Patch Tuesday May 2022

Jordan Hammond fun headshot
Jordan Hammond|May 10, 2022
patch tuesday may 2022
patch tuesday may 2022

It is time for another Patch Tuesday, and while we are looking at a lower number of exploits patched overall, some of them are absolute doozies. Overall, we are looking at 73 total exploits, six critical, two publicly disclosed, and one actively exploited. That is quite the combo. I am feeling optimistic today, so while breaking down the horror, I will try and give a bright side for each!

Some highlights (or lowlights)

CVE-2022-26925: This is the one that is actively exploited. It allows an attacker to spoof LSA(Local Security Authority) to force the domain controller to authenticate.  It is rated as an 8.1 but can be paired with a separate exploit that would set the score to a 9.8. It has a Network attack vector with no privileges or user interaction required. All servers will need to be patched, not just Domain Controllers. You will want to make sure every server has this and KB5005413 applied to ensure you are completely secure. 

Positive: …the complexity is listed as high?

CVE-2022-26937: This critical RCE patch attacking the Network File system is rated as a 9.8. The attack vector is Network, no privileges or user interaction is required, and complexity is low. That has all the markers of something that is wormable. This is a bad one that impacts a commonly used component as well. This exploit does not impact the latest versions of NFS, so you are safe if you are not on 2 or 3. If you are using 2 or 3 and cannot upgrade to 4.1 without impacting your production, you can do that with some quick PowerShell.

C:\Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false

Positive: This exploit does not work on NFSV4.1

CVE-2022-29130: This LDAP RCE exploit is also rated as a 9.8. It has many of the same markers as the previous patch we listed but with one major mitigating factor. You are not at risk if you have not increased your MaxRecieveBuffer higher than the default. You will need to check your DCs, but if your mac buffer is over 10,485,760 bytes, you might want to decrease it until you can get patched.

Positive: You are already protected if you never messed with a random LDAP setting!

Wrapping up

OOF! This was a rough month for optimism. A lot of those exploits are really bad. We did not even go into the exploits that are already known. The sooner you can get your lab patched for testing, the better. With the right tools, your lab could already be patching for you while you read this blog and ponder how we got to this point. Automating your peace of mind seems like a great and thematically aligned way to end this blog. Happy Patching!

Jordan Hammond fun headshot
Jordan Hammond

Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet while drinking most Thursdays on the PDQ webcast.

Related Articles