Microsoft's May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft’s May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft has revealed 73 new patches for May’s monthly update of security fixes, including a patch for one flaw–a zero-day Windows LSA Spoofing Vulnerability rated as “important”—that is currently being exploited with man-in-the-middle attacks.

The software giant’s monthly update of patches that comes out every second Tuesday of the month–known as Patch Tuesday—also included fixes for seven “critical” flaws, 65 others rated as “important,” and one rated as “low.”

Given that Microsoft released a record number of patches in April, May’s patch tally is relatively low, but still includes a number of notable flaws that deserve attention, researchers said.  

“Although this isn’t a large number, this month makes up for it in severity and infrastructure headaches,” observed Chris Hass, director of security at security firm Automox, in an email to Threatpost. “The big news is the critical vulnerabilities that need to be highlighted for immediate action.”

Of the seven critical flaws, five allow for remote code execution (RCE) and two give attackers elevation of privilege (EoP). The remainder of the flaws also include a high percentage of RCE and EoP bugs, with the former accounting for 32.9 percent of the flaws patched this month, while the latter accounted for 28.8 percent of fixes, according to a blog post by researchers at Tenable.

The Windows LSA Spoofing Vulnerability, tracked as CVE-2022-26925, in and of itself was not rated as critical. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8, noted Allan Liska, a senior security architect at Recorded Future, in an e-mail to Threatpost.

Moreover, the flaw—which allows an unauthenticated attacker to coerce domain controllers to authenticate to an attacker-controller server using NTLM–is being exploited in the wild as a zero-day, he said. This makes it a priority to patch, Liska added, echoing guidance from Microsoft.

****Critical Infrastructure Vulnerabilities****

Of the other critical RCE flaws patched by Microsoft, four are worth noting because of their presence in infrastructure that’s fairly ubiquitous in many enterprise and/or cloud environments.

One is tracked as CVE-2022-29972 and is found in Insight Software’s Magnitude Simba Amazon Redshift ODBC Driver, and would need to be patched by a cloud provider—something organizations should follow up on, Liska said.

CVE-2022-22012 and CVE-2022-29130 are RCE vulnerabilities found in Microsoft’s LDAP service that are rated as critical. However, a caveat by Microsoft in its security bulletin noted that they are only exploitable “if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.” That means that systems with the default value of this policy would not be vulnerable, the company said.

While “having the MaxReceiveBuffer set to a higher value than the default” seems an “uncommon configuration,” if an organization has this setting, it should prioritize patching these vulnerabilities, Liska observed.

Another critical RCE, CVE-2022-26937, is found in the Network File System (NFS) and has broad impact for Windows Server versions 2008 through 2022. However, this vulnerability only affects NFSV2 and NFSV3, and Microsoft has included instructions for disabling these versions of the NFS in the bulletin.

At the same time, Microsoft characterized the ease of exploitation of these vulnerabilities as “Exploitation More Likely,” as was the case with a similar vulnerability, CVE-2021-26432, an actively exploited zero day in the TCP/IP protocol stack in Windows server that was patched in August 2021.

“Given the similarities between these vulnerabilities and those of August of 2021, we could all be in store for a rough May,” Liska noted.

****Another Important Flaw Fixed****

Of the other flaws, another “important” one to note is CVE-2022-22019, a companion vulnerability to three previously disclosed and patched flaws found in Microsoft’s Remote Procedure Call (RPC) runtime library.

The vulnerability, discovered by Akamai researcher Ben Barnea, takes advantage of three RPC runtime library flaws that Microsoft had patched in April–CVE-2022-26809, CVE-2022-24492 and CVE-2022-24528, he revealed in a blog post Tuesday. The flaws affected Windows 7, 8, 10 and 11, and Windows Servers 2008, 2012, 2019 and 2022, and could allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service.

Akamai researchers discovered that the previous patch only partially addressed the problem, allowing the new vulnerability to create the same integer overflow that was supposed to be fixed, he explained.

