Too many organisations risk cyberattacks via enabled legacy code they do not need. The warning comes in the wake of LRQA’s cybersecurity team discovering a second high-risk vulnerability in Microsoft’s VPN protocol.
The vulnerability, called CVE-2022-23270, formed part of Microsoft’s 10th May Patch Tuesday release. Everyone should install it as quickly as possible.
Introducing CVE-2022-23270
Sitting in the heart of Microsoft’s VPN protocol, and dating back two decades, CVE-2022-23270 is a Use-After-Free (UAF) vulnerability. It relates to two pieces of code operating on the same structure. One can free memory whilst the other code still uses it.
The risk is if something unexpectedly happens to simultaneously use that freed memory. At best, the CPU would crash. At worst, this vulnerability creates the opportunity for a significant cyberattack.
Unlike the first critical Microsoft VPN vulnerability LRQA discovered (CVE-2022-21972), this second vulnerability affects both servers and client devices such as desktops. This means that potential damage could be far more widespread.
With a race condition weakness, you can only trigger the vulnerability when both pieces of code are operating together. But for this vulnerability, there is no time restriction like for CVE-2022-21972. The attacker can repeatedly attempt to trigger the vulnerability until successful.
Worryingly, this vulnerability is systemic and there are a handful of ways to trigger it. This makes it incredibly dangerous and increases the scope of an attack to both servers and desktops.
For this reason, Microsoft have scored CVE-2022-23270 as 8 on the Common Vulnerability Scoring System (CVSS). 10 indicates the highest possible cyber risk.
Read an accompanying blog on our Labs website
exploring the technical detail and code involved
in discovering this vulnerability
Widespread risk to servers and desktops
If you or your business runs a Microsoft VPN server or uses the Windows built-in Point-to-Point Tunneling (PPTP) VPN protocol to connect to another VPN, you could be at risk.
As PPTP is an unencrypted protocol, you do not need someone to take control of your VPN to be at risk.
The Microsoft VPN is entry-level, so small and medium-sized organisations face the greatest risk from this vulnerability. It is also dangerous for individuals given the potential to attack desktops too. Remotely placing code on your system is entirely possible using this weakness, and your anti-virus software would not spot it.
The risk from CVE-2022-23270 rapidly escalates when you consider how easily it could spread around the internet. An accomplished cyber attacker could create a worm to automatically infect every desktop it could infiltrate via the unencrypted protocol. Home network security is often lower than business security. Once in, the malware could spread to everything connected to it.
In short, if left unpatched, an attack via CVE-2022-23270 could cause global disruption of enormous proportions.
Prompt reporting to Microsoft
Our vulnerability research team constantly interrogates drivers looking for vulnerabilities hidden in code. Using reverse engineering and specialist knowledge, we uncover risks unseen by many.
On discovering a vulnerability, we first work to trigger it reliably before reporting it to the software developer, in this case, Microsoft. We then work closely with them to establish proof of concept, ensuring they can identify the root cause.
From that point, Microsoft develops a fix which is thoroughly tested before being released via a patch. In this case, their patch was released on Tuesday 10th May 2022.
You are never 100% safe online
CVE-2022-23270 demonstrates the risk caused by unnecessary legacy code. Embedded within a VPN protocol dating back to the 1990s, many newer VPN iterations have superseded it. And yet, some businesses still rely on the original version.
It is not just Microsoft; legacy software remains operational for most major providers. Developed years ago, cybersecurity was not a consideration, and encryption was not so essential.
Even if you use an encrypted VPN today, you are still at risk should third parties talk to your VPN using unencrypted software. When you are connected to the internet, it is impossible to remain 100% safe.
Our recent Microsoft vulnerability discoveries also highlight the length of time it takes to release a patch. Both critical vulnerabilities were reported on 29th October 2021. Having worked through many complexities, Microsoft released the patch on 10th May 2022. For six months, the uncovered vulnerability risks exploitation in the wrong hands.
Act now to mitigate your risk
At the very least, we urge you to install the Microsoft patch as soon as possible. It might mean being temporarily offline. That could impact your productivity, but not as much as a cyberattack would.
You can also lessen your exposure to high-risk vulnerabilities such as these by reviewing your VPN setup and strengthening your security posture.
1. Review your VPN set-up
The COVID-19 pandemic shone a spotlight on VPNs. Many businesses installed protocols quickly as part of the race for connectivity and Microsoft was an obvious choice for many.
Known for ensuring backwards compatibility and choice, Microsoft installs many pieces of code by default. You might never need them, but they exist on your server or PC. This happens with Microsoft’s original VPN protocol. Post-installation configuration is crucial to remove what you do not need.
Every piece of unused code is an unattended open door to your system. Legacy code was not written with cybersecurity in mind. In certain circumstances, it presents a risk.
Alternatively, opt for a modern SSL encrypted VPN protocol or another encrypted option. You will then run code with a more robust security architecture. Do you really need to use the original, unencrypted PPTP VPN protocol?
Whatever you decide, make sure your IT team disable non-encrypted protocols and removes unnecessary code. This way, you are locking more doors and lowering your risk of cyber-intrusion.
2. Strengthen your security posture
Cybersecurity vulnerabilities are endless. Meanwhile, skilled attackers continue working tirelessly to find and exploit them. That is the reality today.
You must accept your network is not impenetrable; no network is. Focus instead on strengthening your security posture. For example, you might review your IT processes and controls in-house. You might also choose to have a Security Operations Centre (SOC) team constantly monitoring your network.
Eliminating known cyber-risks and spotting issues promptly are the first steps to achieving a stronger security posture. The next step is to have a comprehensive recovery plan in place, should the worst happen.
By creating the best possible cyber-defence and incident response for your business you are keeping your operations and reputation as safe as you can.
You can read an accompanying blog on our LRQA Cyber Labs articles exploring the technical detail and code involved in discovering this vulnerability here.