HC3: Monthly Cybersecurity Vulnerability Bulletin - March 18, 2022

February Vulnerabilities of Interest to the Health Sector

Executive Summary

In February 2022, vulnerabilities in common information systems relevant to the health sector were released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Adobe, Android, Google, Apple, Cisco, Citrix, Intel, Mozilla, SAP, and VMWare. HC3 recommends patching all vulnerabilities, weighing each vulnerability's criticality category against the risk management posture of the organization. As always, accountability, proper inventory management, device hygiene and asset tracking are imperative to an effective patch management program.

Importance to HPH Sector

DEPARTMENT OF HOMELAND SECURITY/CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY
The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is constantly adding new vulnerabilities to its Known Exploited Vulnerabilities Catalog. This effort is driven by Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, which established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the US federal enterprise. Vulnerabilities that are entered into this catalog are required to be patched by their associated deadline by all US executive agencies. While these requirements do not extend to the private sector, HC3 recommends that all healthcare entities review vulnerabilities in this catalog and consider prioritizing them as part of their risk mitigation plan. The full database can be found here.

MICROSOFT
For the month of February, Microsoft released 48 security fixes for software, including a patch for a zero-day vulnerability. There were no critical-severity flaws on the list for this month. Microsoft Outlook and Office, Azure Data Explorer, Windows Kernel, Hyper-V, and Microsoft SharePoint are some of the products impacted by this month’s update.

CVE-2022-21989 is the single zero-day vulnerability in Microsoft’s updates for this month. It has a CVSS severity score of 7.8 and a high attack complexity, and this publicly known flaw can be exploited to escalate privileges via the kernel. According to Microsoft, to trigger this exploit a threat actor would have to take additional actions prior to exploitation to prepare the target environment. Additional vulnerabilities of interest in this update are:

  • CVE-2022-21989 is a Windows Kernel elevation-of-privilege vulnerability. According to the Microsoft advisory, successful exploitation of this vulnerability requires a threat actor to take additional actions prior to exploitation to prepare the target environment. A successful attack could be performed from a low privilege AppContainer and the threat actor could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
  • CVE-2022-21996 is a Win32k elevation-of-privilege vulnerability listed as more likely to be exploited. The attack may be initiated remotely and requires only simple authentication for exploitation.
  • CVE-2022-22005 is a Microsoft SharePoint Server Remote Code Execution vulnerability. The attacker must be authenticated and possess page-creation permissions to exploit this vulnerability; this permission, however, is often granted to authenticated users.
  • CVE-2022-21984 is a Windows DNS Server Remote Code Execution vulnerability. The server is affected only if dynamic updates are enabled; however, this is a relatively common configuration. A threat actor might take control of their target’s DNS and execute code with elevated privileges if this is set up in the target’s environment.

With the amount of stolen login credentials available, it is recommended that organizations pay attention to vulnerabilities that require authentication, particularly when it comes to public-facing servers. Microsoft has a Security Update Guide notification system that accepts standard email addresses during signup rather than only Live IDs. HC3 recommends patching and testing immediately as all vulnerabilities can adversely impact the healthcare industry. For the entire list of vulnerabilities released by Microsoft this month and their rating click here.
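The two prioritization points above, checking the month's CVEs against the CISA KEV catalog and giving extra weight to authentication-required flaws on public-facing servers, can be turned into a repeatable triage step. The following Python script is an added example and is not HC3, AHA or CISA code. It reads a catalog in the layout of CISA's KEV JSON feed (field names cveID, vendorProject, product, dateAdded, dueDate), but the catalog entries, their due dates, and the organization's asset-exposure flags below are all constructed stand-ins, not the catalog's real contents or any real inventory; the CVE descriptions come from this bulletin.

```python
"""Added example: order a month's bulletin CVEs for patching using a
KEV-format catalog plus bulletin attributes. Not HC3/AHA code; the
catalog entries, due dates and exposure flags are constructed."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

BULLETIN_DATE = date(2022, 3, 18)  # date of this bulletin

# Constructed stand-in for CISA's KEV JSON feed (same field names as the real
# feed). Entries and dates are placeholders, NOT the catalog's actual contents.
SAMPLE_KEV_JSON = """{
  "title": "Constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-2022-21989", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2022-02-23", "dueDate": "2022-03-09"},
    {"cveID": "CVE-0000-0000", "vendorProject": "Example", "product": "Placeholder",
     "dateAdded": "2022-01-10", "dueDate": "2022-01-24"}
  ]
}"""


@dataclass
class Vuln:
    cve: str
    product: str
    cvss: Optional[float]        # None where the bulletin quotes no score
    exploit_known: bool          # public zero-day, or vendor "more likely to be exploited"
    requires_auth: bool          # attacker needs valid credentials first
    internet_facing: bool        # from the organisation's own inventory (constructed here)
    kev_due: Optional[date] = None


# Bulletin entries as described in the text; internet_facing flags are constructed.
BULLETIN = [
    Vuln("CVE-2022-21989", "Windows Kernel", 7.8, True, False, False),
    Vuln("CVE-2022-21996", "Win32k", None, True, True, False),
    Vuln("CVE-2022-22005", "SharePoint Server", None, False, True, True),
    Vuln("CVE-2022-21984", "Windows DNS Server", None, False, False, True),
]


def load_kev(kev_json: str) -> dict:
    """Map cveID -> KEV due date for every catalog entry."""
    doc = json.loads(kev_json)
    return {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in doc["vulnerabilities"]}


def triage(vulns, kev):
    """Return the bulletin CVEs ordered for patching: KEV entries first
    (earliest due date first), then known/likely-exploited flaws, then
    internet-facing assets, then higher CVSS; the CVE id breaks ties."""
    for v in vulns:
        v.kev_due = kev.get(v.cve)
    return sorted(vulns, key=lambda v: (
        v.kev_due is None,
        v.kev_due or date.max,
        not v.exploit_known,
        not v.internet_facing,
        -(v.cvss or 0.0),
        v.cve,
    ))


def reasons(v, today):
    """Human-readable drivers behind a CVE's position in the triage order."""
    out = []
    if v.kev_due is not None:
        state = "overdue" if v.kev_due < today else f"due {v.kev_due.isoformat()}"
        out.append(f"KEV {state}")
    if v.exploit_known:
        out.append("exploit public or vendor-rated likely")
    if v.requires_auth and v.internet_facing:
        # The bulletin's point: stolen credentials turn "authenticated" into reachable.
        out.append("authenticated flaw on a public-facing server: stolen credentials suffice")
    if v.cvss is not None:
        out.append(f"CVSS {v.cvss}")
    return out


def overdue_kev(vulns, today):
    """CVEs whose (constructed) KEV due date has already passed; run triage() first."""
    return [v.cve for v in vulns if v.kev_due is not None and v.kev_due < today]


if __name__ == "__main__":
    ordered = triage(BULLETIN, load_kev(SAMPLE_KEV_JSON))
    for rank, v in enumerate(ordered, 1):
        print(rank, v.cve, v.product, "; ".join(reasons(v, BULLETIN_DATE)))
    print("KEV overdue:", overdue_kev(ordered, BULLETIN_DATE))
```

To use it against the real feed, replace SAMPLE_KEV_JSON with the downloaded KEV JSON and fill the internet_facing flags from your own asset inventory; the sort order is deliberately simple so that the reasons printed beside each CVE can be checked by hand.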


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272