“During our research, we found that right before allocating memory for the new coalesced buffer, the code adds another 24 bytes to the allocation size,” Barnea wrote in the post. “These 24 bytes are the size of a struct called ‘rpcconn\_request\_hdr\_t,’ which serves as the buffer header.”

The previous patch performs the check for integer overflow before adding the header size, so it does not take into account this header–which can lead to the same integer overflow that the patch was attempting to mitigate, he explained.

“The new patch adds another call to validate that the addition of 24 bytes does not overflow,” mitigating the problem, Barnea wrote.

Actively Exploited Zero-Day Bug Patched by Microsoft

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild.
Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.
These encompass 24 remote code execution (RCE), 21 elevation of

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild.

Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.

These encompass 24 remote code execution (RCE), 21 elevation of privilege, 17 information disclosure, and six denial-of-service vulnerabilities, among others. The updates are in addition to 36 flaws patched in the Chromium-based Microsoft Edge browser on April 28, 2022.

Chief among the resolved bugs is CVE-2022-26925 (CVSS score: 8.1), a spoofing vulnerability affecting the Windows Local Security Authority (LSA), which Microsoft describes as a "protected subsystem that authenticates and logs users onto the local system."

"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," the company said. "This security update detects anonymous connection attempts in LSARPC and disallows it."

It's also worth noting that the CVSS severity rating of the flaw would be elevated to 9.8 should it be combined with NTLM relay attacks like PetitPotam, making it a critical issue.

"Being actively exploited in the wild, this exploit allows an attacker to authenticate as approved users as part of an NTLM relay attack - letting threat actors gain access to the hashes of authentication protocols," Kev Breen, director of cyber threat research at Immersive Labs, said.

The two other publicly-known vulnerabilities are as follows -

*   CVE-2022-29972 (CVSS score: 8.2) - Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver (aka SynLapse)
*   CVE-2022-22713 (CVSS score: 5.6) - Windows Hyper-V Denial-of-Service Vulnerability

Microsoft, which remediated CVE-2022-29972 on April 15, tagged it as "Exploitation More Likely" on the Exploitability Index, making it imperative affected users apply the updates as soon as possible.

Also patched by Redmond are several RCE bugs in Windows Network File System (CVE-2022-26937), Windows LDAP (CVE-2022-22012, CVE-2022-29130), Windows Graphics (CVE-2022-26927), Windows Kernel (CVE-2022-29133), Remote Procedure Call Runtime (CVE-2022-22019), and Visual Studio Code (CVE-2022-30129).

Cyber-Kunlun, a Beijing-based cybersecurity company, has been credited with reporting 30 of the 74 flaws, counting CVE-2022-26937, CVE-2022-22012, and CVE-2022-29130.

What's more, CVE-2022-22019 followed an incomplete patch for three RCE issues in the Remote Procedure Call (RPC) runtime library last month — CVE-2022-26809, CVE-2022-24492, and CVE-2022-24528 — that were addressed by Microsoft in April 2022.

Exploiting the flaw would allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service, Akamai said.

The Patch Tuesday update is also notable for resolving two privilege escalation (CVE-2022-29104 and CVE-2022-29132) and two information disclosure (CVE-2022-29114 and CVE-2022-29140) vulnerabilities in the Print Spooler component, which has long posed an attractive target for attackers.

**Software Patches from Other Vendors**

Besides Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Cisco
*   Citrix
*   Dell
*   F5
*   Google Chrome
*   HP
*   Intel
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   Qualcomm
*   SAP
*   Schneider Electric, and
*   Siemens

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates

Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. This month's patch batch includes fixes for seven "critical" flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

**Microsoft** today released updates to fix at least 74 separate security problems in its **Windows** operating systems and related software. This month’s patch batch includes fixes for seven “critical” flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

By all accounts, the most urgent bug Microsoft addressed this month is CVE-2022-26925, a weakness in a central component of Windows security (the “**Local Security Authority**” process within Windows). CVE-2022-26925 was publicly disclosed prior to today, and Microsoft says it is now actively being exploited in the wild. The flaw affects Windows 7 through 10 and Windows Server 2008 through 2022.

