Flash Notice: [CVE-2022-22047] Microsoft Zero-Day Actively Exploited, Impacting Server & Client Windows Platforms

Overview of cve-2022-22047

A zero-day vulnerability was found in the latest Widows 11 and Windows Server 2022 releases. CVE-2022-22047 is a local privilege escalation vulnerability found in the Windows Client and Windows Server Runtime Subsystem. Although Microsoft has issued a patch, the vulnerability is actively being exploited by attackers and has a CVSS rating of 6.8.

Technical details are sparse, however Microsoft’s advisory stated that an attacker who successfully exploits the vulnerability could gain SYSTEM privileges and disable local services such as Endpoint Detection and Security tools. However, in order to gain those privileges, the attacker must first gain access to the system by exploiting a separate code execution flaw. According to CISA, agencies affected by the zero day have three weeks to (until August 2, 2022), to patch CVE-2022-22047.

Microsoft has yet to reveal if the vulnerability is being used in widespread or targeted attacks but it’s still important to patch regardless of the details. In the absence of information, it’s always best to choose the safest option and in this case, it’s following Microsoft’s instructions for patching.

additional vulnerabilities

CVE-2022-30216 is a tampering vulnerability in the Windows Server Service that could allow an attacker to upload a malicious file certificate and target a server. Microsoft gave the bug its highest exploit index rating which means an active exploit could happen within 30 days.

CVE-2022-22029 is a remote code execution vulnerability found in the Windows NFS service. This is not an easy vulnerability to exploit, as an attacker would need to make repeated exploitation attempts through sending constant or intermittent data. However, attempts to exploit could go unnoticed, making patching a priority.

CVE-2022-22026 is an elevation of privilege flaw with a CVSS score of 7.8. If an attacker is successful, they could send specially crafted data to the local CSRSS service and escalate privileges from AppContainer to SYSTEM. An AppContainer environment is a defensible security boundary, making processes bypassing the boundary a change in Scope.

Because CVE-2022-22047 is actively exploited in the wild, it’s pertinent that your organization makes patching the vulnerabilities a priority. Attackers could target your devices and gain access to your networks and systems, causing devastation that could have a long-lasting impact on your business operations.

How Avertium is Protecting Our Customers:

Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is great than the sum of its parts.
Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.
Avertium uses whitelisting tools like AppLocker to audit or block command-line interpreters.
Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it's an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes

Avertium's recommendations

Avertium recommends that you follow Microsoft’s advisory and patch CVE-2022-22047 as soon as possible, as there are no published mitigations yet.
Avertium also recommends that you patch the other vulnerabilities mentioned in the notice: CVE-2022-30216, CVE-2022-22029, and CVE-2022-22026.

INDICATOR'S OF COMPROMISE (IOCS):

At this time, there are no known IoCs associated with CVE-2022-22047. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.