An issue was discovered in the Pinniped Supervisor with either LADPIdentityProvider or ActiveDirectoryIdentityProvider resources. An attack would involve the malicious user changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor's LDAP query which determines their Kubernetes group membership.

**Impact**

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if _all_ of the following conditions were true:

*   The Pinniped Supervisor is configured with either an LADPIdentityProvider or an ActiveDirectoryIdentityProvider resource
*   The user somehow had the ability to edit some part of the distinguished name (DN) of user entries in the LDAP or Active Directory (AD) server's database
*   The user knows the password for the edited LDAP user entry (i.e. the user is a legitimate user)

An attack would involve the attacker changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor's LDAP query which determines their Kubernetes group membership.

Generally, users cannot edit LDAP entries, in which case this attack would first require compromising the LDAP server's security.

If you use the Pinniped Supervisor with either an LADPIdentityProvider or an ActiveDirectoryIdentityProvider resource, and your end users are able to change any part of their DN in their LDAP entry on the LDAP or AD server, then you should immediately upgrade Pinniped to v0.17.0.

**Patches**

The Pinniped Supervisor's LADPIdentityProvider feature was first introduced in v0.9.0. Previous versions were not effected.

The fix was introduced in release v0.17.0.

**Workarounds**

Preventing attackers from being able to edit their LDAP user entry prevents them from controlling the inputs required to make this attack.

**References**

The issue was fixed by PR #1148.

**For more information**

If you have any questions or comments about this advisory, please reach out to the maintainers using one of the methods described in this repo's README.md.

CVE-2022-22975

Microsoft's May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft’s May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft has revealed 73 new patches for May’s monthly update of security fixes, including a patch for one flaw–a zero-day Windows LSA Spoofing Vulnerability rated as “important”—that is currently being exploited with man-in-the-middle attacks.

The software giant’s monthly update of patches that comes out every second Tuesday of the month–known as Patch Tuesday—also included fixes for seven “critical” flaws, 65 others rated as “important,” and one rated as “low.”

Given that Microsoft released a record number of patches in April, May’s patch tally is relatively low, but still includes a number of notable flaws that deserve attention, researchers said.  

“Although this isn’t a large number, this month makes up for it in severity and infrastructure headaches,” observed Chris Hass, director of security at security firm Automox, in an email to Threatpost. “The big news is the critical vulnerabilities that need to be highlighted for immediate action.”

Of the seven critical flaws, five allow for remote code execution (RCE) and two give attackers elevation of privilege (EoP). The remainder of the flaws also include a high percentage of RCE and EoP bugs, with the former accounting for 32.9 percent of the flaws patched this month, while the latter accounted for 28.8 percent of fixes, according to a blog post by researchers at Tenable.

The Windows LSA Spoofing Vulnerability, tracked as CVE-2022-26925, in and of itself was not rated as critical. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8, noted Allan Liska, a senior security architect at Recorded Future, in an e-mail to Threatpost.

Moreover, the flaw—which allows an unauthenticated attacker to coerce domain controllers to authenticate to an attacker-controller server using NTLM–is being exploited in the wild as a zero-day, he said. This makes it a priority to patch, Liska added, echoing guidance from Microsoft.

****Critical Infrastructure Vulnerabilities****

Of the other critical RCE flaws patched by Microsoft, four are worth noting because of their presence in infrastructure that’s fairly ubiquitous in many enterprise and/or cloud environments.

One is tracked as CVE-2022-29972 and is found in Insight Software’s Magnitude Simba Amazon Redshift ODBC Driver, and would need to be patched by a cloud provider—something organizations should follow up on, Liska said.

CVE-2022-22012 and CVE-2022-29130 are RCE vulnerabilities found in Microsoft’s LDAP service that are rated as critical. However, a caveat by Microsoft in its security bulletin noted that they are only exploitable “if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.” That means that systems with the default value of this policy would not be vulnerable, the company said.

While “having the MaxReceiveBuffer set to a higher value than the default” seems an “uncommon configuration,” if an organization has this setting, it should prioritize patching these vulnerabilities, Liska observed.

Another critical RCE, CVE-2022-26937, is found in the Network File System (NFS) and has broad impact for Windows Server versions 2008 through 2022. However, this vulnerability only affects NFSV2 and NFSV3, and Microsoft has included instructions for disabling these versions of the NFS in the bulletin.

At the same time, Microsoft characterized the ease of exploitation of these vulnerabilities as “Exploitation More Likely,” as was the case with a similar vulnerability, CVE-2021-26432, an actively exploited zero day in the TCP/IP protocol stack in Windows server that was patched in August 2021.

“Given the similarities between these vulnerabilities and those of August of 2021, we could all be in store for a rough May,” Liska noted.

****Another Important Flaw Fixed****

Of the other flaws, another “important” one to note is CVE-2022-22019, a companion vulnerability to three previously disclosed and patched flaws found in Microsoft’s Remote Procedure Call (RPC) runtime library.

