Security
Headlines
HeadlinesLatestCVEs

Headline

Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972)

Summary Microsoft recently mitigated a vulnerability in Azure Data Factory and Azure Synapse pipelines. The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole. The vulnerability could … Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972) Read More »

msrc-blog
#vulnerability#mac#microsoft#amazon

Summary

Microsoft recently mitigated a vulnerability in Azure Data Factory and Azure Synapse pipelines. The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole. The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant.

Microsoft has conducted a detailed internal investigation to identify any cases of abuse. The only activity identified was performed by Orca Security, who reported the vulnerability. Our investigation found no evidence of misuse or malicious activity. The vulnerability was mitigated on April 15, 2022.

There is no action needed from Azure Data Factory or Azure Synapse pipeline customers who are hosted in the Azure cloud (Azure Integration Runtime) or who host on-premises (Self-Hosted Integration Runtime) with auto-updates turned on. Self-host IR customers without auto-update need to take action to safeguard their deployments. Customers with this configuration were notified and provided guidance through Azure Service Health Alerts (Tracking ID: MLC3-LD0); however, additional information can be found below in the “Customer Recommendations and Additional Support” section. Customers with auto-updates enabled do not need to take additional action.

The following sections explain in more detail the relevant architectural background of the services and components involved, some high-level technical details of the vulnerability and steps Microsoft has taken to mitigate the issue and, any next steps or recommendations for customers.

Background

Azure Data Factory is a Microsoft Cloud Extract Transform Load (ETL) service that enables data integration and data transformation. Azure Data Factory is available as a standalone service, and it is also provided as Azure Synapse pipelines.

Customers using Azure Data Factory or Azure Synapse pipelines can create an Integration Runtime (IR) in their factories and/or workspaces to allow for data integration across different network environments. Azure Synapse pipelines can be used to integrate data from various sources into Synapse Analytics workspaces. These pipelines also support connectors, which allow data to be integrated across different data stores, including third-party products. Azure Data Factory and Azure Synapse pipelines have many data connectors to different data sources built-in today.

IRs using Azure Synapse pipelines can be hosted in the Azure cloud (via the Azure Data Factory Integration Runtime) or hosted on-premises (Self-Hosted Integration Runtime). Cloud-hosted Azure IRs can also be configured with a Managed Virtual Network (VNet) and will use private endpoints to connect to supported data stores, which can provide an extra layer of network isolation.

As a high-level architectural overview of the hosting models:

  1. Azure IR (with a Managed Virtual Network): Cloud-hosted Azure IRs with a Managed VNet provide a dedicated container and dynamic pool behind a VNet, it is not shared across multiple customers.
  2. Azure IR (without a Managed Virtual Network): Cloud-hosted Azure IRs execute pipeline activities in a shared pool of underlying compute resources. This allows multiple customers to utilize the resources in this pool and dynamically scale nodes at runtime.
  3. Self-hosted IR (SHIR): As SHIR requires an on-premises or customer-provided virtual machine to execute tasks, SHIRs are dedicated to a single customer by design. SHIR can pull tasks from cloud or other on-premises data sources.

The vulnerability was specific to the third-party ODBC connector used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR).

Vulnerability Impact

The vulnerability in the third-party ODBC connector for Amazon Redshift allowed a user running jobs in a Synapse pipeline to execute remote commands. A user who exploited this vulnerability could then potentially acquire the Azure Data Factory service certificate and execute commands in another tenant’s Azure Data Factory Integration Runtimes. These certificates are specific to Azure Data Factory and Synapse Pipelines, and do not pertain to the rest of Azure Synapse.