**Greg Wiseman**, product manager for **Rapid7**, said Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10 being the worst), although Microsoft notes that the CVSS score can be as high as 9.8 in certain situations.

“This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication,” Wiseman said. “This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution. This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.”

Wiseman said the most recent time Microsoft patched a similar vulnerability — last August in CVE-2021-36942 — it was also being exploited in the wild under the name “PetitPotam.”

“CVE-2021-36942 was so bad it made CISA’s catalog of Known Exploited Vulnerabilities,” Wiseman said.

Seven of the flaws fixed today earned Microsoft’s most-dire “critical” label, which it assigns to vulnerabilities that can be exploited by malware or miscreants to remotely compromise a vulnerable Windows system without any help from the user.

Among those is CVE-2022-26937, which carries a CVSS score of 9.8, and affects services using the **Windows Network File System** (NFS). **Trend Micro’s Zero Day Initiative** notes that this bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems.

“NFS isn’t on by default, but it’s prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix,” ZDI’s **Dustin Childs** wrote. “If this describes your environment, you should definitely test and deploy this patch quickly.”

Once again, this month’s Patch Tuesday is sponsored by **Windows Print Spooler**, a core Windows service that keeps spooling out the security hits. May’s patches include four fixes for Print Spooler, including two information disclosure and two elevation of privilege flaws.

“All of the flaws are rated as important, and two of the three are considered more likely to be exploited,” said **Satnam Narang**, staff research engineer at **Tenable**. “Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation of Privilege flaws in particular should be carefully prioritized, as we’ve seen ransomware groups like Conti favor them as part of its playbook.”

Other Windows components that received patches this month include **.NET** and **Visual Studio**, **Microsoft Edge** (Chromium-based), **Microsoft Exchange Server**, **Office,** **Windows Hyper-V**, **Windows Authentication Methods**, **BitLocker**, **Remote Desktop Client**, and **Windows Point-to-Point Tunneling Protocol**.

Also today, Adobe issued five security bulletins to address at least 18 flaws in **Adobe CloudFusion**, **Framemaker**, **InCopy**, **InDesign**, and **Adobe Character Animator**. Adobe said it is not aware of any exploits in the wild for any of the issues addressed in today’s updates.

For a more granular look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the skinny on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

Microsoft Patch Tuesday, May 2022 Edition

Microsoft's May 2022 Patch Tuesday contains several bugs in ubiquitous software that could affect millions of machines, researchers warn.

Microsoft squashed 74 security vulnerabilities with its May 2022 Patch Tuesday update, including an important-rated zero-day bug that's being actively exploited in the wild and several that are likely widely present across enterprises.

It also patched seven critical flaws, 65 other important-rated bugs, and one low-severity issue. The fixes run the gamut of the computing giant's portfolio, including: Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol.

**3 Zero-Days, 1 Actively Exploited**  
The actively exploited bug (CVE-2022-26925) is a Windows LSA-spoofing vulnerability that rates 8.1 out of 10 on the CVSS vulnerability-severity scale – however, Microsoft notes in its advisory that it should be bumped up to critical (CVSS 9.8) if used in Windows NT LAN Manager (NTLM) relay attacks.

"\[A\]n unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," Microsoft warns in its advisory – a concerning situation considering that domain controllers provide high-level access to privileges.

Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server – which they can then use to authenticate to the remote server with the compromised user's privileges.

That said, the bug is tougher to exploit than most, explains Trend Micro Zero Day Initiative (ZDI) researcher Dustin Childs in a Tuesday blog. "The threat actor would need to be in the logical network path between the target and the resource requested (e.g., man-in-the-middle), but since this is listed as under active attack, someone must have figured out how to make that happen."

