Known Vulnerabilities for Windows Server 2022 #1
Ensuring the security of our digital infrastructure is a collective responsibility, and to fulfill this duty, we must stay abreast of the latest vulnerabilities and threats. Today, I'd like to spotlight the identified vulnerabilities for Windows Server 2022, Microsoft's latest server operating system.
SMB over QUIC Exploited for DoS Attacks
QUIC, conceptualized by Google, is a transport layer protocol that addresses the challenges of connection reliability, security, latency, and packet losses using UDP. Microsoft's flavor of QUIC, known as MsQuic, finds its application in SMB and HTTP/3 on Windows Server 2022.
Spotting the Vulnerability: Researchers at Akamai disclosed that attackers are leveraging this flaw to launch DoS (Denial of Service) attacks. Here's a step-by-step account of the process:
The weakness appears when the received SMB message size is less than 4 bytes, prompting the system to compensate by reading the subsequent packets.
Exploitation Mechanics: Attackers can sidestep the size limitation by splitting the size across two packets. A successful DoS requires a series of packets to be sent. However, it's worth noting:
Attackers achieve this by establishing numerous connections and sending sequences of QUIC packets that carry multiple frames. The sequence typically involves creating a stream, triggering a 16 MB memory allocation, and then closing the stream.
Protecting Your Systems: The bottom line? Until a comprehensive fix is available, the best defense against this vulnerability is to keep your Windows Server patched. Disabling SMB over QUIC is another preventive measure, though not as robust.
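To make the fallback mitigation concrete, here is an added PowerShell example (not from the original article or from Akamai) that audits whether a Windows Server 2022 host exposes SMB over QUIC and, when run with -Disable, turns the transport off on both the server and client side. It assumes the built-in SmbShare and NetTCPIP modules and an elevated session.

```powershell
# Added example: audit and optionally disable SMB over QUIC on Windows Server 2022.
# Assumes an elevated session; Get/Set-SmbServerConfiguration and
# Get/Set-SmbClientConfiguration come from the built-in SmbShare module.
param([switch]$Disable)

$os = Get-CimInstance Win32_OperatingSystem
if ($os.Caption -notmatch 'Server 2022') {
    Write-Warning "SMB over QUIC ships with Windows Server 2022; this host reports: $($os.Caption)"
}

# Server side: does the SMB server accept QUIC as a transport?
$srv = Get-SmbServerConfiguration
# Client side: will this host initiate SMB over QUIC to remote file servers?
$cli = Get-SmbClientConfiguration

[pscustomobject]@{
    ServerEnableSMBQUIC = $srv.EnableSMBQUIC
    ClientEnableSMBQUIC = $cli.EnableSMBQUIC
} | Format-List

# SMB over QUIC listens on UDP 443; a bound listener confirms network exposure.
Get-NetUDPEndpoint -LocalPort 443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Patching is the primary defense: show the most recent updates for a quick sanity check.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

if ($Disable) {
    Set-SmbServerConfiguration -EnableSMBQUIC $false -Force
    Set-SmbClientConfiguration -EnableSMBQUIC $false -Force
    Write-Output 'SMB over QUIC disabled; re-enable with -EnableSMBQUIC $true once the host is patched.'
}
```

Disabling the transport stops QUIC-based SMB sessions entirely, so confirm no clients depend on it before applying the change.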
Privilege Escalation Vulnerability in Active Directory Domain Service
Dubbed CVE-2022-26923, this flaw grants a low-privileged user the means to escalate their privileges all the way up to a domain administrator. This becomes particularly concerning in default Active Directory settings where the "Active Directory Certificate Services" server role is active.
Here's how it works:
Protecting Your Infrastructure: While Microsoft has addressed CVE-2022-26923 in their May security update, details about this vulnerability and its exploitation techniques are public knowledge. Hence, we cannot stress enough the importance of patching your systems immediately.
Windows LSA Spoofing
This vulnerability opens the door for an unauthenticated attacker to manipulate the LSARPC interface. Through this, they can trick the domain controller into authenticating them using NTLM. The process unfolds as follows:
It's essential to note that this vulnerability is not merely theoretical—CVE-2022-26925 has been identified in active exploitation attempts. While Microsoft has released a fix in their May security update, the exploit details remain publicly accessible. Therefore, patching your systems without delay is paramount.
Additional Notes: Another vulnerability, CVE-2022-26809, is on our radar due to its potential to cause widespread disruptions. The vulnerability lies within RPC, utilized extensively across various Windows and Windows Server versions. The at-risk rpcrt4.dll isn't exclusive to Microsoft services—it's also integrated into other applications.
Both CVE-2022-26923 and CVE-2022-26925 have their exploits available to the public. With this information in the open, it's merely a countdown until malicious entities capitalize on these vulnerabilities.
In Conclusion:
Cybersecurity is an ongoing journey, and staying updated is your best shield. We urge our readers to be proactive and take necessary measures to guard against these vulnerabilities.