Investigation and Mitigation

Orca Security reported a vulnerability to Microsoft on January 4, 2022, at which point we began our internal investigation to identify the scope of impact and to protect customers. Our timeline for investigation and mitigation can be summarized as follows:

  • January 4 – Orca reported the issue to Microsoft
  • March 2 – Microsoft completed rollout of initial hotfix
  • March 11 – Microsoft identified and notified customers affected by the researcher’s activity
  • March 30 – Orca notified Microsoft of an additional attack path to the same vulnerability
  • April 13 – Orca notified Microsoft of a second attack path to the same vulnerability
  • April 15 – Additional fixes deployed for the two newly reported attack paths as well as additional defense in depth measures applied

Microsoft fully mitigated attack paths to this vulnerability on April 15, 2022, by taking the following steps across all IR types:

  • Mitigated remote command execution in the impacted driver
  • Reduced the job execution privilege in the Azure Integration Runtime
  • Added extra validation layers as a defense in depth to harden the service
  • Rotated and revoked the backend service certificate and other Microsoft credentials that were accessed by the finder
  • Collaborated with the third-party ODBC driver provider on root-cause fixes to the driver used to connect to Amazon Redshift
  • Reviewed third-party driver vendor code and ran our security tooling to ensure it meets our security standards

Detections

While our investigation found no evidence of Microsoft product or service misuse or malicious activity from this vulnerability aside from the activity Orca reported, we are sharing the following Microsoft Defender for Endpoint and Microsoft Defender Antivirus detections to protect customers.

  • Customers using automatic updates do not need to take additional action. Enterprise customers managing updates should select the detection build 1.363.1065.0 or later and deploy it across their environments.
  • Microsoft Defender Antivirus version 1.363.1065.0 or later detects components and behaviors related to this threat and protects customers through the following detections:
    • Behavior:Win32/SuspAzureRequest.A
    • Behavior:Win32/SuspAzureRequest.B
    • Behavior:Win32/SuspAzureRequest.C
    • Behavior:Win32/LaunchingSuspCMD.B
  • Microsoft Defender for Endpoint alerts with the following titles in the Microsoft 365 Defender portal can indicate threat activity on your network:
    • Suspicious PowerShell Command Line.
    • Possible Azure Synapse Integration Runtime exploitation.

Microsoft Sentinel customers can use the following queries based on Microsoft Defender for Endpoint signatures to identify suspicious behavior leveraging this vulnerability.

  • Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory: This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. In Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert.
  • Possible command injection attempts against Azure Integration Runtimes: This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity based on process execution and command line activity.

Customer Recommendations and Additional Support

To ensure that your resources receive the necessary security updates, customers using Azure Data Factory with Self-hosted IRs (SHIRs) with auto-update turned off must update their SHIRs to the latest version (5.17.8154.2). Customers can download the latest version here. These customers were also notified of this guidance through Service Health (Tracking ID: MLC3-LD0) in the Azure Portal.

No further action is required of customers using SHIRs with auto-update enabled or customers using Azure IRs.

Customers can read more about the updates made to Self-hosted IR for this vulnerability in the release notes.

For additional protection, Microsoft recommends configuring Synapse workspaces with a Managed Virtual Network which provides better compute and network isolation. Customers using Azure Data Factory can enable Azure integration runtimes with a Managed Virtual Network. Microsoft is continually taking steps to apply additional safeguards to harden the Azure Data Factory and Azure Synapse Analytics platforms and protect our customers.

Ongoing Efforts to Protect Customers

While Microsoft applied the necessary mitigations for the vulnerability that Orca Security reported, we continue to invest engineering effort to ensure that customers of Azure Data Factory and Synapse pipeline workloads running in our cloud are secure and trustworthy. Our ongoing efforts include:

  • Continuing to work with our third-party driver vendors to ensure that all updates meet our security standards; sharing with our third-party vendors our security tools and techniques for ensuring a secure footprint
  • Ensuring that Cloud processes and workloads, including third-party data connectors, run in a Zero Trust architecture that advance cross tenant isolation. Specifically, we are implementing virtualization of third-party connector execution to achieve per-tenant isolation.
  • Proactively monitoring the broader footprint of Microsoft services that leverage 3rd party connectors.
  • Continued investment in monitoring and detections for proactive alerting, notification, and accelerated mitigation.

Please visit our Security Advisory for further details on our ongoing effort to address this issue: ADV220001.

We want to acknowledge Orca Security for reporting this vulnerability. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the terms and conditions in the Microsoft Bug Bounty Program to avoid impacting customer data while conducting security research.