Tyler Reguly, manager of security R&D at Tripwire, tells Dark Reading that the bug could be related to a previously seen threat known as PetitPotam, which emerged in July to allow attackers to force remote Windows systems to reveal easily crackable password hashes.

"Based on Microsoft’s provided links, this looks to be related to the previous PetitPotam patch," he notes, adding that researchers will be guessing about that. "This is a prime example of where detailed executive summaries that explain what is happening were useful in the past. It would be great if Microsoft could return to providing those on a regular basis," he says.

Microsoft also patched two other zero-days, including a critical bug (CVE-2022-29972, CVSS not available) in Insight Software's Magnitude Simba Amazon Redshift ODBC Driver – "a third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory," as ZDI's Childs explains.

He adds, "This update is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services."

The final zero-day (CVE-2022-22713, CVSS 5.6) is an important-rated bug in Windows Hyper-V that could allow denial-of-service (DoS).

**Leading Lights: Critical Microsoft Security Bugs to Patch Now**  
As far as other patches for admins to prioritize this month, some of the critical-rated issues are far-reaching across organizational infrastructure and could affect millions of companies, researchers warn.

"The big news is the critical vulnerabilities that need to be highlighted for immediate action," Chris Hass, director of security at Automox, tells Dark Reading. "This month features vulnerabilities in a number of applications that are prevalent in most enterprise organizations, including NSF, Remote Desktop Client, and Active Directory."

For instance, the critical bug affecting Windows Network File System, or NFS (CVE-2022-26937, CVSS 9.8) could allow unauthenticated remote code-execution (RCE) in the context of the highly privileged NFS service, according to Microsoft's advisory. To boot, its ubiquity is Log4j-like: It "is present in every Windows Server version from 2008 forward," Hass says, "which puts most organizations at risk if action isn't taken quickly."

Further, "these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data, often part of a ransom attempt," Kevin Breen, director of cyber threat research at Immersive Labs, tells Dark Reading.

In terms of who should especially prioritize the patch, "NFS isn't on by default, but it's prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly," Childs warns.

As for other critical bugs to consider, Breen flags CVE-2022-22017 (CVSS 8.8), an RCE issue in the also-ubiquitous Remote Desktop (RDP) Client.

"With more remote workers than ever, enterprises need to put anything affecting RDP on the radar — especially given its popularity with ransomware actors and access brokers," he warns.

The Active Directory bug (CVE-2022-26923, CVSS 8.8) is found in Domain Services and could allow elevation of privilege thanks to an issue with the issuance of certificates. ZDI, which reported the bug, says that an attacker can gain access to a certificate to authenticate to a DC with a high level of privilege, allowing any domain-authenticated user to become a domain admin if Active Directory Certificate Services are running.

"This is a very common deployment," Childs says. "Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later."

Of less concern, Breen says, are a group of 10 RCE bugs in LDAP (the most severe, CVE-2022-22012, has a CVSS score of 9.8). These "appear particularly threatening; however, they have been marked by Microsoft as 'exploitation less likely' as they require a default configuration unlikely to exist in most environments," he notes. "It's not to say there is no need to patch these, rather a reminder that context is important when prioritizing patches."

**The Worst of the Rest**  
A handful of other vulnerabilities that also stood out to researchers are worth noting here, starting with Windows Print Spooler, which has long presented an attractive bull's-eye for cyberattackers.

"There were several Windows Print Spooler vulnerabilities patched this month, including two information disclosure flaws (CVE-2022-29114, CVE-2022-29140) and two elevation of privilege flaws (CVE-2022-29104, CVE-2022-29132)," Satnam Narang, staff research engineer at Tenable, tells Dark Reading. "All of the flaws are rated as important, and two of the three are considered more likely to be exploited. Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation-of-privilege flaws in particular should be carefully prioritized, as we've seen ransomware groups like Conti favor them as part of its playbook."

