Today is Microsoft’s February 2022 Patch release day and Microsoft has released 51 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code, and Microsoft Teams. A total of five of these bugs came through the ZDI program.
This is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs. The number of each type of vulnerability is listed below:
16 Elevation of Privilege Vulnerabilities
3 Security Feature Bypass Vulnerabilities
16 Remote Code Execution Vulnerabilities
5 Information Disclosure Vulnerabilities
5 Denial of Service Vulnerabilities
3 Spoofing Vulnerabilities
22 Edge – Chromium Vulnerabilities
Executive Summary
Microsoft released security updates for all supported client and server versions of Windows.
Microsoft released no critical updates for Windows on this Patch Day.
Security updates were also released for other Microsoft products, including Microsoft Dynamics, Microsoft Office, Microsoft Edge, SQL Server, Power BI, Visual Studio Code and Kestrel Web Server.
The following client operating systems have known issues: Windows 7, Windows 8.1, Windows 10 version 1809, Windows 10 version 20H2, 21H1, 21H2.
The following server operating systems have known issues: Windows Server 2008 and 2008 R2, Windows Server 2012 and 2012 R2, Windows Server 2019, Windows Server 2022.
Taking a closer look at some of the more interesting updates for this month:
– CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a remote code execution bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges. Since dynamic updates aren’t enabled by default, this doesn’t get a Critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as Critical.
– CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability
This Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this will only expose the target’s IP information. However, it’s possible a second bug affecting image rendering could be paired with this bug to allow remote code execution. If you are using Outlook for Mac, you should double-check to ensure your version has been updated to an unaffected version.
– CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability
This patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS exploit complexity as High here, stating that an attacker “must prepare the target environment to improve exploit reliability.” Since this is the case for most exploits, it’s not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it’s recommended to treat this as a Critical update.
– CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug in SharePoint Server that could allow an authenticated user to execute arbitrary .NET code on the server under the context and permissions of the service account of the SharePoint Web Application. An attacker would need “Manage Lists” permissions to exploit this, but by default, authenticated users are able to create their own sites; in that case, the user is the owner of the site and has all the necessary permissions. This case came through the ZDI, and we’ll have additional details out about it in the near future.
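For CVE-2022-21984 above, exposure depends on whether any zone on a DNS server accepts dynamic updates. The following PowerShell is an added example, not part of the original post or Microsoft's advisory; it assumes the DnsServer module (RSAT DNS Server Tools) is installed, and the server names are constructed placeholders.

```powershell
# Added example: find DNS zones that accept dynamic updates, per server.
# Servers reporting such zones are the ones to patch first for CVE-2022-21984.
# $DnsServers holds constructed placeholder names; replace with your own.
$DnsServers = @('dns01.example.test', 'dns02.example.test')

function Get-DynamicUpdateZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )
    foreach ($server in $ComputerName) {
        try {
            $zones = Get-DnsServerZone -ComputerName $server -ErrorAction Stop
        }
        catch {
            # Report unreachable servers rather than treating them as unaffected.
            [pscustomobject]@{
                Server = $server; ZoneName = $null; DynamicUpdate = $null
                Status = "QueryFailed: $($_.Exception.Message)"
            }
            continue
        }
        # DynamicUpdate is None, Secure or NonsecureAndSecure; zone types
        # without the setting (e.g. forwarders) fall out of this filter.
        $dynamic = @($zones | Where-Object {
            $_.DynamicUpdate -in 'Secure', 'NonsecureAndSecure'
        })
        if ($dynamic.Count -eq 0) {
            [pscustomobject]@{
                Server = $server; ZoneName = $null; DynamicUpdate = 'None'
                Status = 'NoDynamicZones'
            }
            continue
        }
        foreach ($zone in $dynamic) {
            [pscustomobject]@{
                Server = $server; ZoneName = $zone.ZoneName
                DynamicUpdate = $zone.DynamicUpdate
                Status = 'DynamicUpdateEnabled'
            }
        }
    }
}

Get-DynamicUpdateZone -ComputerName $DnsServers |
    Sort-Object Server, ZoneName |
    Format-Table -AutoSize
```

Rows with `QueryFailed` need a manual check before a server is ruled out.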
Operating System Distribution
Windows 7 (extended support only): 11 vulnerabilities: 0 critical and 11 important
Windows 8.1: 14 vulnerabilities: 0 critical and 14 important
Windows 10 version 1909: 22 vulnerabilities: 0 critical and 22 important
Windows 10 version 2004, 20H2, 21H1 and 21H2: 22 vulnerabilities: 0 critical and 22 important
Windows 11: 23 vulnerabilities: 0 critical and 23 important
Windows Server products
Windows Server 2008 R2 (extended support only): 11 vulnerabilities: 0 critical and 11 important
Windows Server 2012 R2: 14 vulnerabilities: 0 critical and 14 important
Windows Server 2016: 17 vulnerabilities: 0 critical and 17 important
Windows Server 2019: 21 vulnerabilities: 0 critical and 21 important
Windows Server 2022: 22 vulnerabilities: 0 critical and 22 important
Known Issues
Windows 7 SP1 and Windows Server 2008 R2
Updates may show as failed and may be uninstalled because the machine is not on ESU.
Expected behaviour.
Certain operations such as rename may fail on Cluster Shared Volumes.
Perform the operation from a process with administrator privileges.
Perform the operation from a node that does not have CSV ownership.
Windows 8.1 and Server 2012 R2
Certain operations such as rename may fail on Cluster Shared Volumes.
Perform the operation from a process with administrator privileges.
Perform the operation from a node that does not have CSV ownership.
(NEW) Issues with apps using the “Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information”. These may fail, close, or throw error messages such as access violation (0xc0000005).
Install out-of-band updates for the .NET Framework version that the app in question uses. Microsoft has links to these on the support page.
Windows 10 versions 2004, 20H2, 21H1 and 21H2
Custom installations may not receive the new Microsoft Edge web browser, while the old version may be removed.
Workaround described on the support page.
Some devices can’t install updates after installation of KB5003690 (June 21, 2021). Error PSFX_E_MATCHING_BINARY_MISSING is displayed.
Workaround instructions are available here.
Connections may fail to authenticate when using smart card authentication in Remote Desktop Connections.
Resolved according to Microsoft, should not be experienced anymore.
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
CVE-2022-21984 | Windows DNS Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-23280 | Microsoft Outlook for Mac Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB |
CVE-2022-21995 | Windows Hyper-V Remote Code Execution Vulnerability | Important | 7.9 | No | No | RCE |
CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-21986 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-23256 | Azure Data Explorer Spoofing Vulnerability | Important | 8.1 | No | No | Spoofing |
CVE-2022-21844 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-21926 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-21927 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-21957 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2022-23271 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
CVE-2022-23272 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
CVE-2022-23273 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
CVE-2022-23274 | Microsoft Dynamics GP Remote Code Execution Vulnerability | Important | 8.3 | No | No | RCE |
CVE-2022-23269 | Microsoft Dynamics GP Spoofing Vulnerability | Important | 6.9 | No | No | Spoofing |
CVE-2022-23262 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
CVE-2022-23263 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.7 | No | No | EoP |
CVE-2022-22716 | Microsoft Excel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-22004 | Microsoft Office ClickToRun Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-22003 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-23252 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-21988 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-23255 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability | Important | 5.9 | No | No | SFB |
CVE-2022-23254 | Microsoft Power BI Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
CVE-2022-21968 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
CVE-2022-21987 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
CVE-2022-21965 | Microsoft Teams Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21974 | Roaming Security Rights Management Services Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-23276 | SQL Server for Linux Containers Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |