May 2022 Microsoft Security Updates
RCEs in the May report:
Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21972
Windows LDAP Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22012
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29128
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29129
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29130
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29131
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29139
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22015
Remote Desktop Client Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22017
Remote Procedure Call Runtime Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22019
Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-23270
Windows Address Book Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26926
Windows Graphics Component Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26927
Windows Network File System Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26937
Microsoft SharePoint Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29108
Microsoft Excel Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29109
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29110
Windows Fax Service Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29115
Visual Studio Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29148
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30129
May 2022 Microsoft Security Updates
Summary table.
SAP security update for May 2022
Publication date: 11/05/2022
Importance: 5 - Critical
Affected resources:
SAP Business One Cloud, version 1.1;
SAP Commerce, versions 1905, 2005, 2105 and 2011;
SAP Customer Profitability Analytics, version 2;
SAP Webdispatcher, versions 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.83 and 7.85;
SAP Netweaver AS for ABAP and Java (ICM), versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, 8.04, KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87 and 8.04;
SAP BusinessObjects Business Intelligence Platform, versions 420 and 430;
SAP NetWeaver Application Server for ABAP and ABAP Platform, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787 and 788;
SAP Employee Self Service (Fiori My Leave Request), version 605;
SAP Host Agent, version 7.22.
Description:
SAP has published several security updates for different products in its monthly bulletin.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-mayo-2022
Intel® NUC Firmware Advisory
Intel ID: INTEL-SA-00654
Advisory Category: Firmware
Impact of vulnerability: Escalation of Privilege
Severity rating: HIGH
Original release: 05/10/2022
Summary:
Potential security vulnerabilities in some Intel® NUCs may allow escalation of privilege.
Intel is releasing firmware updates to mitigate these potential vulnerabilities.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00654.html
HP PC BIOS - May 2022 Security Updates
Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities.
Severity: High
HP Reference: HPSBHF03788 Rev. 2
Release date: May 10, 2022
https://support.hp.com/us-en/document/ish_6184733-6184761-16/hpsbhf03788
SonicWall urges customers to fix SMA 1000 vulnerabilities.
SonicWall warns customers to address several high-risk security flaws impacting its Secure Mobile Access (SMA) 1000 Series line of products.
SonicWall urges customers to address several high-risk security vulnerabilities affecting its Secure Mobile Access (SMA) 1000 Series line of products. An attacker can exploit the vulnerabilities to bypass authorization and, potentially, compromise vulnerable devices.
https://securityaffairs.co/wordpress/131247/security/sonicwall-urges-customers-to-fix-sma-1000-vulnerabilities.html
Vulnerability in the operating system of Zyxel firewalls
Publication date: 16/05/2022
Importance: 4 - High
Affected resources:
USG FLEX 100(W), 200, 500 and 700 with firmware versions ZLD V5.00 through ZLD V5.21 Patch 1.
USG FLEX 50(W) and USG20(W)-VPN with firmware versions ZLD V5.10 through ZLD V5.21 Patch 1.
ATP series with firmware versions ZLD V5.10 through ZLD V5.21 Patch 1.
VPN series with firmware versions ZLD V4.60 through ZLD V5.21 Patch 1.
Description:
Zyxel has published the patch that fixes a command injection vulnerability in the operating system of the firewalls listed under "Affected resources".
https://www.incibe.es/protege-tu-empresa/avisos-seguridad/vulnerabilidad-el-sistema-operativo-los-cortafuegos-zyxel
Apache Releases Security Advisory for Tomcat
Original release date: May 16, 2022
The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to obtain sensitive information.
https://www.cisa.gov/uscert/ncas/current-activity/2022/05/16/apache-releases-security-advisory-tomcat
Microsoft recently observed a campaign targeting SQL servers that, like many attacks, uses brute force methods for initial compromise. What makes this campaign stand out is its use of the in-box utility sqlps.exe.
https://twitter.com/MsftSecIntel/status/1526680337216114693
Multiple vulnerabilities in Aruba products
Publication date: 18/05/2022
Importance: 5 - Critical
Affected resources:
AirWave Management Platform, version 8.2.14.0 and earlier;
Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM), version 6.2.0 and earlier;
Aruba EdgeConnect Enterprise, versions ECOS 9.1.1.3, ECOS 9.0.6.0, ECOS 8.3.6.0 and earlier;
Aruba EdgeConnect Enterprise Orchestrator (on-premises).
Description:
Multiple vulnerabilities in the Expat XML processing library affect Aruba products.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-productos-aruba
Update your Apple devices and avoid these vulnerabilities
Publication date: 17/05/2022
Importance: High
Affected resources
macOS Catalina, versions earlier than 2022-004.
macOS Big Sur, versions earlier than 11.6.6.
macOS Monterey, versions earlier than 12.4.
iOS and iPadOS, versions earlier than 15.5:
iPhone 6s and later,
iPad Pro (all models),
iPad Air 2 and later,
iPad 5th generation and later,
iPad mini 4 and later,
iPod touch (7th generation).
