Microsoft security alert.
May 10, 2022
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 74 vulnerabilities that were fixed in 15 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 15 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Office Security Update for May 2022
- Severity
- Critical 4
- Qualys ID
- 110407
- Vendor Reference
- KB4484347, KB4493152, KB5002184, KB5002187, KB5002196, KB5002199, KB5002204, KB5002205
- CVE Reference
- CVE-2022-29107, CVE-2022-29109, CVE-2022-29110
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft has released April 2022 security updates to fix multiple security vulnerabilities.
This security update contains the following:
Office Click-2-Run and Office 365 Release Notes
KB5002199
KB5002204
KB5002187
KB4484347
KB5002196
KB5002205
KB4493152
KB5002184
QID Detection Logic:
This authenticated QID compares the file versions listed in the Microsoft advisory with the versions on the affected Office system.
Note: Office Click-2-Run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Office Click-2-Run and Office 365 Release Notes
KB5002199
KB5002204
KB5002187
KB4484347
KB5002196
KB5002205
KB4493152
KB5002184
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft office April 2022
-
Microsoft SharePoint Server and Foundation Update for May 2022
- Severity
- Critical 4
- Qualys ID
- 110408
- Vendor Reference
- KB5002194, KB5002195, KB5002203, KB5002207
- CVE Reference
- CVE-2022-29108
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft has released May 2022 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5002203
KB5002194
KB5002207
KB5002195
QID Detection Logic:
This authenticated QID compares the file versions from the above Microsoft KB articles with the versions on the affected SharePoint system.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
KB5002203
KB5002194
KB5002207
KB5002195
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft SharePoint Foundation and SharePoint Server
-
Microsoft Visual Studio Code Remote Code Execution (RCE) Vulnerability for May 2022
- Severity
- Critical 4
- Qualys ID
- 376584
- Vendor Reference
- CVE-2022-30129
- CVE Reference
- CVE-2022-30129
- CVSS Scores
- Base 6.8 / Temporal 5.3
- Description
-
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.
Affected Versions:
Visual Studio Code prior to version 1.67.1
QID Detection Logic(Authenticated):
This QID checks for the vulnerable versions of Visual Studio Code.
- Consequence
-
Visual Studio Code is prone to Remote Code Execution
- Solution
-
Customers are advised to refer to CVE-2022-30129 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-30129
-
Microsoft Exchange Server Elevation of Privilege Vulnerability for May 2022
- Severity
- Critical 4
- Qualys ID
- 50120
- Vendor Reference
- KB5014260, KB5014261
- CVE Reference
- CVE-2022-21978
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
Microsoft Exchange Server is prone to multiple vulnerabilities:
Microsoft Exchange Server Elevation of Privilege Vulnerability
KB Articles associated with this update are: KB5014261, KB5014260
Affected Versions:
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 11
Microsoft Exchange Server 2019 Cumulative Update 12
Microsoft Exchange Server 2016 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 22
QID Detection Logic (authenticated):
The QID checks for the version of file Exsetup.exe.
- Consequence
-
Successful exploitation allows Elevation of privilege.
- Solution
-
Customers are advised to refer to KB5014261 KB5014260 for information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5014260
KB5014261
-
Microsoft Visual Studio Security Update for May 2022
- Severity
- Serious 3
- Qualys ID
- 91895
- Vendor Reference
- CVE-2022-23267, CVE-2022-29117, CVE-2022-29145
- CVE Reference
- CVE-2022-23267, CVE-2022-29117, CVE-2022-29145
- CVSS Scores
- Base 5 / Temporal 4.1
- Description
-
Microsoft has released security updates for Visual Studio that resolve Remote Code Execution and Denial of Service vulnerabilities.
Affected Software:
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft Visual Studio 2022 Version 17.0
and Microsoft Visual Studio 2022 Version 17.1
QID Detection Logic: Authenticated
This QID detects vulnerable versions of Microsoft Visual Studio by checking the file version of the Visual Studio.
- Consequence
-
Microsoft Visual Studio 2019 16.9, 2022 17.0, and 2022 17.1 versions are prone to Denial of Service Vulnerabilities
- Solution
-
Customers are advised to refer to CVE-2022-29117, CVE-2022-29145, and CVE-2022-23267 for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-23267
CVE-2022-29117
CVE-2022-29145
CVE-2022-29148
-
Microsoft Windows Cluster Shared Volume (CSV) Multiple Vulnerabilities for May 2022
- Severity
- Critical 4
- Qualys ID
- 91896
- Vendor Reference
- KB5013941, KB5013942, KB5013944, KB5013952, KB5014001, KB5014011, KB5014017, KB5014018
- CVE Reference
- CVE-2022-29102, CVE-2022-29120, CVE-2022-29122, CVE-2022-29123, CVE-2022-29134, CVE-2022-29135, CVE-2022-29138, CVE-2022-29150, CVE-2022-29151
- CVSS Scores
- Base 6.9 / Temporal 5.1
- Description
-
Microsoft releases the security update for Windows Cluster Shared Volume
The KB Articles associated with the update:
KB5014001
KB5014011
KB5014017
KB5014018
KB5013952
KB5013944
KB5013941
KB5013942
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB5014001-6.3.9600.20369
KB5014011-6.3.9600.20369
KB5014017-6.2.9200.23711
KB5014018-6.2.9200.23711
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to KB5014001, KB5014011, KB5014017, KB5014018, KB5013952, KB5013944, KB5013942, KB5013941.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5013941
KB5013942
KB5013944
KB5013952
KB5014001
KB5014011
KB5014017
KB5014018
-
Microsoft Windows Security Update for May 2022
- Severity
- Critical 4
- Qualys ID
- 91897
- Vendor Reference
- KB5013941, KB5013942, KB5013943, KB5013944, KB5013945, KB5013952, KB5013963, KB5013999, KB5014001, KB5014006, KB5014010, KB5014011, KB5014012, KB5014017, KB5014018, KB5014025
- CVE Reference
- CVE-2022-21972, CVE-2022-22011, CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-22015, CVE-2022-22016, CVE-2022-22019, CVE-2022-22713, CVE-2022-23270, CVE-2022-23279, CVE-2022-24466, CVE-2022-26913, CVE-2022-26923, CVE-2022-26925, CVE-2022-26926, CVE-2022-26927, CVE-2022-26930, CVE-2022-26931, CVE-2022-26933, CVE-2022-26934, CVE-2022-26935, CVE-2022-26936, CVE-2022-29103, CVE-2022-29104, CVE-2022-29105, CVE-2022-29112, CVE-2022-29113, CVE-2022-29114, CVE-2022-29115, CVE-2022-29121, CVE-2022-29125, CVE-2022-29126, CVE-2022-29127, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29132, CVE-2022-29137, CVE-2022-29139, CVE-2022-29140, CVE-2022-29141, CVE-2022-29142, CVE-2022-30138
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Windows Security Update - May 2022
The KB Articles associated with the update:
5013952
5013941
5013963
5013942
5013943
5014011
5014001
5014017
5014018
5014012
5013999
5014010
5014006
5014025
5013944
5013945
This QID checks for the file version of ntoskrnl.exe
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to the 5013952
5013941
5013963
5013942
5013943
5014011
5014001
5014017
5014018
5014012
5013999
5014010
5014006
5014025
5013944
5013945
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5013941
KB5013942
KB5013943
KB5013944
KB5013945
KB5013952
KB5013963
KB5013999
KB5014001
KB5014006
KB5014010
KB5014011
KB5014012
KB5014017
KB5014018
KB5014025
-
Microsoft .NET Security Update for May 2022
- Severity
- Serious 3
- Qualys ID
- 91898
- Vendor Reference
- CVE-2022-23267, CVE-2022-29117, CVE-2022-29145
- CVE Reference
- CVE-2022-23267, CVE-2022-29117, CVE-2022-29145
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
Microsoft has released a security update for .NET that resolves a Denial of Service vulnerability.
This security update is rated Important for supported versions of .NET.
Affected versions:
.NET 5.0 before version 5.0.17
.NET 6.0 before version 6.0.5
and .NET Core 3.1 before version 3.1.25
QID Detection Logic: Authenticated
This QID detects vulnerable versions of Microsoft .NET Core by checking the file version on windows.
- Consequence
-
Successful exploitation of this vulnerability could lead to denial of service.
- Solution
-
Customers are advised to refer to CVE-2022-23267, CVE-2022-29117, and CVE-2022-29145 for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-23267
CVE-2022-29117
CVE-2022-29145
-
Microsoft Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability for May 2022
- Severity
- Critical 4
- Qualys ID
- 91899
- Vendor Reference
- KB5013941, KB5013942, KB5013944, KB5013952
- CVE Reference
- CVE-2022-29106
- CVSS Scores
- Base 4.4 / Temporal 3.3
- Description
-
Microsoft Hyper-V, known before its release as Windows Server Virtualization, is a native hypervisor. It can create virtual machines on x86-64 systems running Windows.
Microsoft releases the security update for Windows May 2022.
The KB Articles associated with the update:
KB5013952
KB5013942
KB5013944
KB5013941
This QID checks for the file version of ntoskrnl.exe
- Consequence
-
Successful exploitation could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to the KB5013952
KB5013942
KB5013944
KB5013941
Patches:
The following are links for downloading patches to fix these vulnerabilities:
5013941
5013942
5013944
5013952
-
Microsoft Windows Network File System (NFS) Remote Code Execution (RCE) Vulnerability for May 2022
- Severity
- Critical 4
- Qualys ID
- 91900
- Vendor Reference
- CVE-2022-26937
- CVE Reference
- CVE-2022-26937
- CVSS Scores
- Base 7.5 / Temporal 5.9
- Description
-
Microsoft Windows Network File System is vulnerable to Remote Code Execution Vulnerability.
This vulnerability is not exploitable in NFSV4.1.
The KB Articles associated with the update are:
5013941
5013942
5013944
5013952
5013999
5014001
5014006
5014010
5014011
5014012
5014017
5014018
QID Detection Logic (Authenticated):
This QID checks for the file version of nfssvr.sys.
- Consequence
-
An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.
- Solution
-
Please refer to the CVE-2022-26937 for more information pertaining to these vulnerabilities.
Workaround:
Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV2 and NFSV3. This may adversely affect your ecosystem and should only be used as a temporary mitigation.
The following PowerShell command will disable those versions:
PS C:\> Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-26937
-
Microsoft Windows Remote Desktop Protocol (RDP) Multiple Vulnerabilities for May 2022
- Severity
- Critical 4
- Qualys ID
- 91901
- Vendor Reference
- CVE-2022-22017, CVE-2022-26940
- CVE Reference
- CVE-2022-22017, CVE-2022-26940
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
The Remote Desktop client for Windows Desktop is used to access Windows apps and desktops remotely from a different Windows device.
CVE-2022-26940: Remote Desktop Protocol Client Information Disclosure Vulnerability.
CVE-2022-22017: Remote Desktop Client Remote Code Execution Vulnerability.
Affected Versions:
Windows Remote Desktop Client versions prior to version 1.2.3130
QID Detection Logic (Authenticated):
This QID checks for a vulnerable Remote Desktop client.
- Consequence
-
Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user.
- Solution
-
Customers are advised to refer to Microsoft Advisory CVE-2022-26940 and CVE-2022-22017 for more details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-22017
CVE-2022-26940
-
Microsoft Windows 11 Kernel Multiple Vulnerabilities for May 2022
- Severity
- Critical 4
- Qualys ID
- 91903
- Vendor Reference
- KB5013943
- CVE Reference
- CVE-2022-29116, CVE-2022-29133
- CVSS Scores
- Base 7.2 / Temporal 5.6
- Description
-
Microsoft releases the security update for Windows May 2022
The KB Article associated with the update:
KB5013943
QID Detection Logic:
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
10.0.22000.675 - KB5013943
- Consequence
-
Successful Exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to the advisories
KB5013943
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5013943
-
Microsoft .NET Framework Denial of Service (DoS) Vulnerability for May 2022
- Severity
- Serious 3
- Qualys ID
- 91904
- Vendor Reference
- KB5013624, KB5013625, KB5013627, KB5013628, KB5013630, KB5013837, KB5013838, KB5013839, KB5013840, KB5013868, KB5013870, KB5013871, KB5013872, KB5013873, KB5013952
- CVE Reference
- CVE-2022-30130
- CVSS Scores
- Base 4.3 / Temporal 3.2
- Description
-
A denial of service vulnerability exists in Microsoft .NET Framework.
Following KBs are covered in this detection:
KB5013624
KB5013625
KB5013627
KB5013628
KB5013630
KB5013837
KB5013838
KB5013839
KB5013840
KB5013868
KB5013870
KB5013871
KB5013872
KB5013873
KB5013952
This security update is rated Important for supported versions of Microsoft .NET Framework.
.NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 and 4.8
QID Detection Logic (Authenticated):
- Checks for vulnerable version of Mscorlib.dll for .Net Framework
- Consequence
-
Successful exploitation allows an attacker to cause a denial of service.
- Solution
-
Customers are advised to refer to CVE-2022-30130 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-30130
-
Microsoft Visual Studio 15.9 (15.0-15.8) Remote Code Execution (RCE) Vulnerability for May 2022
- Severity
- Serious 3
- Qualys ID
- 91905
- Vendor Reference
- CVE-2022-29148
- CVE Reference
- CVE-2022-29148
- CVSS Scores
- Base 6.8 / Temporal 5.6
- Description
-
Microsoft has released security updates for Visual Studio that resolve a Remote Code Execution vulnerability.
Affected Software:
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
QID Detection Logic: Authenticated
This QID detects vulnerable versions of Microsoft Visual Studio by checking the file version of the Visual Studio.
- Consequence
-
Microsoft Visual Studio 2017 version 15.9 is prone to Remote Code Execution vulnerability
- Solution
-
Customers are advised to refer to CVE-2022-29148 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-29148
-
Microsoft Windows Storage Spaces Controller Multiple Vulnerabilities for May 2022
- Severity
- Serious 3
- Qualys ID
- 91906
- Vendor Reference
- KB5013941, KB5013942, KB5013944, KB5013952
- CVE Reference
- CVE-2022-26932, CVE-2022-26938, CVE-2022-26939
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
Microsoft releases the security update for Windows Cluster Shared Volume
The KB Articles associated with the update:
KB5013952
KB5013944
KB5013941
KB5013942
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB5013941-10.0.17763.2928
KB5013944-10.0.20348.707
KB5013952-10.0.14393.5125
KB5013942-10.0.19041.1706
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to KB5013952, KB5013944, KB5013942, KB5013941.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5013941
KB5013942
KB5013944
KB5013952
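The ntoskrnl.exe version checks listed for QIDs 91896, 91903 and 91906 can be reproduced by hand on a single host; the PowerShell below is an added example, not Qualys detection code. The names Test-KernelPatchLevel and $PatchedFloor are hypothetical, the version floors are the KB/version pairs given on this page, and it assumes a file version at or above the listed one means that update or a later cumulative update is installed.

```powershell
# Minimum patched ntoskrnl.exe versions, copied from the KB/version pairs
# listed on this page. Keyed by major.minor.build of the file version.
$PatchedFloor = @{
    '6.2.9200'   = @{ Revision = 23711; KB = 'KB5014017 / KB5014018' }
    '6.3.9600'   = @{ Revision = 20369; KB = 'KB5014001 / KB5014011' }
    '10.0.14393' = @{ Revision = 5125;  KB = 'KB5013952' }
    '10.0.17763' = @{ Revision = 2928;  KB = 'KB5013941' }
    '10.0.19041' = @{ Revision = 1706;  KB = 'KB5013942' }
    '10.0.20348' = @{ Revision = 707;   KB = 'KB5013944' }
    '10.0.22000' = @{ Revision = 675;   KB = 'KB5013943' }
}

function Test-KernelPatchLevel {
    # Hypothetical helper: classifies one ntoskrnl.exe file version.
    param(
        [Parameter(Mandatory)]
        [version]$FileVersion
    )
    $branch = '{0}.{1}.{2}' -f $FileVersion.Major, $FileVersion.Minor, $FileVersion.Build
    $floor  = $PatchedFloor[$branch]
    if (-not $floor) {
        # Build branch not in the page's tables: report it, do not guess.
        return [pscustomobject]@{ Version = $FileVersion; Status = 'Unknown'; KB = $null }
    }
    # Within one branch only the fourth field (revision) moves with updates.
    $status = if ($FileVersion.Revision -ge $floor.Revision) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{ Version = $FileVersion; Status = $status; KB = $floor.KB }
}

# Local host. The numeric *Part fields are used instead of the FileVersion
# string, which can carry trailing branch text that [version] cannot parse.
$vi    = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo
$local = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                        $vi.FileBuildPart, $vi.FilePrivatePart)
Test-KernelPatchLevel -FileVersion $local

# Constructed sample versions (not taken from real hosts) covering a version
# below the floor, two exactly at the floor, and a branch absent from the page.
'10.0.17763.2803', '10.0.19041.1706', '6.3.9600.20369', '10.0.18363.1000' |
    ForEach-Object { Test-KernelPatchLevel -FileVersion ([version]$_) }
```

An 'Unknown' result means the build branch has no floor in this advisory and needs a lookup in the relevant KB article rather than a pass.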
These new vulnerability checks are included in Qualys vulnerability signature 2.5.474-6. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110407
- 110408
- 376584
- 50120
- 91895
- 91896
- 91897
- 91898
- 91899
- 91900
- 91901
- 91903
- 91904
- 91905
- 91906
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.