Microsoft Patch Tuesday Summary

Microsoft has fixed 145 vulnerabilities, including 17 Microsoft Edge vulnerabilities, in the April 2022 update, with ten (10) classified as Critical as they allow Remote Code Execution (RCE). This month's Patch Tuesday release includes fixes for two (2) zero-day vulnerabilities as well, one (1) known to be actively exploited (CVE-2022-24521) and the other to be publicly exposed (CVE-2022-26904).

Microsoft has fixed several problems in their software, including Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, and Spoofing vulnerabilities.

Notable Microsoft Vulnerabilities Patched

This month's advisory covers multiple Microsoft products, including, but not limited to, Azure, Browser (Edge - Chromium), Developer Tools, ESU, Microsoft Dynamics, Microsoft Office, SQL Server, System Center, and Windows.

CVE-2022-23259 - Microsoft Dynamics 365 (on-premises) Remote Code Execution (RCE) Vulnerability

This vulnerability has a CVSSv3.1 score of 8.8/10.

An authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there the attacker could escalate and execute commands as db_owner within their Dynamics 356 database.

Exploitability Assessment: Exploitation Less Likely.

CVE-2022-24491 and CVE-2022-24497 - Windows Network File System Remote Code Execution (RCE) Vulnerability

This vulnerability has a CVSSv3.1 score of 9.8/10.

An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: This vulnerability is only exploitable for systems that have the NFS role enabled.

Exploitability Assessment: Exploitation More Likely.

CVE-2022-24500 - Windows SMB Remote Code Execution (RCE) Vulnerability

This vulnerability has a CVSSv3.1 score of 8.8/10.

This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. For vulnerability to be exploited, a user would need to access a malicious SMB server to retrieve some data as part of an OS API call. Microsoft offers mitigations for this vulnerability, Block TCP port 445 at the enterprise perimeter firewall, and follow Microsoft guidelines to secure SMB traffic.

Exploitability Assessment: Exploitation Less Likely.

CVE-2022-24541 - Windows Server Service Remote Code Execution (RCE) Vulnerability

This vulnerability has a CVSSv3.1 score of 8.8/10.

This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Microsoft offers mitigations for this vulnerability, Block TCP port 445 at the enterprise perimeter firewall, and follow Microsoft guidelines to secure SMB traffic.

Exploitability Assessment: Exploitation Less Likely.

CVE-2022-26809 - Remote Procedure Call (RPC) Runtime Remote Code Execution (RCE) Vulnerability

This vulnerability has a CVSSv3.1 score of 9.8/10.

To exploit this vulnerability, an attacker would need to send a specially crafted Remote Procedure Call (RPC) to an RPC host. This could result in remote code execution (RCE) on the server side with the same permissions as the RPC service. Microsoft offers mitigations for this vulnerability, Block TCP port 445 at the enterprise perimeter firewall, and follow Microsoft guidelines to secure SMB traffic.

Exploitability Assessment: Exploitation More Likely.

Notable Adobe Vulnerabilities Patched

Adobe released updates to fix 78 CVEs affecting Acrobat, Acrobat Reader, Adobe After Effects, Adobe Commerce, Magento Open Source, and Photoshop. Of these 78 vulnerabilities, 51 are treated as Critical.

APSB22-13 : Security update available for Adobe Commerce | APSB22-13

This update resolves an Critical vulnerability and addresses 1 CVEs. Adobe Priority: 3

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves a critical Arbitrary code execution vulnerability. Successful exploitation could lead to arbitrary code execution.

APSB22-16 : Security update available for Adobe Acrobat and Reader | APSB22-16

This update resolves multiple Critical, Important and Moderate vulnerabilities and addresses 62 CVEs. Adobe Priority: 2

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. Successful exploitation could lead to arbitrary code execution, memory leak, security feature bypass and privilege escalation.

APSB22-19 :Security Updates Available for Adobe After Effects | APSB22-19

This update addresses Critical security vulnerabilities and addresses 2 CVEs. Adobe Priority: 3

Adobe has released an update for Adobe After Effects for Windows and macOS. Successful exploitation could lead to arbitrary code execution in the context of the current user.

APSB22-20 :Security update available for Adobe Photoshop | APSB22-20

This update addresses Critical security vulnerabilities and addresses 13 CVEs. Adobe Priority: 3

Adobe has released an update for Photoshop for Windows and macOS. Successful exploitation could lead to arbitrary code execution.

About Qualys Patch Tuesday

Qualys Patch Tuesday QIDs are published as Security Alerts, typically, late in the evening on the day of Patch Tuesday, followed later by the publication of the monthly queries for the Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard by Noon on Wednesday.

Contributor: Bharat Jogi, Director, Vulnerability and Threat Research, Qualys

Related

Attachments

  • Original Link
  • Original Document
  • Permalink

Disclaimer

Qualys Inc. published this content on 12 April 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 April 2022 20:24:04 UTC.