The vulnerability, discovered by Akamai researcher Ben Barnea, takes advantage of three RPC runtime library flaws that Microsoft had patched in April–CVE-2022-26809, CVE-2022-24492 and CVE-2022-24528, he revealed in a blog post Tuesday. The flaws affected Windows 7, 8, 10 and 11, and Windows Servers 2008, 2012, 2019 and 2022, and could allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service.

Akamai researchers discovered that the previous patch only partially addressed the problem, allowing the new vulnerability to create the same integer overflow that was supposed to be fixed, he explained.

“During our research, we found that right before allocating memory for the new coalesced buffer, the code adds another 24 bytes to the allocation size,” Barnea wrote in the post. “These 24 bytes are the size of a struct called ‘rpcconn\_request\_hdr\_t,’ which serves as the buffer header.”

The previous patch performs the check for integer overflow before adding the header size, so it does not take into account this header–which can lead to the same integer overflow that the patch was attempting to mitigate, he explained.

“The new patch adds another call to validate that the addition of 24 bytes does not overflow,” mitigating the problem, Barnea wrote.

Actively Exploited Zero-Day Bug Patched by Microsoft

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild.
Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.
These encompass 24 remote code execution (RCE), 21 elevation of

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild.

Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.

These encompass 24 remote code execution (RCE), 21 elevation of privilege, 17 information disclosure, and six denial-of-service vulnerabilities, among others. The updates are in addition to 36 flaws patched in the Chromium-based Microsoft Edge browser on April 28, 2022.

Chief among the resolved bugs is CVE-2022-26925 (CVSS score: 8.1), a spoofing vulnerability affecting the Windows Local Security Authority (LSA), which Microsoft describes as a "protected subsystem that authenticates and logs users onto the local system."

"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," the company said. "This security update detects anonymous connection attempts in LSARPC and disallows it."

It's also worth noting that the CVSS severity rating of the flaw would be elevated to 9.8 should it be combined with NTLM relay attacks like PetitPotam, making it a critical issue.

"Being actively exploited in the wild, this exploit allows an attacker to authenticate as approved users as part of an NTLM relay attack - letting threat actors gain access to the hashes of authentication protocols," Kev Breen, director of cyber threat research at Immersive Labs, said.

The two other publicly-known vulnerabilities are as follows -

*   CVE-2022-29972 (CVSS score: 8.2) - Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver (aka SynLapse)
*   CVE-2022-22713 (CVSS score: 5.6) - Windows Hyper-V Denial-of-Service Vulnerability

Microsoft, which remediated CVE-2022-29972 on April 15, tagged it as "Exploitation More Likely" on the Exploitability Index, making it imperative affected users apply the updates as soon as possible.

Also patched by Redmond are several RCE bugs in Windows Network File System (CVE-2022-26937), Windows LDAP (CVE-2022-22012, CVE-2022-29130), Windows Graphics (CVE-2022-26927), Windows Kernel (CVE-2022-29133), Remote Procedure Call Runtime (CVE-2022-22019), and Visual Studio Code (CVE-2022-30129).

Cyber-Kunlun, a Beijing-based cybersecurity company, has been credited with reporting 30 of the 74 flaws, counting CVE-2022-26937, CVE-2022-22012, and CVE-2022-29130.

What's more, CVE-2022-22019 followed an incomplete patch for three RCE issues in the Remote Procedure Call (RPC) runtime library last month — CVE-2022-26809, CVE-2022-24492, and CVE-2022-24528 — that were addressed by Microsoft in April 2022.

Exploiting the flaw would allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service, Akamai said.

The Patch Tuesday update is also notable for resolving two privilege escalation (CVE-2022-29104 and CVE-2022-29132) and two information disclosure (CVE-2022-29114 and CVE-2022-29140) vulnerabilities in the Print Spooler component, which has long posed an attractive target for attackers.

**Software Patches from Other Vendors**

Besides Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Cisco
*   Citrix
*   Dell
*   F5
*   Google Chrome
*   HP
*   Intel
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   Qualcomm
*   SAP
*   Schneider Electric, and
*   Siemens

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates

Microsoft's May 2022 Patch Tuesday contains several bugs in ubiquitous software that could affect millions of machines, researchers warn.

Microsoft squashed 74 security vulnerabilities with its May 2022 Patch Tuesday update, including an important-rated zero-day bug that's being actively exploited in the wild and several that are likely widely present across enterprises.

It also patched seven critical flaws, 65 other important-rated bugs, and one low-severity issue. The fixes run the gamut of the computing giant's portfolio, including: Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol.

**3 Zero-Days, 1 Actively Exploited**  
The actively exploited bug (CVE-2022-26925) is a Windows LSA-spoofing vulnerability that rates 8.1 out of 10 on the CVSS vulnerability-severity scale – however, Microsoft notes in its advisory that it should be bumped up to critical (CVSS 9.8) if used in Windows NT LAN Manager (NTLM) relay attacks.

"\[A\]n unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," Microsoft warns in its advisory – a concerning situation considering that domain controllers provide high-level access to privileges.

Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server – which they can then use to authenticate to the remote server with the compromised user's privileges.

That said, the bug is tougher to exploit than most, explains Trend Micro Zero Day Initiative (ZDI) researcher Dustin Childs in a Tuesday blog. "The threat actor would need to be in the logical network path between the target and the resource requested (e.g., man-in-the-middle), but since this is listed as under active attack, someone must have figured out how to make that happen."