Additional Resources

  • Details on this CVE: CVE-2022-29972
  • Microsoft Security Advisory – Defense in depth measures for Azure Data Factory and Azure Synapse pipeline: ADV220001

The MSRC Team

Related news

Technical Details Released for 'SynLapse' RCE Vulnerability Reported in Microsoft Azure

Microsoft has incorporated additional improvements to address the recently disclosed SynLapse security vulnerability in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client

Microsoft Patch Tuesday: Fixes for 0-Day and 74 Other Flaws Released

By Waqas The latest edition of Patch Tuesday offers fixes for 7 critical flaws, including 5 RCE (remote code execution)… This is a post from HackRead.com Read the original post: Microsoft Patch Tuesday: Fixes for 0-Day and 74 Other Flaws Released

Update now! Microsoft releases patches, including one for actively exploited zero-day

May's Patch Tuesday includes one actively exploited zero-day vulnerability and some other interesting ones. The post Update now! Microsoft releases patches, including one for actively exploited zero-day appeared first on Malwarebytes Labs.

Actively Exploited Zero-Day Bug Patched by Microsoft

Microsoft's May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild. Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release. These encompass 24 remote code execution (RCE), 21 elevation of

What to Patch Now: Actively Exploited Windows Zero-Day Threatens Domain Controllers

Microsoft's May 2022 Patch Tuesday contains several bugs in ubiquitous software that could affect millions of machines, researchers warn.

Microsoft Patch Tuesday for May 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Jaeson Schultz.  Microsoft returned to its normal monthly patching volume in May, disclosing and fixing 74 vulnerabilities as part of the company’s latest security update. This month’s Patch Tuesday includes seven critical vulnerabilities after Microsoft... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Microsoft Mitigates RCE Vulnerability Affecting Azure Synapse and Data Factory

Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2022-29972, has been codenamed "SynLapse" by researchers from Orca Security, who reported the flaw to Microsoft in January 2022. <!--adsense--> "The vulnerability was specific to

GHSA-269q-hmxg-m83q: Local Information Disclosure Vulnerability in io.netty:netty-codec-http

### Description ### [GHSA-5mcr-gq6c-3hq2](https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2) (CVE-2021-21290) contains an insufficient fix for the vulnerability identified. ### Impact ### When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. ### Vulnerability Details ### To fix the vulnerability the code was changed to the following: ```java @SuppressJava6Requirement(reason = "Guarded by version check") public static File createTempFile(String prefix, String suffix, File directory) throws IOException { if (javaVersion() >= 7) { if (directory == null) { ...

CVE-2022-29115: Windows Fax Service Remote Code Execution Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires that a user import a specially crafted contact record and sends it a FAX.

CVE-2022-29128: Windows LDAP Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** This vulnerability could be exploited over the network by an authenticated normal user through a low complexity attack on a server configured as the domain controller.

CVE-2022-22013: Windows LDAP Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An authenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account.

CVE-2022-29131: Windows LDAP Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** This vulnerability could be exploited over the network by an authenticated normal user through a low complexity attack on a server configured as the domain controller.

CVE-2022-29139: Windows LDAP Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An attacker could exploit the vulnerability by convincing a user to connect a Lightweight Directory Access Protocol (LDAP) client to a malicious LDAP server. When the vulnerability is successfully exploited this could allow the malicious server to gain remote code execution within the LDAP client.

CVE-2022-29137: Windows LDAP Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An authenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account.

CVE-2022-29129: Windows LDAP Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** This vulnerability could be exploited over the network by an authenticated normal user through a low complexity attack on a server configured as the domain controller.

CVE-2022-29141: Windows LDAP Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An authenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account.

CVE-2022-29135: Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-22014: Windows LDAP Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An authenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account.

CVE-2022-29138: Windows Clustered Shared Volume Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-29142: Windows Kernel Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-29120: Windows Clustered Shared Volume Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

CVE-2022-29133: Windows Kernel Elevation of Privilege Vulnerability

**According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?** In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.

CVE-2022-29122: Windows Clustered Shared Volume Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

CVE-2022-26931: Windows Kerberos Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

CVE-2022-29140: Windows Print Spooler Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system.

