flexible and supportive to members like Google Project Zero.")
*Last week was a good example: it took Positive Technologies less than 24 hours to reproduce an exploit for the pre-auth RCE vulnerability (CVE-2022-22954) in VMware Workspace ONE Access after its patch.
April Patch Tuesday 2022: What to look out for
Among the vulnerabilities listed as "exploitation detected" are CVE-2022-24521 -- an elevation of privilege (EOP) vulnerability in the Windows common log file system driver. A swath of Windows Server and desktop versions are vulnerable and while it requires local access (EOP, doh!) it requires no user interaction to exploit. This was reported by the National Security Agency (NSA) and Crowdstrike's Adam Podlosky and Amir Bazine.
An RPC runtime (which underpins many Windows client/server applications) library RCE vulnerability, CVE-2022-26809, gets a high CVSS score of 9.8 and the annotation that exploitation is "more likely". The vulnerability, reported by Cyber Kunlun, could allow a remote attacker to executed code at high privileges on an affected system. Nearly a million services appear to be publicly exposed.
As the Zero Day Initiative (ZDI) notes in its own April Patch Tuesday write-up: "Since no user interaction is required, these factors combine to make this wormable, at least between machine where RPC can be reached... this bug could be used for lateral movement by an attacker. Definitely test and deploy this one quickly."
An EOP vulnerability, CVE-2022-26904 is publicly known with both a proof-of-concept (POC) and a Metasploit module already out in the wild. The bug gives code execution at SYSTEM level on affected systems once they have a foot in the door which is why, ZDI notes, "these types of bugs are often paired with code execution bugs" like a string of CVEs fixed by Adobe today (which patched 70 CVEs across Acrobat, Reader, Photoshop and beyond.)
In short, April Patch Tuesday was a minor blockbuster after a generally quite series of Patch Tuesday so far in 2022 and many will need prompt attention by security teams (if you have them) and IT if you don't.
Microsoft meanwhile says it is rolling out Windows Autopatch to enterprise customers on enterprise E3 and upward contracts in July 2022, Microsoft says in an FAQ (across Windows 10 and 11 but not Server).
Microsoft says that "updates are applied to a small initial set of devices, evaluated, and then graduated to increasingly larger sets, with an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to assure that registered devices are always up to date and disruption to business operations is minimized, which will free an IT department from that ongoing task... If an issue is encountered, the Autopatch service can be paused by the customer or the service itself.
"When applicable, a rollback will be applied or made available."