Do I need to take further steps to be protected from this vulnerability?

Because of additional security hardening work for CVE-2022-21978, the following actions should be taken in addition to application of May 2022 security updates:

For customers that have Exchange Server 2016 CU22 or CU23, or Exchange Server 2019 CU11 or CU12 installed

Install the May 2022 SU first and then run one of the following commands using Setup.exe in your Exchange Server installation path (e.g., …\Program Files\Microsoft\Exchange Server\v15\Bin):

• Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains

• Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains

For customers that have Exchange Server 2013 CU23 installed:

Install the May 2022 SU first and then run the following command using Setup.exe in your Exchange Server installation path (e.g., …\Program Files\Microsoft\Exchange Server\v15\Bin):

• Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains

For customers that have any older version of Exchange Server not listed above:

Update your Exchange server to the latest CU, install May 2022 SU and then follow the steps above.

NOTE: You need to run /PrepareAllDomains only once per organization and those changes will apply to all versions of Exchange Server within the organization. When you run /PrepareAllDomains, your account needs to be a member of the Enterprise Admins security group. This might be a different account from the one you use to install the SU.

Please see New Exchange Server Security Update and Hotfix Packaging for more information

According to the CVSS metric, privileges required is high (PR:H). What privileges does an attacker require to exploit this vulnerability?

Successful exploitation of this vulnerability requires the attacker to be authenticated to the Exchange Server as a member of a high privileged group.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

In this case, an attacker with elevated privileges on the Exchange server could gain the rights of a Domain Administrator. This could allow access and controls outside of the expected scope of the targeted functionality.

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

How could an attacker exploit this vulnerability?

An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

Information published.

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

How could an attacker exploit this vulnerability?

An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.

Information published.

What kind of security feature could be bypassed by exploiting this vulnerability?

This Hyper-V vulnerability relates to a Virtual Machine Switch with virtual networking in Hyper-V Network Virtualization (HNV). It might be possible to bypass extended ACLs and other Windows security feature checks.

See Create Security Policies with Extended Port Access Control Lists for information about extended ACLs.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host.

According to the CVSS metric, the Hyper-V attack vector is adjacent (AV:A). What does that mean for this vulnerability?

Where the attack vector metric is Adjacent (A), this represents virtual machines connected via a Hyper-V Network Virtualization (HNV) logical network. This configuration forms an isolation boundary where the virtual machines within the virtual network can only communicate with each other. In this attack vector, the vulnerable component is bound to the network stack, but the attack is limited to systems configured to use the HNV network.

Information published.

What Security Feature might be bypassed by this vulnerability?

The authentication feature could be bypassed as this vulnerability allows impersonation.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications. This is called a man-in-the-middle (MITM) attack.

How could an attacker exploit this vulnerability?

An attacker who successfully exploited this vulnerability could carry out a Man-in-the-Middle (MITM) attack and could decrypt and read or modify TLS traffic between the client and server. There is no impact to the availability of the attacked machine (A:N).

Information published.

How could an attacker exploit this vulnerability? An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.

Is there more information available on how to protect my system?

Yes. Please see ADV210003 Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS).

Are there further actions I need to take to protect my system after I have applied the security update?

Yes. Please see KB5005413 for more information on the steps that you need to take to protect your system. Please note that the combined CVSS score would be 9.8 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS).

Should I prioritize updating domain controllers when I apply the security updates released on May 10, 2022?

Yes. This vulnerability affects all servers but domain controllers should be prioritized in terms of applying security updates.

How will installing the updates that address this CVE impact my environment?

The EFS API OpenEncryptedFileRaw(A/W), often used in backup software, continues to work in all versions of Windows (local and remote), except when backing up to or from a system running Windows Server 2008 SP2. OpenEncryptedFileRaw will no longer work on Windows Server 2008 SP2.

Note: If you are unable to use backup software on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 and later, after installing the updates that address this CVE, contact the manufacturer of your backup software for updates and support.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications. This is called a man-in-the-middle (MITM) attack.

Information published.

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of the vulnerability requires that a user import a specially crafted contact record into the Windows Address Book.

Information published.

How could an attacker exploit this vulnerability?

There are multiple ways an attacker could exploit the vulnerability, such as by either convincing a user to open a specially crafted document, or by convincing a user to visit a webpage that contains specially crafted embedded OpenType fonts. The resulting Remote Code Execution would be within the context of the authenticated local user.

Information published.

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is memory layout - the vulnerability allows an attacker to collect information that facilitates predicting addressing of the memory.

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

Information published.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.

According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires the attacker or targeted user to have specific elevated privileges. As is best practice, regular validation and audits of administrative groups should be conducted.

Information published.

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain kernel memory content.

Information published.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of the vulnerability requires that a user open a specially crafted file.

• In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
• In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of initialized or uninitialized memory in the process heap.

Information published.