Microsoft returned to its normal monthly patching volume in May, disclosing and fixing 74 vulnerabilities as part of the company’s latest security update. This month’s Patch Tuesday includes seven critical vulnerabilities after Microsoft disclosed more than 140 security issues in April.

The point-to-point tunneling feature in Windows contains two of the most serious vulnerabilities, both of which could allow an attacker to execute code remotely on a targeted RAS server machine. While CVE-2022-21972 and CVE-2022-23270 are rated “critical,” Microsoft stated the attack complexity is high because an adversary needs to win a race condition, making it less likely an attacker could exploit these issues.

CVE-2022-26931 and CVE-2022-26923 are elevation of privilege vulnerabilities in Windows Kerberos and Windows Active Directory, respectively. They both are considered critical, though CVE-2022-26931 is considered less likely to be exploited because it has a higher attack complexity.

The Windows Network File System contains the highest-rated vulnerability of the month: CVE-2022-26937, which has a severity score of 9.8 out of a possible 10. An attacker could exploit this vulnerability by making an unauthenticated, specially crafted call to an NFS service to eventually gain the ability to execute code remotely.

May’s Patch Tuesday also features a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver that affects the Windows self-hosted integration runtime service. An attacker could exploit CVE-2022-29972 to execute code remotely, though they would first need the same level of privilege as a Synapse Administrator, Synapse Contributor or Synapse Compute Operator.

Talos would also like to highlight six important vulnerabilities that Microsoft considers to be “more likely” to be exploited:

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 59726 - 59728, 59730, 59731, 59733, 59734, 59737 and 59738. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300125, 300126, 300128, 300129, 300130, 300133 and 300134 - 300137.
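
One way to confirm that the SIDs listed above are present and enabled in a local rules file, as an added example (not Talos or Snort project code). The sample rules are constructed placeholders rather than the real rule bodies, and treating a `#`-prefixed rule line as disabled is an assumption about how the local rules file is laid out.

```python
import re

# SID lists exactly as the post states them (Snort 2 and Snort 3).
SNORT2_SIDS = "59726 - 59728, 59730, 59731, 59733, 59734, 59737 and 59738"
SNORT3_SIDS = "300125, 300126, 300128, 300129, 300130, 300133 and 300134 - 300137"

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def expand_sids(text):
    """Expand a prose SID list ('a - b, c and d') into a sorted list of ints."""
    sids = set()
    for lo, hi in re.findall(r"(\d+)(?:\s*-\s*(\d+))?", text):
        sids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(sids)

def rule_states(rules_text):
    """Map each SID found in the rules text to 'enabled' or 'disabled'."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if not match:
            continue
        sid = int(match.group(1))
        # Assumption: a rule line commented out with '#' is a disabled rule.
        state = "disabled" if stripped.startswith("#") else "enabled"
        # If a SID appears more than once, an enabled copy takes precedence.
        if states.get(sid) != "enabled":
            states[sid] = state
    return states

def coverage(expected_sids, rules_text):
    """Report 'enabled', 'disabled' or 'missing' for every expected SID."""
    states = rule_states(rules_text)
    return {sid: states.get(sid, "missing") for sid in expected_sids}

# Constructed sample input: placeholder rules, not the actual Talos rule text.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed placeholder A"; sid:59726; rev:1;)
# alert tcp any any -> any any (msg:"constructed placeholder B"; sid:59727; rev:1;)
alert tcp any any -> any any (msg:"constructed placeholder C"; sid:59730; rev:1;)
"""

if __name__ == "__main__":
    for sid, state in coverage(expand_sids(SNORT2_SIDS), SAMPLE_RULES).items():
        print(sid, state)
```

Any SID reported as `missing` or `disabled` points to a rule pack that has not been updated or a policy that leaves the rule off.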