When looking at the May 2022 Patch Tuesday today, I noticed ten updates that specifically address Remote Code Execution (RCE) vulnerabilities in Windows LDAP. These vulnerabilities are specific to Domain Controllers (in the default configuration), so this sparked my interest in these updates.
Ten Windows LDAP RCE vulnerabilities
Ten Windows LDAP remote code execution vulnerabilities were addressed:
- CVE-2022-22012 Windows LDAP Vulnerability (CVSSv3 9.8/8.5)
- CVE-2022-22013 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
- CVE-2022-22014 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
- CVE-2022-29128 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
- CVE-2022-29129 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
- CVE-2022-29130 Windows LDAP Vulnerability (CVSSv3 9.8/8.5)
- CVE-2022-29131 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
- CVE-2022-29137 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
- CVE-2022-29139 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
- CVE-2022-29141 Windows LDAP Vulnerability (CVSSv3 8.8/7.7)
These vulnerabilities all allow remote code execution on Domain Controllers over the network. For most of the above vulnerabilities, the attacker or targeted user would need an authenticated normal user account. The attacker would send a specially crafted request to a vulnerable Domain Controller. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account.
As the Common Vulnerability Scoring System (CVSS) v3 score of two of these vulnerabilities is 9.8/8.5, the May 2022 cumulative update can be considered a Critical update for Domain Controllers.
Affected Operating Systems
Most of the above vulnerabilities exist in all supported Windows and Windows Server Operating Systems. Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for all Windows Server platforms.
CVE-2022-29130 and CVE-2022-22012 are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.
CVE-2022-29131 only applies to Domain Controllers running Windows Server 2019, Windows Server, version 20H2 and Windows Server 2022.
Call to Action
I urge you to install the necessary security updates on Domain Controllers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations, running as Domain Controllers, in the production environment.