Tyler Reguly, manager of security R&D at Tripwire, tells Dark Reading that the bug could be related to a previously seen threat known as PetitPotam, which emerged in July to allow attackers to force remote Windows systems to reveal easily crackable password hashes.

"Based on Microsoft’s provided links, this looks to be related to the previous PetitPotam patch," he notes, adding that researchers will be guessing about that. "This is a prime example of where detailed executive summaries that explain what is happening were useful in the past. It would be great if Microsoft could return to providing those on a regular basis," he says.

Microsoft also patched two other zero-days, including a critical bug (CVE-2022-29972, CVSS not available) in Insight Software's Magnitude Simba Amazon Redshift ODBC Driver – "a third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory," as ZDI's Childs explains.

He adds, "This update is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services."

The final zero-day (CVE-2022-22713, CVSS 5.6) is an important-rated bug in Windows Hyper-V that could allow denial-of-service (DoS).

**Leading Lights: Critical Microsoft Security Bugs to Patch Now**  
As far as other patches for admins to prioritize this month, some of the critical-rated issues are far-reaching across organizational infrastructure and could affect millions of companies, researchers warn.

"The big news is the critical vulnerabilities that need to be highlighted for immediate action," Chris Hass, director of security at Automox, tells Dark Reading. "This month features vulnerabilities in a number of applications that are prevalent in most enterprise organizations, including NSF, Remote Desktop Client, and Active Directory."

For instance, the critical bug affecting Windows Network File System, or NFS (CVE-2022-26937, CVSS 9.8) could allow unauthenticated remote code-execution (RCE) in the context of the highly privileged NFS service, according to Microsoft's advisory. To boot, its ubiquity is Log4j-like: It "is present in every Windows Server version from 2008 forward," Hass says, "which puts most organizations at risk if action isn't taken quickly."

Further, "these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data, often part of a ransom attempt," Kevin Breen, director of cyber threat research at Immersive Labs, tells Dark Reading.

In terms of who should especially prioritize the patch, "NFS isn't on by default, but it's prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly," Childs warns.

As for other critical bugs to consider, Breen flags CVE-2022-22017 (CVSS 8.8), an RCE issue in the also-ubiquitous Remote Desktop (RDP) Client.

"With more remote workers than ever, enterprises need to put anything affecting RDP on the radar — especially given its popularity with ransomware actors and access brokers," he warns.

The Active Directory bug (CVE-2022-26923, CVSS 8.8) is found in Domain Services and could allow elevation of privilege thanks to an issue with the issuance of certificates. ZDI, which reported the bug, says that an attacker can gain access to a certificate to authenticate to a DC with a high level of privilege, allowing any domain-authenticated user to become a domain admin if Active Directory Certificate Services are running.

"This is a very common deployment," Childs says. "Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later."

Of less concern, Breen says, are a group of 10 RCE bugs in LDAP (the most severe, CVE-2022-22012, has a CVSS score of 9.8). These "appear particularly threatening; however, they have been marked by Microsoft as 'exploitation less likely' as they require a default configuration unlikely to exist in most environments," he notes. "It's not to say there is no need to patch these, rather a reminder that context is important when prioritizing patches."

**The Worst of the Rest**  
A handful of other vulnerabilities that also stood out to researchers are worth noting here, starting with Windows Print Spooler, which has long presented an attractive bull's-eye for cyberattackers.

"There were several Windows Print Spooler vulnerabilities patched this month, including two information disclosure flaws (CVE-2022-29114, CVE-2022-29140) and two elevation of privilege flaws (CVE-2022-29104, CVE-2022-29132)," Satnam Narang, staff research engineer at Tenable, tells Dark Reading. "All of the flaws are rated as important, and two of the three are considered more likely to be exploited. Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation-of-privilege flaws in particular should be carefully prioritized, as we've seen ransomware groups like Conti favor them as part of its playbook."

Breen also highlighted two other important-rated bugs as patching priorities:

*   CVE-2022-29108, a remotely executable flaw in Sharepoint that could likely be abused by an attacker seeking to move laterally across an organization. "Requiring authenticated access to exploit, it could be used by a threat actor to steal confidential information or inject documents with malicious code or macros that could be part of a wider attack chain," Breen warns.
*   A bug in Azure Data Factory (no CVE assigned) is remotely exploitable and can expose an enterprise’s confidential data, according to Breen.

Virsec CTO and co-founder Satya Gupta says that overall, the broader context of Microsoft's patching trends is important to consider for defenders. Specifically, in the last year, more than a third of the patches (1,330, or 36%) are for RCE issues.

"This of course represents a massive opportunity for malicious actors to compromise nearly any customer," he says. "In total, several of May's vulnerabilities represent a Log4j level of exposure, particularly if you consider what it would take to patch millions of servers."

What to Patch Now: Actively Exploited Windows Zero-Day Threatens Domain Controllers

Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

CVE-2022-29130

Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

CVE-2022-22012

Windows LDAP Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139, CVE-2022-29141.

Tag

#ldap