Security News > 2022 > April > Microsoft fixes actively exploited zero-day reported by the NSA (CVE-2022-24521)

On this April 2022 Patch Tuesday, Microsoft has released patches for 128 CVE-numbered vulnerabilities, including one zero-day exploited in the wild and another for which there's already a PoC and a Metasploit module.

CVE-2022-24521 is a vulnerability in the Windows Common Log File System Driver that was reported to Microsoft by the National Security Agency and Adam Podlosky and Amir Bazine of Crowdstrike.

"Even though exploitation of this vulnerability requires an attacker to perfectly time their attack to win a race condition, Microsoft has rated it as 'Exploitation More Likely," says Claire Tills, senior research engineer at Tenable.

"Using the vulnerability, an attacker can create a specially-crafted RPC to execute code on the remote server with the same permissions as the RPC service. Microsoft recommends configuring some firewall rules to help prevent this vulnerability from being exploited. However, for customers who require this functionality, this guide has limited efficacy. To augment the firewall rules, enterprises should consider security controls that directly monitor and protect core software functionality and behavior."

"On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction. Again, that adds up to a wormable bug - at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter. However, Microsoft does provide guidance on how the RPC port multiplexer 'is firewall-friendly and simplifies deployment of NFS.' Check your installations and roll out these patches rapidly."

As a closing sidenote, Microsoft has recently announced the upcoming availability of Windows Autopatch, an automated, managed service by Microsoft to help enterprise IT admins keep Windows and Office always up-to-date.

News URL

https://www.helpnetsecurity.com/2022/04/12/cve-2022-24521/