Microsoft patches Windows LSA spoofing zero-day under active attack (CVE-2022-26925)
May 2022 Patch Tuesday is here, and Microsoft has marked it by releasing fixes for 74 CVE-numbered vulnerabilities, including one zero-day under active attack and two publicly known vulnerabilities.
First and foremost, we have CVE-2022-26925, an "Important" spoofing vulnerability in Windows Local Security Authority that may turn into a "Critical" one if combined with NTLM relay attacks.
"Being actively exploited in the wild, this allows an attacker to authenticate as approved users as part of an NTLM relay attack - letting threat actors gain access to the hashes of authentication protocols," noted Kevin Breen, Director of Cyber Threat Research at Immersive Labs.
Satnam Narang, staff research engineer at Tenable, added that the attack complexity of CVE-2022-26925 is rated high because exploitation requires the attacker to be positioned as an attacker-in-the-middle. He joined Microsoft in urging administrators to patch the flaw and then review the two Microsoft documents that describe additional measures to mitigate NTLM relay attacks against Active Directory Certificate Services.
Dustin Childs, of Trend Micro's Zero Day Initiative, singled out CVE-2022-26923, an elevation-of-privilege (EoP) bug in Active Directory Domain Services that may allow an attacker to obtain a certificate with which they can authenticate to a domain controller with a high level of privilege. All the attacker needs is to include crafted data in a certificate request.
"In essence, any domain authenticated user can become a domain admin if Active Directory Certificate Services are running on the domain. This is a very common deployment. Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later," he noted.
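The relay scenario described above (an attacker-in-the-middle forwarding a coerced NTLM authentication so that they can log on as the victim machine) leaves a trace on the target: a successful network logon (Security event 4624) for a machine account, over NTLM, from an IP address that does not belong to that machine. The script below is an added detection illustration, not code from the article, from the quoted researchers or from Microsoft; the asset inventory, the expected-address mapping and the log lines are all constructed for the example, and the field names follow the 4624 event schema.

```python
"""Flag NTLM network logons (Security event 4624) by machine accounts that
arrive from an address other than the host the account belongs to.

A domain controller or file server does not normally authenticate with NTLM
from someone else's IP address; that pattern is consistent with a coerced
authentication being relayed by an attacker-in-the-middle. Added example:
inventory and log lines are constructed, not real data.
"""
from typing import Dict, List, Set, Tuple

# Constructed inventory: machine account -> IP addresses it legitimately uses.
EXPECTED_SOURCES: Dict[str, Set[str]] = {
    "DC01$": {"10.0.0.10"},
    "FS01$": {"10.0.0.20"},
}

# Constructed SIEM export of logon events as key=value lines. Field names
# match the real 4624 schema; every value is invented for this example.
SAMPLE_LOG = """\
EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=alice IpAddress=10.0.0.25 WorkstationName=WS25
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=DC01$ IpAddress=10.0.0.99 WorkstationName=HOST77
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=DC01$ IpAddress=10.0.0.10 WorkstationName=DC01
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=bob IpAddress=10.0.0.31 WorkstationName=WS31
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=FS01$ IpAddress=10.0.0.99 WorkstationName=HOST77
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=SRV09$ IpAddress=10.0.0.50 WorkstationName=SRV09
EventID=4625 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=DC01$ IpAddress=10.0.0.99 WorkstationName=HOST77
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse key=value lines into one dict per event; blank lines are skipped."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        events.append(dict(token.split("=", 1) for token in line.split()))
    return events


def find_suspicious_ntlm_logons(
    events: List[Dict[str, str]], expected_sources: Dict[str, Set[str]]
) -> List[Tuple[str, str, str]]:
    """Return (account, source_ip, reason) for each successful NTLM network
    logon by a machine account whose source address is not on record."""
    findings: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue  # only successful network logons are of interest here
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons are not subject to NTLM relay
        account = ev.get("TargetUserName", "")
        if not account.endswith("$"):
            continue  # user accounts need a separate baseline; out of scope
        source_ip = ev.get("IpAddress", "")
        allowed = expected_sources.get(account)
        if allowed is None:
            findings.append((account, source_ip, "machine account not in inventory"))
        elif source_ip not in allowed:
            findings.append((account, source_ip,
                             "NTLM logon from address not assigned to this host"))
    return findings


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the detector over the constructed log; returns three findings."""
    return find_suspicious_ntlm_logons(parse_events(SAMPLE_LOG), EXPECTED_SOURCES)


if __name__ == "__main__":
    for account, ip, reason in run_sample():
        print(f"{account} from {ip}: {reason}")
```

Only the two DC01$/FS01$ logons from 10.0.0.99 and the unknown SRV09$ account are reported; the legitimate DC01$ logon from its own address, the Kerberos logon, the user logon and the failed 4625 attempt are ignored. In a real deployment the inventory would come from DNS or the CMDB rather than a literal, and a finding for a domain controller account is the one to escalate first, since that is the account a relayed authentication would be impersonating.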
News URL
https://www.helpnetsecurity.com/2022/05/10/cve-2022-26925/
Related Vulnerability
| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2022-05-10 | CVE-2022-26925 | Windows LSA Spoofing Vulnerability (Missing Authentication for Critical Function in Microsoft products) | 5.9 |
| 2022-05-10 | CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability (Improper Certificate Validation in Microsoft products) | 8.8 |