Breen also highlighted two other important-rated bugs as patching priorities:

*   CVE-2022-29108, a remotely executable flaw in Sharepoint that could likely be abused by an attacker seeking to move laterally across an organization. "Requiring authenticated access to exploit, it could be used by a threat actor to steal confidential information or inject documents with malicious code or macros that could be part of a wider attack chain," Breen warns.
*   A bug in Azure Data Factory (no CVE assigned) is remotely exploitable and can expose an enterprise’s confidential data, according to Breen.

Virsec CTO and co-founder Satya Gupta says that overall, the broader context of Microsoft's patching trends is important to consider for defenders. Specifically, in the last year, more than a third of the patches (1,330, or 36%) are for RCE issues.

"This of course represents a massive opportunity for malicious actors to compromise nearly any customer," he says. "In total, several of May's vulnerabilities represent a Log4j level of exposure, particularly if you consider what it would take to patch millions of servers."

What to Patch Now: Actively Exploited Windows Zero-Day Threatens Domain Controllers

In getNodeValue of USCCDMPlugin.java, there is a possible disclosure of ICCID due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-212573046References: N/A

_Published May 2, 2022_

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2022-05-05 or later address all issues in this bulletin and all issues in the May 2022 Android Security Bulletin. To learn how to check a device's security patch level, see Check and update your Android version.

All supported Google devices will receive an update to the 2022-05-05 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the May 2022 Android Security Bulletin, Google devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Pixel**

    

CVE

References

Type

Severity

Component

CVE-2022-20120

A-203213034\*

RCE

Critical

Bootloader

CVE-2022-20117

A-217475903\*

ID

Critical

Titan-M

CVE-2021-4083

A-216408350  
Upstream kernel

EoP

High

Kernel

CVE-2022-20118

A-205707793\*

EoP

High

Kernel

CVE-2022-20119

A-213170715\*

ID

High

Display/Graphics

CVE-2022-20121

A-212573046\*

ID

High

USCCDMService

**Qualcomm components**

   

CVE

References

Severity

Component

CVE-2021-35084

A-204909067  
QC-CR#3001178

Moderate

WLAN

CVE-2021-35085

A-204012850  
QC-CR#3001331

Moderate

WLAN

CVE-2021-35092

A-204909309  
QC-CR#2985885 \[2\]

Moderate

Modem

CVE-2021-35098

A-190503256  
QC-CR#2966419

Moderate

Audio

**Qualcomm closed-source components**

   

CVE

References

Severity

Component

CVE-2021-35079

A-204908838\*

Moderate

Closed-source component

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Pixel Community forum.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2022-05-05 or later address all issues associated with the 2022-05-05 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**Versions**

  

Version

Date

Notes

1.0

May 2, 2022

Bulletin Published

CVE-2022-20121: Pixel Update Bulletin—May 2022  |  Android Open Source Project

In CarSetings, there is a possible to pair BT device bypassing user's consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-216190509

_Published May 2, 2022_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2022-05-05 or later from the May 2022 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The issue in this bulletin is a high security vulnerability in the AAOS component that could enable attacker to pair a BT device without the users consent. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the May 2022 Android Security Bulletin, the May 2022 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2022-05-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-05-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**AAOS**

The vulnerability in this section could enable attacker to pair a BT device without the users consent.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39738

A-216190509

EoP

High

10, 11, 12, 12L

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2022-05-01 or later address all issues associated with the 2022-05-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-05-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-05-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

May 2, 2022

Bulletin Published

CVE-2021-39738: Android Automotive OS Update Bulletin—May 2022  |  Android Open Source Project

Windows Graphics Component Remote Code Execution Vulnerability.

CVE-2022-26927

Visual Studio Remote Code Execution Vulnerability.

CVE-2022-29148

Microsoft Windows Media Foundation Remote Code Execution Vulnerability.

Tag

#rce