Safari, versions earlier than 15.5.
Description
Apple has identified and fixed out-of-bounds memory read and write, arbitrary code execution and privilege escalation vulnerabilities affecting several of its systems, and therefore recommends updating the affected systems.
https://www.incibe.es/protege-tu-empresa/avisos-seguridad/actualiza-tus-dispositivos-apple-y-evita-estas-vulnerabilidades
VMSA-2022-0014
CVSSv3 Range: 7.8-9.8
Issue Date: 2022-05-18
CVE(s): CVE-2022-22972, CVE-2022-22973
Synopsis:
VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.
https://www.vmware.com/security/advisories/VMSA-2022-0014.html
CVE-2022-1183: Destroying a TLS session early causes assertion failure
Posting date: 18 May 2022
Program impacted: BIND
CVSS Score: 7.0
Severity: High
Versions affected: BIND 9.18.0 -> 9.18.2 and 9.19.0 of the BIND 9.19 development branch
Exploitable: Remotely
Description:
An assertion failure can be triggered if a TLS connection to a configured http TLS listener with a defined endpoint is destroyed too early.
Impact:
On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected.
https://kb.isc.org/docs/cve-2022-1183
ICS Advisory (ICSA-22-139-01)
Mitsubishi Electric MELSEC iQ-F Series
1. EXECUTIVE SUMMARY
CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-F Series
Vulnerabilities: Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause a denial-of-service condition by sending specially crafted packets. A system reset is required for recovery.
https://www.cisa.gov/uscert/ics/advisories/icsa-22-139-01
May 2022
You might see authentication failures on the server or client for services
Status: Resolved
Originating update: OS Build 19042.1706, KB5013942, 2022-05-10
History: Resolved: 2022-05-19, 19:16 PT; Opened: 2022-05-11, 18:38 PT
After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.
https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-20h2#2826msgdesc
https://twitter.com/WindowsUpdate/status/1527400220216025088
VMSA-2022-0015
CVSSv3 Range: 5.8
Issue Date: 2022-05-24
CVE(s): CVE-2022-22977
Synopsis:
VMware Tools for Windows update addresses an XML External Entity (XXE) vulnerability (CVE-2022-22977)
https://www.vmware.com/security/advisories/VMSA-2022-0015.html
Drupal fixes a vulnerability affecting the Guzzle library
Publication date: 26/05/2022
Importance: 3 - Medium
Affected resources:
Drupal versions earlier than:
Drupal 9.3.14,
Drupal 9.2.20.
Description:
A vulnerability has been detected in the Guzzle library, which Drupal modules use to handle HTTP requests and responses to external services.
https://www.incibe.es/protege-tu-empresa/avisos-seguridad/drupal-soluciona-vulnerabilidad-afecta-libreria-guzzel
Citrix Releases Security Updates for ADC and Gateway
Original release date: May 26, 2022
Citrix has released security updates to address vulnerabilities in ADC and Gateway. An attacker could exploit these vulnerabilities to cause a denial-of-service condition.
CISA encourages users and administrators to review Citrix Security Update CTX457048 and apply the necessary updates.
https://www.cisa.gov/uscert/ncas/current-activity/2022/05/26/citrix-releases-security-updates-adc-and-gateway
VMSA-2022-0014.1
CVSSv3 Range: 7.8-9.8
Issue Date: 2022-05-18
Updated On: 2022-05-27
CVE(s): CVE-2022-22972, CVE-2022-22973
Synopsis:
VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.
Impacted Products
VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware vRealize Automation (vRA)
VMware Cloud Foundation
vRealize Suite Lifecycle Manager
Introduction
Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.
https://www.vmware.com/security/advisories/VMSA-2022-0014.html
Multiple Microsoft Office versions impacted by an actively exploited zero-day
A zero-day flaw in Microsoft Office could be exploited by attackers to achieve arbitrary code execution on Windows systems.
The cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML file and then uses the “ms-msdt” scheme to execute PowerShell code.
https://securityaffairs.co/wordpress/131800/hacking/multiple-microsoft-office-versions-zero-day.html
https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection
https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
Multiple vulnerabilities in GitLab
Publication date: 02/06/2022
Identifier: INCIBE-2022-0776
Importance: 5 - Critical
Affected resources:
Versions earlier than 15.0.1, 14.10.4 and 14.9.5 of the products:
GitLab Community Edition (CE),
GitLab Enterprise Edition (EE).
Description:
GitLab has released new versions that fix 8 vulnerabilities: 1 critical, 2 high, 4 medium and 1 low.
Solution:
Update to the latest available version (15.0.1, 14.10.4, 14.9.5 or later).
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-gitlab-0