CVE-2022-29123: Windows Clustered Shared Volume Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

CVE-2022-29114: Windows Print Spooler Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system.

CVE-2022-26936: Windows Server Service Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The presence of specific file names and users can be confirmed over the internal network.

CVE-2022-29134: Windows Clustered Shared Volume Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

CVE-2022-26926: Windows Address Book Remote Code Execution Vulnerability

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

CVE-2022-29106: Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-29113: Windows Digital Media Receiver Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-26937: Windows Network File System Remote Code Execution Vulnerability

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might be helpful in your situation: This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV2 and NFSV3. This may adversely affect your ecosystem and should only be used as a temporary mitigation. The following PowerShell command will disable those versions: PS C:\Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false After this, you will need to restart NFS server or reboot the machine. To restart NFS server, start a **cmd** window with **Run as Administrator**, enter the following commands: * **nfsadmin server stop** * **nfsadmin server start** To confirm that NFSv2 and NFSv3 have been turned off, run the following command in a Powershe...

CVE-2022-22016: Windows PlayToManager Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-29102: Windows Failover Cluster Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

CVE-2022-26927: Windows Graphics Component Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** There are multiple ways an attacker could exploit the vulnerability, such as by either convincing a user to open a specially crafted document, or by convincing a user to visit a webpage that contains specially crafted embedded OpenType fonts. The resulting Remote Code Execution would be within the context of the authenticated local user.

CVE-2022-26923: Active Directory Domain Services Elevation of Privilege Vulnerability

**How could an attacker exploit this vulnerability?** An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.

CVE-2022-29148: Visual Studio Remote Code Execution Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires that a user open a specially crafted file. * In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. * In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

CVE-2022-26933: Windows NTFS Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** Exploiting this vulnerability could allow the disclosure of certain kernel memory content.

CVE-2022-29125: Windows Push Notifications Apps Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-30129: Visual Studio Code Remote Code Execution Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2022-22012: Windows LDAP Remote Code Execution Vulnerability

**Are there any special conditions necessary for this vulnerability to be exploitable?** Yes. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. For more information, please see LDAP policies.

CVE-2022-29116: Windows Kernel Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

CVE-2022-26935: Windows WLAN AutoConfig Service Information Disclosure Vulnerability

**According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?** This vulnerability's attack is limited at the protocol level to a logically adjacent topology. This means it cannot simply be done across the internet, but instead needs something specific tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). This is common to many attacks that require man-in-the-middle type setups or that rely on initially gaining a foothold in another environment.

CVE-2022-29112: Windows Graphics Component Information Disclosure Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires that a user open a specially crafted file. * In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. * In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

CVE-2022-29130: Windows LDAP Remote Code Execution Vulnerability

**Are there any special conditions necessary for this vulnerability to be exploitable?** Yes. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. For more information, please see LDAP policies.

CVE-2022-26930: Windows Remote Access Connection Manager Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is memory layout - the vulnerability allows an attacker to collect information that facilitates predicting addressing of the memory.

CVE-2022-29126: Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-29108: Microsoft SharePoint Server Remote Code Execution Vulnerability

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability.

CVE-2022-29121: Windows WLAN AutoConfig Service Denial of Service Vulnerability

**According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?** This vulnerability's attack is limited at the protocol level to a logically adjacent topology. This means it cannot simply be done across the internet, but instead needs something specific tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). This is common to many attacks that require man-in-the-middle type setups or that rely on initially gaining a foothold in another environment.

CVE-2022-26934: Windows Graphics Component Information Disclosure Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires that a user open a specially crafted file. * In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. * In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

CVE-2022-22019: Remote Procedure Call Runtime Remote Code Execution Vulnerability

**How could an attacker exploit the vulnerability?** To exploit this vulnerability, an attacker would need to trick a user into executing a specially crafted script which executes an RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.

CVE-2022-22017: Remote Desktop Client Remote Code Execution Vulnerability

**How would an attacker exploit this vulnerability?** An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user.

CVE-2022-24466: Windows Hyper-V Security Feature Bypass Vulnerability

**What kind of security feature could be bypassed by exploiting this vulnerability?** This Hyper-V vulnerability relates to a Virtual Machine Switch with virtual networking in Hyper-V Network Virtualization (HNV). It might be possible to bypass extended ACLs and other Windows security feature checks. See Create Security Policies with Extended Port Access Control Lists for information about extended ACLs.

