
Microsoft Issues Out-of-Band Patch for Flaw Allowing Lateral Movement, Ransomware Attacks

Microsoft this week released an out-of-band security update for its Endpoint Configuration Manager solution to patch a vulnerability that could be useful to malicious actors for moving around in a targeted organization’s network.


The vulnerability is tracked as CVE-2022-37972 and it has been described by Microsoft as a medium-severity spoofing issue. The tech giant has credited Brandon Colley of Trimarc Security for reporting the flaw.

In its advisory, Microsoft said there is no evidence of exploitation, but the vulnerability has been publicly disclosed.

Prajwal Desai has published a brief blog post describing the patch, but Colley told SecurityWeek that he has yet to make public any information and noted that he has been working with Microsoft on coordinated disclosure. The researcher believes that Microsoft’s advisory says the issue has been publicly disclosed because the tech giant is aware that he will talk about it at the BSidesKC conference this weekend.

The researcher expects a blog post detailing CVE-2022-37972 to be published only in November. However, he noted that it is related to an issue described in a July blog post focusing on the attack surface of Microsoft System Center Configuration Manager (SCCM) client push accounts.

SCCM is the previous name of Microsoft Endpoint Configuration Manager (MECM), an on-premises management solution for desktops, servers and laptops, allowing users to deploy updates, apps, and operating systems. One method for deploying the needed client application to endpoints is client push installation, which enables admins to easily and automatically push clients to new devices.

In the July blog post, Colley showed how an attacker with admin privileges on one endpoint could abuse client push installation design flaws to obtain hashed credentials for all configured push accounts.

He warned that since some of these accounts could have domain admin or elevated privileges on several machines in the enterprise, they can be leveraged by threat actors for lateral movement and even as part of a disruptive ransomware attack.


The attack is possible, in part, due to a setting that allows connections to fall back to the less secure NTLM authentication protocol.

[Image: NTLM setting vulnerability in Microsoft Endpoint Configuration Manager]

The MECM vulnerability patched this week by Microsoft with an out-of-band update is related to the use of NTLM authentication. The researcher explained that before Microsoft fixed the flaw, it was possible to force NTLM authentication for the client push account.

“Prior to this patch, it was possible for an attacker to bypass the NTLM connection fallback setting which was previously thought to have prevented the type of attack in my July blog,” Colley told SecurityWeek.
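The article's point is that a push account forced onto NTLM is the thing to watch for. As an added illustration (not code from the article, from Microsoft or from the researcher), the following Python script scans constructed Windows Security log records in the shape of event 4624 (successful logon) and reports network logons that used the NTLM authentication package for an account on a list of ConfigMgr client push accounts. Legitimate push installation is initiated by the site server, so a logon by such an account from any other source is marked for review. The account names, site server address and event text are all hypothetical.

```python
"""Added example (not part of the SecurityWeek article or any Microsoft
tooling): flag NTLM network logons by ConfigMgr client push accounts in
Windows Security event 4624 records, so that an NTLM fallback by a
privileged push account is surfaced for review instead of going unnoticed."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of Security log 4624/4625 events flattened to
# key=value text. Account names, hosts and addresses are hypothetical.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=svc-sccm-push TargetDomainName=CORP AuthenticationPackageName=Kerberos LogonType=3 IpAddress=10.0.5.21 WorkstationName=SCCM01
EventID=4624 TargetUserName=svc-sccm-push TargetDomainName=CORP AuthenticationPackageName=NTLM LogonType=3 IpAddress=10.0.7.44 WorkstationName=WS-FIN-17
EventID=4624 TargetUserName=jdoe TargetDomainName=CORP AuthenticationPackageName=NTLM LogonType=2 IpAddress=127.0.0.1 WorkstationName=WS-FIN-17
EventID=4625 TargetUserName=svc-sccm-push TargetDomainName=CORP AuthenticationPackageName=NTLM LogonType=3 IpAddress=10.0.7.44 WorkstationName=WS-FIN-17
EventID=4624 TargetUserName=svc-sccm-push2 TargetDomainName=CORP AuthenticationPackageName=NTLM LogonType=3 IpAddress=10.0.9.3 WorkstationName=WS-HR-02
"""

# Hypothetical inventory: the configured client push accounts and the
# site server(s) that legitimately initiate client push installation.
PUSH_ACCOUNTS: Set[str] = {"svc-sccm-push", "svc-sccm-push2"}
SITE_SERVER_IPS: Set[str] = {"10.0.5.21"}


@dataclass
class Finding:
    account: str
    source_ip: str
    workstation: str
    from_site_server: bool


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' event line into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def find_ntlm_push_logons(text: str, push_accounts: Set[str],
                          site_server_ips: Set[str]) -> List[Finding]:
    """Return successful (4624) network (LogonType 3) logons that used the
    NTLM package for an account in push_accounts. from_site_server is False
    when the logon did not originate from a known site server, which is the
    case a defender most wants to look at: push installation should only
    ever be driven from the site server."""
    wanted = {a.lower() for a in push_accounts}
    findings: List[Finding] = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":          # only successful logons
            continue
        if ev.get("LogonType") != "3":           # only network logons
            continue
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue                              # Kerberos is the expected path
        account = ev.get("TargetUserName", "").lower()
        if account not in wanted:
            continue
        ip = ev.get("IpAddress", "-")
        findings.append(Finding(account, ip, ev.get("WorkstationName", "-"),
                                ip in site_server_ips))
    return findings


if __name__ == "__main__":
    for f in find_ntlm_push_logons(SAMPLE_EVENTS, PUSH_ACCOUNTS, SITE_SERVER_IPS):
        flag = "expected source" if f.from_site_server else "UNEXPECTED SOURCE"
        print(f"NTLM logon by push account {f.account} from {f.source_ip} "
              f"({f.workstation}): {flag}")
```

Run against the embedded sample, the script reports two NTLM logons by push accounts, both from hosts that are not the site server; the Kerberos logon from the site server, the failed (4625) attempt and the unrelated user's interactive logon are ignored. In a real deployment the records would come from a SIEM or `Get-WinEvent` export, and the push account list from the site's client push installation settings.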

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged administrators to review Microsoft’s advisory and apply the necessary updates.

Related: Microsoft Patch Tuesday: 84 Windows Vulns, Including Already-Exploited Zero-Day

Related: Already Exploited Zero-Day Headlines Microsoft Patch Tuesday

Related: Microsoft Confirms Exploitation of ‘Follina’ Zero-Day Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
