Today’s VERT Alert addresses Microsoft’s May 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1002 on Wednesday, May 11th.

CVE-2022-26925

In-The-Wild & Disclosed CVEs

Based on Microsoft’s limited documentation, this appears to be a resurgence and/or improved version of PetitPotam. This month’s security guidance links to both the advisory and KB previously released for PetitPotam. Microsoft has described this as a man-in-the-middle attack, which makes the CVSS Attack Complexity metric High, lowering the CVSS score to 8.1.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2022-29972

This vulnerability exists within a third-party Open Database Connectivity (ODBC) driver that is used within Azure Data Factory and Azure Synapse pipelines. Microsoft has released a blog post detailing the issue and the mitigations they applied as well as providing the detections they have made available via Microsoft Defender for Endpoint and Microsoft Defender Antivirus. In addition to the blog post, Microsoft also released an advisory about upcoming improvements.

Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.

CVE-2022-22713

A race condition in Microsoft Hyper-V could lead to a denial of service. Based on the security guidance only Windows 10 20H2, 21H1, and 21H2, along with Windows Server 20H2 are impacted by this vulnerability.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.

  • Traditional Software
  • Mobile Software
  • Cloud or Cloud Adjacent
  • Vulnerabilities that are being exploited or that (Read more...)