CVE-2022-26938: Storage Spaces Direct Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-26939: Storage Spaces Direct Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-26932: Storage Spaces Direct Elevation of Privilege Vulnerability

**According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?** In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.

CVE-2022-26925: Windows LSA Spoofing Vulnerability

**How could an attacker exploit this vulnerability?** An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it. **Is there more information available on how to protect my system?** Yes. Please see ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS). **Are there further actions I need to take to protect my system after I have applied the security update?** Yes. Please see KB5005413 for more information on the steps that you need to take to protect your system. Please note that the combined CVSS score would be 9.8 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS). **Should I prioritize updating domain controllers when I apply the security updates released on May 10, 2022?** Yes. This vulnerability affect...

CVE-2022-29127: BitLocker Security Feature Bypass Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-23279: Windows ALPC Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-21972: Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-21978: Microsoft Exchange Server Elevation of Privilege Vulnerability

 **Do I need to take further steps to be protected from this vulnerability?** Because of additional security hardening work for CVE-2022-21978, the following actions should be taken in addition to application of May 2022 security updates: For customers that have Exchange Server 2016 CU22 or CU23, or Exchange Server 2019 CU11 or CU12 installed Install the May 2022 SU first and then run one of the following commands using Setup.exe in your Exchange Server installation path (e.g., …\\Program Files\\Microsoft\\Exchange Server\\v15\\Bin): * Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains * Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains For customers that have Exchange Server 2013 CU23 installed: Install the May 2022 SU first and then run the following command using Setup.exe in your Exchange Server installation path (e.g., …\\Program Files\\Microsoft\\Exchange Server\\v15\\Bin): * Setup.exe /IAcceptEx...

CVE-2022-29150: Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-29151: Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-22713: Windows Hyper-V Denial of Service Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-23270: Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-29868: CVE-2022-29868 for versions 7.2.4-7.9.2 of 1Password for Mac

1Password for Mac 7.2.4 through 7.9.x before 7.9.3 is vulnerable to a process validation bypass. Malicious software running on the same computer can exfiltrate secrets from 1Password provided that 1Password is running and is unlocked. Affected secrets include vault items and derived values used for signing in to 1Password.

CVE-2022-29933: cms/CHANGELOG.md at develop · craftcms/cms

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).

CVE-2022-29972: Magnitude Simba Redshift and Athena Driver Vulnerability

An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) may allow a local user to execute arbitrary code.

CVE-2022-30240: Magnitude Simba Redshift and Athena Driver Vulnerability

An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift JDBC Driver 1.2.40 through 1.2.55 may allow a local user to execute code. NOTE: this is different from CVE-2022-29972.

CVE-2022-27412: Explore CMS 1.0 SQL Injection ≈ Packet Storm

Explore CMS v1.0 was discovered to contain a SQL injection vulnerability via a /page.php?id= request.

CVE-2022-30286: The art of vulnerability chaining (PyScript)

pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code.

Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972)

Summary Summary Microsoft recently mitigated a vulnerability in Azure Data Factory and Azure Synapse pipelines. The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole.

CVE-2022-29972: Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver

**Is the CVSS vector different as it relates to the Microsoft services that the vulnerability affects?** The vulnerability in the Redshift driver referenced in the CVE impacts Microsoft services listed in the affected software table. The environmental score as it relates to affected Microsoft services can be different than the score assigned by the owner of the CVE. The base environmental score that Micrososft has assigned is 8.2. Environmental Vector Element Value Comment Modified Attack Vector Network Modified Attack Complexity Low Modified Privileges Required High Modified User Interaction None Modified Scope Changed The vulnerability in the redshift driver impacts the services listed in the affected software. Modified Confidentiality High Modified Integrity High Modified Availability High **Are there any special roles that enable exploitation of this vulnerability?** Exploiting this vulnerability requires an attacker to have at least one of the following role...

msrc-blog: Latest News

Mitigating NTLM Relay Attacks by Default