Today’s VERT Alert addresses Microsoft’s April 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-996 on Wednesday, April 13th.
In-The-Wild & Disclosed CVEs
While not previously publicly disclosed, Microsoft is reporting that they have seen active exploitation of this vulnerability in the wild. The vulnerability can lead to elevation of privilege by exploiting a flaw in the Windows Common Log File System (CLFS) driver. CLFS is a general-purpose logging service that can be used by both user and kernel-mode software. Patches have been released for CLFS monthly since September 2021 with only one exception – November 2021. From September 2021 until today, we have seen 18 vulnerabilities patched within CLFS.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
This publicly disclosed vulnerability in the Windows User Profile Service leads to elevation of privilege following successful exploitation. Microsoft has listed the attack complexity as high given that it relies on a race condition, however exploit code is already publicly available, including in the Metasploit framework.
Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be bold.
| Tag | CVE Count | CVEs |
| Windows File Explorer | 1 | CVE-2022-26808 |
| Windows Upgrade Assistant | 1 | CVE-2022-24543 |
| Windows Work Folder Service | 1 | CVE-2022-26807 |
| Windows Fax Compose Form | 3 | CVE-2022-26916, CVE-2022-26917, CVE-2022-26918 |
| Windows iSCSI Target Service | 1 | CVE-2022-24498 |
| Microsoft Local Security Authority Server (lsasrv) | 1 | CVE-2022-24493 |
| Windows Installer | 2 | CVE-2022-24530, CVE-2022-24499 |
| Visual Studio | 3 | CVE-2022-24513, CVE-2022-24765, CVE-2022-24767 |
| Windows Common Log File System Driver | 2 | CVE-2022-24521, CVE-2022-24481 |
| Windows Ancillary Function Driver for WinSock | 1 | CVE-2022-24494 |
| Microsoft Windows ALPC | 2 | CVE-2022-24482, CVE-2022-24540 |
| Windows PowerShell | 1 | CVE-2022-26788 |
| Microsoft Office SharePoint | 1 | CVE-2022-24472 |
| Windows Feedback Hub | 1 | CVE-2022-24479 |
| Active Directory Domain Services | 2 | CVE-2022-26814, CVE-2022-26817 |
| Windows Local Security Authority Subsystem Service | 2 | CVE-2022-24496, CVE-2022-24487 |
| Windows Network File System | 2 | CVE-2022-24491, CVE-2022-24497 |
| Windows Cluster Client Failover | 1 | CVE-2022-24489 |
| Microsoft Windows Media Foundation | 1 | CVE-2022-24495 |
| Microsoft Office Excel | 2 | CVE-2022-24473, CVE-2022-26901 |
| Microsoft Graphics Component | 2 | CVE-2022-26920, CVE-2022-26903 |
| Azure SDK | 1 | CVE-2022-26907 |
| Windows Kernel | 1 | CVE-2022-24483 |
| Windows DWM Core Library | 1 | CVE-2022-24546 |
| Windows User Profile Service | 1 | CVE-2022-26904 |
| Windows Telephony Server | 1 | CVE-2022-24550 |
| Windows RDP | 1 | CVE-2022-24533 |
| Windows Defender | 1 | CVE-2022-24548 |
| Azure Site Recovery | 3 | CVE-2022-26896, CVE-2022-26897, CVE-2022-26898 |
| Windows schannel | 1 | CVE-2022-26915 |
| Windows Endpoint Configuration Manager | 1 | CVE-2022-24527 |
| Windows File Server | 2 | CVE-2022-26810, CVE-2022-26827 |
| Power BI | 1 | CVE-2022-23292 |
| .NET Framework | 1 | CVE-2022-26832 |
| Visual Studio Code | 1 | CVE-2022-26921 |
| Role: DNS Server | 16 | CVE-2022-26811, CVE-2022-26812, CVE-2022-26813, CVE-2022-24536, CVE-2022-26815, CVE-2022-26816, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-26829 |
| Windows Media | 1 | CVE-2022-24547 |
| Windows Win32K | 3 | CVE-2022-24474, CVE-2022-26914, CVE-2022-24542 |
| Windows AppX Package Manager | 1 | CVE-2022-24549 |
| Windows Kerberos | 3 | CVE-2022-24486, CVE-2022-24544, CVE-2022-24545 |
| Skype for Business | 2 | CVE-2022-26910, CVE-2022-26911 |
| Microsoft Windows Codecs Library | 1 | CVE-2022-24532 |
| LDAP - Lightweight Directory Access Protocol | 2 | CVE-2022-26919, CVE-2022-26831 |
| Windows Print Spooler Components | 15 | CVE-2022-26786, CVE-2022-26787, CVE-2022-26789, CVE-2022-26790, CVE-2022-26791, CVE-2022-26792, CVE-2022-26793, CVE-2022-26794, CVE-2022-26795, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803 |
| Role: Windows Hyper-V | 9 | CVE-2022-22008, CVE-2022-22009, CVE-2022-23257, CVE-2022-23268, CVE-2022-24537, CVE-2022-24490, CVE-2022-24539, CVE-2022-26783, CVE-2022-26785 |
| Windows App Store | 1 | CVE-2022-24488 |
| Microsoft Edge (Chromium-based) | 26 | CVE-2022-24523, CVE-2022-24475, CVE-2022-26891, CVE-2022-26894, CVE-2022-26895, CVE-2022-26900, CVE-2022-26908, CVE-2022-26909, CVE-2022-26912, CVE-2022-1125, CVE-2022-1127, CVE-2022-1128, CVE-2022-1129, CVE-2022-1130, CVE-2022-1131, CVE-2022-1133, CVE-2022-1134, CVE-2022-1135, CVE-2022-1136, CVE-2022-1137, CVE-2022-1138, CVE-2022-1143, CVE-2022-1145, CVE-2022-1146, CVE-2022-1139, CVE-2022-1232 |
| Windows Remote Procedure Call Runtime | 3 | CVE-2022-24528, CVE-2022-24492, CVE-2022-26809 |
| YARP reverse proxy | 1 | CVE-2022-26924 |
| Microsoft Bluetooth Driver | 1 | CVE-2022-26828 |
| Microsoft Dynamics | 1 | CVE-2022-23259 |
| Windows SMB | 6 | CVE-2022-21983, CVE-2022-24485, CVE-2022-24534, CVE-2022-24500, CVE-2022-24541, CVE-2022-26830 |
| Windows Cluster Shared Volume (CSV) | 3 | CVE-2022-24484, CVE-2022-24538, CVE-2022-26784 |
Other Information
There were no new advisories included with the April Security Guidance.
