
Critical Exchange Server bug fixed for March Patch Tuesday

After a mild February Patch Tuesday, Exchange Server returns to the list of products with vulnerabilities fixed on March Patch Tuesday.

In total, Microsoft patched 71 unique flaws this month, including three rated critical and three that were publicly disclosed before the fix. Administrators had a relatively light workload on February Patch Tuesday, which carried 51 CVEs with none rated critical and no fixes for Exchange Server.

Administrators managing an on-premises mail server will want to focus on an Exchange Server remote code execution vulnerability (CVE-2022-23277). The bug is rated critical and affects all supported versions (Exchange Server 2013, 2016 and 2019). It carries a relatively high Common Vulnerability Scoring System (CVSS) score of 8.8 out of 10.

Exchange Server continues to attract considerable interest from malicious actors. Intrusion attempts against the messaging platform keep growing in sophistication and often chain several vulnerabilities to gain access to this highly prized infrastructure component. CVE-2022-23277 requires an authenticated attacker, but an attacker who first uses another vulnerability to elevate privileges and obtain credentials at the required level needs no user interaction to execute code in the context of server accounts.


“While there are a few hurdles for the attacker to jump through, that definitely makes this critical Exchange vulnerability a priority,” said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company.

Microsoft fixed another Exchange Server vulnerability (CVE-2022-24463) in the March Patch Tuesday release. The spoofing flaw is rated important and affects Exchange Server 2016 and 2019. A malicious actor needs valid credentials to carry out the attack.

“An authenticated attacker could make a specially crafted network call to the target Exchange server that would cause the parsing of an HTTP request to a server controlled by the attacker. This could lead to the disclosure of files from the target Exchange server,” Microsoft wrote in its CVE notes.

Existence of proof-of-concept code should speed up fixes

Microsoft also released security updates for three publicly disclosed vulnerabilities on March Patch Tuesday. Two of the bugs have proof-of-concept code available, which should prompt administrators to push fixes for these flaws quickly.

A remote code execution vulnerability (CVE-2022-24512) rated important affects several .NET and Visual Studio products, including .NET Core 3.1, .NET 5.0, .NET 6.0 and recent Microsoft Visual Studio releases. The vulnerability has a relatively low CVSS score of 6.3; exploitation requires user interaction and has to be chained with additional vulnerabilities.

A Windows Fax and Scan Service elevation of privilege vulnerability (CVE-2022-24459), rated important for supported Windows desktop and server operating systems, has a CVSS score of 7.8. Proof-of-concept exploit code exists for this vulnerability, which requires no user interaction to trigger.

A Remote Desktop Protocol (RDP) client remote code execution vulnerability (CVE-2022-21990) rated important affects supported Windows desktop and server operating systems. Proof-of-concept exploit code exists for this flaw as well.

“In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop server could trigger remote code execution on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop client,” Microsoft wrote in the CVE notes.

Systems susceptible to the RDP vulnerability should be prioritized because the available proof-of-concept code could be weaponized quickly. Unlike the server-side BlueKeep and DejaBlue flaws, this one is exploited against the client: the exposure is a user connecting to a hostile or compromised RDP server, not an RDP listener reachable from the network. Even though BlueKeep and DejaBlue dominated the news not so long ago, many organizations could still be at the mercy of the next round of RDP flaws.

“Even though it’s 2022, we still haven’t learned our lesson. Not everyone has closed this RDP gap. There is still a lot of public exposure with this vulnerability, whether on the network or usable remotely within an organization’s environment,” Goettl said.

March Patch Tuesday fixed two more RDP client bugs: CVE-2022-23285, a remote code execution vulnerability rated important with a CVSS score of 8.8, and CVE-2022-24503, an information disclosure vulnerability rated important with a CVSS score of 5.4.

Administrators will also want to pay early attention to an important-rated Windows SMBv3 client/server remote code execution vulnerability that affects recent Windows client and server releases. Microsoft’s CVE notes provide a PowerShell command for administrators who cannot patch quickly, along with instructions for blocking TCP port 445 at the perimeter firewall. Goettl said that relying on this kind of antiquated defensive measure for older technologies has pushed companies toward newer security models, such as zero trust and Secure Access Service Edge.
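As an added example, not part of the original article or of Microsoft’s CVE notes, the following PowerShell applies the two interim mitigations the paragraph refers to on a single host and verifies them. It assumes the command Microsoft points to is the SMBv3 compression switch (the DisableCompression DWORD under LanmanServer\Parameters, the same value Microsoft has documented for earlier SMBv3 mitigations); the firewall rule name is chosen here, and the host-side 445 rule is a backstop for roaming machines, not a replacement for the perimeter block Microsoft describes.

```powershell
# Added example, not from the article or from Microsoft's CVE notes: interim
# host-side mitigations for an SMBv3 server flaw while the March 2022 update rolls out.
# Assumption: the compression switch is the DisableCompression DWORD under
# LanmanServer\Parameters that Microsoft documents for SMBv3 mitigations; the firewall
# rule name below is chosen here. Run from an elevated PowerShell prompt.

$params   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName = 'Interim mitigation - block inbound TCP 445 on public networks'

# 1. Record the current state so the change can be reverted after patching.
$before = (Get-ItemProperty -Path $params -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
Write-Output ("DisableCompression before: {0}" -f $(if ($null -eq $before) { '<not set>' } else { $before }))

# 2. Disable SMBv3 compression on the server side. Takes effect without a reboot and
#    covers only the SMB server role, not this host's outbound SMB client connections.
Set-ItemProperty -Path $params -Name DisableCompression -Type DWORD -Value 1 -Force

# 3. Microsoft's advice is to block TCP 445 at the enterprise perimeter. For laptops that
#    leave the network, a host rule on the Public profile is the closest equivalent and
#    leaves domain and private networks untouched.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public | Out-Null
}

# 4. Verify both controls.
$after = (Get-ItemProperty -Path $params -Name DisableCompression).DisableCompression
$rule  = Get-NetFirewallRule -DisplayName $ruleName
Write-Output ("DisableCompression after: {0}" -f $after)
Write-Output ("Firewall rule '{0}': Enabled={1} Action={2}" -f $rule.DisplayName, $rule.Enabled, $rule.Action)

# 5. Once the March update is installed, restore the original state:
#    Set-ItemProperty -Path $params -Name DisableCompression -Type DWORD -Value 0 -Force
#    Remove-NetFirewallRule -DisplayName $ruleName
```

Keep the recorded “before” value with the change ticket; the compression switch is easy to forget once the patch lands, and leaving it set has a small performance cost on busy file servers.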

Microsoft updates remediation plan for 2021 vulnerability

Microsoft recently revised an older CVE to add dates for the next steps in a multi-stage fix for a Windows Distributed Component Object Model (DCOM) server security feature bypass vulnerability (CVE-2021-26414).

A June 2021 patch added protections for Windows clients, while the next update, scheduled for June Patch Tuesday, will harden DCOM servers by default. Administrators can disable the DCOM server hardening through a registry key change if application issues arise. The final phase, scheduled for March 14, 2023, will enforce the hardening and remove the ability to roll it back.
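To see where a host stands before the June phase, here is an added PowerShell check (example code, not from the article or from Microsoft’s KB). It assumes the hardening switch is the RequireIntegrityActivationAuthenticationLevel DWORD under HKLM\SOFTWARE\Microsoft\Ole\AppCompat (0 disables, 1 enables) and that the DCOM authentication-level errors Microsoft added are System log event IDs 10036 on the server side and 10037/10038 on the client side; verify both against the current KB before relying on them.

```powershell
# Added example, not from the article or from Microsoft's KB: inventory where a host
# stands on DCOM server hardening (CVE-2021-26414) before the June 2022 phase lands.
# Assumptions: the registry value is the documented hardening switch
# (HKLM\SOFTWARE\Microsoft\Ole\AppCompat, RequireIntegrityActivationAuthenticationLevel,
# 0 = disabled, 1 = enabled); event IDs 10036 (server side) and 10037/10038 (client
# side) are the DCOM authentication-level errors written to the System log.

$key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) { 'not set (follows the default of the installed update phase)' }
    elseif ($v -eq 0) { 'explicitly disabled (the rollback Microsoft removes on March 14, 2023)' }
    elseif ($v -eq 1) { 'explicitly enabled' }
    else              { "unexpected value $v" }
}

# Surface applications that already fail or warn under the stricter authentication
# level, so they can be reported to the vendor while the hardening can still be disabled.
function Get-DcomAuthLevelEvents([int]$Days = 30) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 10036, 10037, 10038
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Write-Output ("DCOM hardening on {0}: {1}" -f $env:COMPUTERNAME, (Get-DcomHardeningState))
$events = @(Get-DcomAuthLevelEvents)
Write-Output ("DCOM authentication-level events in the last 30 days: {0}" -f $events.Count)
$events | Format-Table -AutoSize -Wrap

# Only to buy time for an application that breaks (works until the March 2023 phase):
#   Set-ItemProperty -Path $key -Name $name -Type DWORD -Value 0 -Force
# Re-enable once the vendor fix is in place:
#   Set-ItemProperty -Path $key -Name $name -Type DWORD -Value 1 -Force
```

Run it across the estate (for example through Invoke-Command) and treat any host with the value at 0 or with recurring 10036 events as an open item for the application owner, since that is exactly the state the March 2023 phase will no longer tolerate.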

Goettl said this type of remediation carries many layers of complexity. Administrators should report any application issues to the vendor so they can be corrected before Microsoft enforces the DCOM protections. Getting every affected machine working properly can take considerable effort, time and money.

“It could be painful, especially for a small number of companies that reach a point where they just can’t fix the problems. Then they will have to abandon this technology or leave it exposed in March 2023,” he said.