Microsoft has confirmed that it fixed the previously disclosed ‘ShadowCoerce’ vulnerability, which enabled attackers to target Windows servers in NTLM relay attacks, as part of the June 2022 updates.
This NTLM relay attack method can be used by threat actors to force unpatched servers to authenticate against servers under the attacker’s control, leading to a takeover of the Windows domain.
A Microsoft spokesperson told BleepingComputer that, while there was no public announcement made regarding this issue, the “MS-FSRVP coercion abuse PoC aka ‘ShadowCoerce’ was mitigated with CVE-2022-30154, which affected the same component.”
BleepingComputer emailed Redmond after ACROS Security CEO Mitja Kolsek discovered that ShadowCoerce was silently patched while researching it with the 0Patch team to issue a micropatch.
While it is good that Microsoft has fixed this vulnerability, it has not yet provided any details publicly and has yet to assign a CVE ID.
This has prompted security firms and researchers [1, 2, 3, 4] to ask Redmond for more transparency and to include more info on what’s fixed in its security bulletins.
It would be nice if MS were more open about this. I find it unbelievable that in many ways MS is more secretive about security now than in the “bad old days” unless they can throw a marketing spin on it. Material security changes should be clearly documented in security bulletins.
— James Forshaw (@tiraniddo) July 4, 2022