Executive Summary

  • All supported client and server versions of Windows are affected by at least 4 critical security issues.
  • Windows clients with known issues: Windows 7, Windows 8.1, Windows 10 version 1607, 1809, 1909, 20H2, 21H1, 21H2, and Windows 11
  • Windows server versions with known issues: Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2022
  • Other Microsoft products with security updates: .NET Framework, Azure SDK, Active Directory Domain Services, Azure Site Recovery, Microsoft Edge, LDAP, Visual Studio, Microsoft Office, and others.
  • Windows 10 version 20H2 Pro and Home are reaching end of servicing next month.

Taking a closer look at some of the more interesting updates for this month.

CVE-2022-26809 – RPC Runtime Library Remote Code Execution Vulnerability
This bug is rated as a CVSS 9.8, and the exploit index notes exploitation is more likely. The vulnerability could allow a remote attacker to execute code at high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached. However, the static port used here (TCP port 135) is typically blocked at the network perimeter. Still, this bug could be used for lateral movement by an attacker. Definitely test and deploy this one quickly.

CVE-2022-24491/24497 – Windows Network File System Remote Code Execution Vulnerability
Speaking of nearly wormable bugs, these two NFS vulnerabilities also rate a 9.8 CVSS and are listed as exploitation more likely. On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction. Again, that adds up to a wormable bug – at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter. However, Microsoft does provide guidance on how the RPC port multiplexer (port 2049) “is firewall-friendly and simplifies deployment of NFS.” Check your installations and roll out these patches rapidly.

CVE-2022-26815 – Windows DNS Server Remote Code Execution Vulnerability
This vulnerability is the most severe of the 18(!) DNS Server bugs receiving patches this month. This bug is also very similar to one patched back in February, which makes one wonder if this bug is the result of a failed patch. There are a couple of important mitigations to point out here. The first is that dynamic updates must be enabled for a server to be affected by this bug. The CVSS also lists some level of privileges to exploit. Still, any chance of an attacker getting RCE on a DNS server is one too many, so get your DNS servers patched.
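The three remotely reachable bugs above each depend on a host-side precondition (RPC listening on TCP 135, the Server for NFS role on TCP 2049, DNS zones accepting dynamic updates). The following PowerShell check, added here and not taken from the page or from Microsoft, reports which of those conditions hold on the server it runs on; it assumes Windows Server with the ServerManager and DnsServer modules available, whose cmdlets, the feature name FS-NFS-Service and the DynamicUpdate/ZoneType properties it relies on.

```powershell
# Added exposure check for the RPC (CVE-2022-26809), NFS (CVE-2022-24491/24497)
# and DNS Server (CVE-2022-26815) bugs. Run elevated on the Windows Server host.
# Assumes the ServerManager and DnsServer PowerShell modules are present.

$findings = @()

# 1. RPC: is the endpoint mapper listening on TCP 135 on a non-loopback address?
$rpc = Get-NetTCPConnection -State Listen -LocalPort 135 -ErrorAction SilentlyContinue |
       Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
if ($rpc) {
    $addrs = ($rpc.LocalAddress | Sort-Object -Unique) -join ', '
    $findings += "RPC endpoint mapper listening on TCP 135 ($addrs); verify perimeter " +
                 "filtering and that the CVE-2022-26809 update is installed."
}

# 2. NFS: is the 'Server for NFS' role installed, and is TCP 2049 currently open?
$nfsRole = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
if ($nfsRole -and $nfsRole.Installed) {
    $nfsPort = Get-NetTCPConnection -State Listen -LocalPort 2049 -ErrorAction SilentlyContinue
    $portNote = if ($nfsPort) { 'TCP 2049 is listening' } else { 'TCP 2049 not listening' }
    $findings += "Server for NFS role installed ($portNote); host is in scope for " +
                 "CVE-2022-24491 / CVE-2022-24497."
}

# 3. DNS: list primary zones that accept dynamic updates, the stated precondition
#    for CVE-2022-26815 (DynamicUpdate is 'None', 'Secure' or 'NonsecureAndSecure').
if (Get-Service -Name DNS -ErrorAction SilentlyContinue) {
    $dynZones = Get-DnsServerZone -ErrorAction SilentlyContinue |
                Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -ne 'None' }
    foreach ($z in $dynZones) {
        $findings += "DNS zone '$($z.ZoneName)' accepts dynamic updates " +
                     "($($z.DynamicUpdate)); server is in scope for CVE-2022-26815."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No exposure conditions for the RPC, NFS or DNS Server bugs found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A clean result does not mean the host is patched; it means the listed preconditions are absent, so patch status still needs to be confirmed separately.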

CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability
This is one of the publicly known bugs patched this month, and not only is PoC out there for it, there’s a Metasploit module as well. This privilege escalation vulnerability allows an attacker to gain code execution at SYSTEM level on affected systems. They would, of course, need some level of privileges before they could escalate. That’s why these types of bugs are often paired with code execution bugs like the ones in Adobe Reader (mentioned above) to completely take over a system.


Operating System Distribution

  • Windows 7 (extended support only): 41 vulnerabilities: 4 critical and 37 important
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
  • Windows 8.1: 51 vulnerabilities: 7 critical and 44 important
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24497
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-22008
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24491
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
  • Windows 10 version 1909: 68 vulnerabilities: 8 critical and 60 important
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24497
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-22008
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-24537
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24491
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
  • Windows 10 version 20H2, 21H1 and 21H2: 72 vulnerabilities: 9 critical and 63 important
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24491
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-24537
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-23257
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-22008
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24497
  • Windows 11: 69 vulnerabilities: 9 critical and 60 important
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24491
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-24537
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-23257
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-22008
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24497

Windows Server products

  • Windows Server 2008 R2 (extended support only): 51 vulnerabilities: 4 critical and 47 important
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
  • Windows Server 2012 R2: 66 vulnerabilities: 5 critical and 22 important
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24497
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-22008
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24491
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
  • Windows Server 2016: 86 vulnerabilities: 8 critical and 78 important
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24497
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-22008
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-24537
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24491
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
  • Windows Server 2019: 93 vulnerabilities: 0 critical and 28 important
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24497
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-22008
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-24537
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24491
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
  • Windows Server 2022: 98 vulnerabilities: 0 critical and 28 important
    • Windows LDAP Remote Code Execution Vulnerability — CVE-2022-26919
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-26809
    • Windows Server Service Remote Code Execution Vulnerability — CVE-2022-24541
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24491
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-24537
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-23257
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-22008
    • Windows SMB Remote Code Execution Vulnerability — CVE-2022-24500
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-24497

Known Issues

Windows 7 SP1 and Windows Server 2008 R2

  • (Old) Updates may show as failed and may be uninstalled because the machine is not on ESU.
    • Expected behaviour.
  • (Old) Certain operations such as rename may fail on Cluster Shared Volumes.
    • Perform the operation from a process with administrator privileges.
    • Perform the operation from a node that does not have CSV ownership.

Windows 8.1 and Windows Server 2012 R2

  • (Old) Certain operations such as rename may fail on Cluster Shared Volumes.
    • Perform the operation from a process with administrator privileges.
    • Perform the operation from a node that does not have CSV ownership.
  • (Old) Issues with apps using the “Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information”. These may fail, close, or may throw error messages such as access violation (0xc0000005).
    • Install out-of-band updates for the .NET Framework version that the app in question uses. Microsoft has links to these on the support page.

Windows 10 versions 20H2, 21H1 and 21H2

  • (Old) Custom installations may not receive the new Microsoft Edge web browser, while the old version may be removed.
  • (Old) Some devices can’t install updates after installation of KB5003690 (June 21, 2021). Error PSFX_E_MATCHING_BINARY_MISSING is displayed.
    • Workaround instructions are available here.
  • (Old) Connections may fail to authenticate when using smart card authentication in Remote Desktop Connections.
    • Resolved according to Microsoft, should not be experienced anymore.
  • (NEW) After installing the January 11, 2022 updates or later updates, recovery discs on CD or DVD created using the Backup and Restore tool (Windows 7) may be unable to start. Recovery discs created earlier are not affected.
    • Microsoft is working on a resolution.

Windows 11

  • (NEW) After installing the January 11, 2022 updates or later updates, recovery discs on CD or DVD created using the Backup and Restore tool (Windows 7) may be unable to start. Recovery discs created earlier are not affected.
    • Microsoft is working on a resolution.

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2022-24521 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP
CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7 | Yes | No | EoP
CVE-2022-23259 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2022-26809 | RPC Runtime Library Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2022-22008 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.7 | No | No | RCE
CVE-2022-23257 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 8.6 | No | No | RCE
CVE-2022-24537 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.7 | No | No | RCE
CVE-2022-26919 | Windows LDAP Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-24491 | Windows Network File System Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2022-24497 | Windows Network File System Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2022-24541 | Windows Server Service Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2022-24500 | Windows SMB Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2022-26832 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-26907 | Azure SDK for .NET Information Disclosure Vulnerability | Important | 5.3 | No | No | Info
CVE-2022-26896 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP
CVE-2022-26897 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP
CVE-2022-26898 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE
CVE-2022-24489 | Cluster Client Failover (CCF) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-24479 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-26830 | DiskUsage.exe Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE
CVE-2022-24767 | GitHub: Git for Windows’ uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account | Important | Unknown | No | No | EoP
CVE-2022-24765 | GitHub: Uncontrolled search for the Git directory in Git for Windows | Important | Unknown | No | No | EoP
CVE-2022-24532 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-24496 | Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | | | |