Microsoft Patch Tuesday - January 2022

Microsoft fixed 126 different CVEs with this month's update (this includes the Chromium issues patched in Edge). Six of the issues were publicly disclosed, and nine are rated critical. 

Noteworthy updates:

CVE-2022-21907: This is a remote code execution vulnerability in http.sys, the Windows HTTP protocol stack used by anything in Windows that processes HTTP requests (IIS, for example, but not only IIS). The vulnerability is exposed if the "Trailer" feature is enabled. HTTP trailers are used to delay sending headers until the end of the request (or response). They are typically used as part of chunked messages, when the entire message is not known until it has been sent. A "TE: trailers" header needs to be sent, and a "Trailer" header listing the delayed header names. This is potentially a wormable vulnerability, and Microsoft recommends prioritizing this patch. It appears that the Trailer feature is frequently enabled by default, which makes this a BIG DEAL. [!!! I initially assessed this as less of a risk, but a reader corrected me that the feature is enabled in Server 2022, 20H2 core, and various Windows 10 and 11 versions. I misread the Microsoft announcement. This is not enabled by default in Windows Server 2019 and Windows 10 version 1809.]
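To make the trailer mechanism above concrete, here is an added Python example (not code from ISC or Microsoft) that decodes a chunked HTTP/1.1 request, pulls out the trailer section that follows the last chunk, and reports which trailer signals ("TE: trailers", "Trailer: ...") the headers carry. That last check is the kind of thing a defender can run over captured traffic to see whether requests reaching still-unpatched hosts announce delayed headers at all. The request bytes, the X-Checksum trailer name and its value are constructed for illustration.

```python
"""Decode a chunked HTTP/1.1 message and surface its trailer section.

Added example, not code from ISC or Microsoft: it shows concretely what the
"Trailer" feature discussed above means on the wire, and gives a defender a
small check for whether a captured request even carries the trailer signals.
The sample request bytes below are constructed for illustration.
"""
from typing import Dict, List, Tuple


def parse_headers(block: bytes) -> Dict[str, str]:
    """Parse CRLF-separated 'Name: value' lines into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return headers


def parse_chunked(body: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Decode a chunked body and return (payload, trailers).

    The trailer section is the header block that follows the zero-length
    last-chunk and is terminated by an empty line; it is empty for most
    chunked messages, which end simply with "0 CRLF CRLF".
    """
    payload = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size_field = body[pos:line_end].split(b";", 1)[0]  # drop chunk extensions
        size = int(size_field, 16)
        pos = line_end + 2
        if size == 0:
            break  # last-chunk reached; trailers (if any) come next
        payload += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    if body[pos:pos + 2] == b"\r\n":
        return bytes(payload), {}  # no trailers
    end = body.index(b"\r\n\r\n", pos)
    return bytes(payload), parse_headers(body[pos:end])


def split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    return request_line.decode("ascii"), parse_headers(header_block), body


def trailer_indicators(headers: Dict[str, str]) -> List[str]:
    """List the trailer-related signals present in a header set.

    Handy when reviewing captured traffic against unpatched hosts: a message
    carrying neither 'TE: trailers' nor a 'Trailer' header does not announce
    delayed headers at all.
    """
    found: List[str] = []
    te_tokens = [t.strip().lower() for t in headers.get("te", "").split(",")]
    if "trailers" in te_tokens:
        found.append("TE: trailers")
    if "trailer" in headers:
        found.append("Trailer: " + headers["trailer"])
    return found


def analyze(raw: bytes) -> Dict[str, object]:
    """Decode a request and report its payload, trailers and trailer signals."""
    request_line, headers, body = split_message(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        payload, trailers = parse_chunked(body)
    else:
        payload, trailers = body, {}
    return {
        "request_line": request_line,
        "payload": payload,
        "trailers": trailers,
        "indicators": trailer_indicators(headers),
    }


# Constructed sample: a chunked upload whose checksum header is delayed to the
# trailer section because it cannot be computed before the body is sent.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"TE: trailers\r\n"
    b"Trailer: X-Checksum\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"6\r\n world\r\n"
    b"0\r\n"
    b"X-Checksum: deadbeef\r\n"  # constructed value, not a real digest
    b"\r\n"
)

if __name__ == "__main__":
    result = analyze(SAMPLE_REQUEST)
    print(result["request_line"])
    print("payload:", result["payload"])
    print("trailers:", result["trailers"])
    print("signals:", result["indicators"])
```

Run it as a script to see the decoded body and the X-Checksum trailer; `trailer_indicators()` can be pointed at any header dict pulled from a proxy log or packet capture.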

CVE-2022-21846: Another critical remote code execution vulnerability in Exchange. But this vulnerability is not exploitable across the internet and requires the victim and the attacker to share the same network. 

CVE-2021-22947: This vulnerability in curl was originally disclosed in September, which is why it is noted as "Publicly Disclosed". This update fixes several vulnerabilities, not just the listed CVE.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com.

January 2022 Security Updates

Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
---|---|---|---|---|---|---|---|---
.NET Framework Denial of Service Vulnerability | CVE-2022-21911 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Active Directory Domain Services Elevation of Privilege Vulnerability | CVE-2022-21857 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Chromium: CVE-2022-0096 Use after free in Storage | CVE-2022-0096 | No | No | - | - | - | |
Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | CVE-2022-0097 | No | No | - | - | - | |
Chromium: CVE-2022-0098 Use after free in Screen Capture | CVE-2022-0098 | No | No | - | - | - | |
Chromium: CVE-2022-0099 Use after free in Sign-in | CVE-2022-0099 | No | No | - | - | - | |
Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | CVE-2022-0100 | No | No | - | - | - | |
Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | CVE-2022-0101 | No | No | - | - | - | |
Chromium: CVE-2022-0102 Type Confusion in V8 | CVE-2022-0102 | No | No | - | - | - | |
Chromium: CVE-2022-0103 Use after free in SwiftShader | CVE-2022-0103 | No | No | - | - | - | |
Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | CVE-2022-0104 | No | No | - | - | - | |
Chromium: CVE-2022-0105 Use after free in PDF | CVE-2022-0105 | No | No | - | - | - | |
Chromium: CVE-2022-0106 Use after free in Autofill | CVE-2022-0106 | No | No | - | - | - | |
Chromium: CVE-2022-0107 Use after free in File Manager API | CVE-2022-0107 | No | No | - | - | - | |
Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | CVE-2022-0108 | No | No | - | - | - | |
Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | CVE-2022-0109 | No | No | - | - | - | |
Chromium: CVE-2022-0110 Incorrect security UI in Autofill | CVE-2022-0110 | No | No | - | - | - | |
Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | CVE-2022-0111 | No | No | - | - | - | |
Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | CVE-2022-0112 | No | No | - | - | - | |
Chromium: CVE-2022-0113 Inappropriate implementation in Blink | CVE-2022-0113 | No | No | - | - | - | |
Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | CVE-2022-0114 | No | No | - | - | - | |
Chromium: CVE-2022-0115 Uninitialized Use in File API | CVE-2022-0115 | No | No | - | - | - | |
Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | CVE-2022-0116 | No | No | - | - | - | |
Chromium: CVE-2022-0117 Policy bypass in Service Workers | CVE-2022-0117 | No | No | - | - | - | |
Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | CVE-2022-0118 | No | No | - | - | - | |
Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | CVE-2022-0120 | No | No | - | - | - | |
Clipboard User Service Elevation of Privilege Vulnerability | CVE-2022-21869 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Connected Devices Platform Service Elevation of Privilege Vulnerability | CVE-2022-21865 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
DirectX Graphics Kernel File Denial of Service Vulnerability | CVE-2022-21918 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
DirectX Graphics Kernel Remote Code Execution Vulnerability | CVE-2022-21912 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
DirectX Graphics Kernel Remote Code Execution Vulnerability | CVE-2022-21898 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2022-21917 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
HTTP Protocol Stack Remote Code Execution Vulnerability | CVE-2022-21907 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5
Libarchive Remote Code Execution Vulnerability | CVE-2021-36976 | Yes | No | Less Likely | Less Likely | Important | |
Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | CVE-2022-21913 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | CVE-2022-21884 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | CVE-2022-21910 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Cryptographic Services Elevation of Privilege Vulnerability | CVE-2022-21835 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | CVE-2022-21871 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | CVE-2022-21891 | No | No | Less Likely | Less Likely | Important | 7.6 | 6.6
Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | CVE-2022-21932 | No | No | Less Likely | Less Likely | Important | 7.6 | 6.6
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | CVE-2022-21954 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | CVE-2022-21970 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | CVE-2022-21929 | No | No | Less Likely | Less Likely | Moderate | 2.5 | 2.3
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | CVE-2022-21930 | No | No | Less Likely | Less Likely | Important | 4.2 | 3.8
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | CVE-2022-21931 | No | No | Less Likely | Less Likely | Important | 4.2 | 3.8
Microsoft Excel Remote Code Execution Vulnerability | CVE-2022-21841 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2022-21846 | No | No | More Likely | More Likely | Critical | 9.0 | 7.8
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2022-21855 | No | No | More Likely | More Likely | Important | 9.0 | 7.8
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2022-21969 | No | No | More Likely | More Likely | Important | 9.0 | 7.8
Microsoft Office Remote Code Execution Vulnerability | CVE-2022-21840 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2022-21837 | No | No | Less Likely | Less Likely | Important | 8.3 | 7.2
Microsoft Word Remote Code Execution Vulnerability | CVE-2022-21842 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Open Source Curl Remote Code Execution Vulnerability | CVE-2021-22947 | Yes | No | Less Likely | Less Likely | Critical | |
Remote Desktop Client Remote Code Execution Vulnerability | CVE-2022-21850 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Remote Desktop Client Remote Code Execution Vulnerability | CVE-2022-21851 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | CVE-2022-21964 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Remote Desktop Protocol Remote Code Execution Vulnerability | CVE-2022-21893 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Remote Procedure Call Runtime Remote Code Execution Vulnerability | CVE-2022-21922 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Secure Boot Security Feature Bypass Vulnerability | CVE-2022-21894 | No | No | Less Likely | Less Likely | Important | 4.4 | 3.9
Storage Spaces Controller Information Disclosure Vulnerability | CVE-2022-21877 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | CVE-2022-21870 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Task Flow Data Engine Elevation of Privilege Vulnerability | CVE-2022-21861 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Tile Data Repository Elevation of Privilege Vulnerability | CVE-2022-21873 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Virtual Machine IDE Drive Elevation of Privilege Vulnerability | CVE-2022-21833 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
Win32k Elevation of Privilege Vulnerability | CVE-2022-21882 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Win32k Elevation of Privilege Vulnerability | CVE-2022-21887 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Win32k Information Disclosure Vulnerability | CVE-2022-21876 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Accounts Control Elevation of Privilege Vulnerability | CVE-2022-21859 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows AppContracts API Server Elevation of Privilege Vulnerability | CVE-2022-21860 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Application Model Core API Elevation of Privilege Vulnerability | CVE-2022-21862 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | CVE-2022-21925 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Windows Bind Filter Driver Elevation of Privilege Vulnerability | CVE-2022-21858 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Certificate Spoofing Vulnerability | CVE-2022-21836 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Cleanup Manager Elevation of Privilege Vulnerability | CVE-2022-21838 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2022-21916 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2022-21897 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2022-21852 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2022-21902 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2022-21896 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Defender Application Control Security Feature Bypass Vulnerability | CVE-2022-21906 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Defender Credential Guard Security Feature Bypass Vulnerability | CVE-2022-21921 | No | No | Less Likely | Less Likely | Important | 4.4 | 3.9
Windows Devices Human Interface Elevation of Privilege Vulnerability | CVE-2022-21868 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | CVE-2022-21839 | Yes | No | Less Likely | Less Likely | Important | 6.1 | 5.5
Windows Event Tracing Elevation of Privilege Vulnerability | CVE-2022-21872 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | CVE-2022-21899 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows GDI Elevation of Privilege Vulnerability | CVE-2022-21903 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Windows GDI Information Disclosure Vulnerability | CVE-2022-21904 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows GDI+ Information Disclosure Vulnerability | CVE-2022-21915 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
Windows GDI+ Information Disclosure Vulnerability | CVE-2022-21880 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows Geolocation Service Remote Code Execution Vulnerability | CVE-2022-21878 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Hyper-V Denial of Service Vulnerability | CVE-2022-21847 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
Windows Hyper-V Elevation of Privilege Vulnerability | CVE-2022-21901 | No | No | Less Likely | Less Likely | Important | 9.0 | 7.8
Windows Hyper-V Security Feature Bypass Vulnerability | CVE-2022-21900 | No | No | Less Likely | Less Likely | Important | 4.6 | 4.0
Windows Hyper-V Security Feature Bypass Vulnerability | CVE-2022-21905 | No | No | Less Likely | Less Likely | Important | 4.6 | 4.0
Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21843 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21883 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21848 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21889 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21890 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Windows IKE Extension Remote Code Execution Vulnerability | CVE-2022-21849 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.5
Windows Installer Elevation of Privilege Vulnerability | CVE-2022-21908 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows Kerberos Elevation of Privilege Vulnerability | CVE-2022-21920 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Windows Kernel Elevation of Privilege Vulnerability | CVE-2022-21879 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Kernel Elevation of Privilege Vulnerability | CVE-2022-21881 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Windows Modern Execution Server Remote Code Execution Vulnerability | CVE-2022-21888 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Push Notifications Apps Elevation Of Privilege Vulnerability | CVE-2022-21867 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | CVE-2022-21885 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | CVE-2022-21914 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21892 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21958 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21959 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21960 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21961 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21962 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21963 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.6
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21928 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7
Windows Security Center API Remote Code Execution Vulnerability | CVE-2022-21874 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows StateRepository API Server file Elevation of Privilege Vulnerability | CVE-2022-21863 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Storage Elevation of Privilege Vulnerability | CVE-2022-21875 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows System Launcher Elevation of Privilege Vulnerability | CVE-2022-21866 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows UI Immersive Server API Elevation of Privilege Vulnerability | CVE-2022-21864 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows User Profile Service Elevation of Privilege Vulnerability | CVE-2022-21919 | Yes | No | More Likely | More Likely | Important | 7.0 | 6.3
Windows User Profile Service Elevation of Privilege Vulnerability | CVE-2022-21895 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | CVE-2022-21834 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Workstation Service Remote Protocol Security Feature Bypass Vulnerability | CVE-2022-21924 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022

Johannes (ISC Handler), Jan 11th 2022
Hi, just wanted to let you know that the link you provided to https://patchtuesdaydashboard.com presents a certificate chain with an expired intermediate certificate. You can verify that using SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=patchtuesdaydashboard.com
Anonymous
We are seeing an issue on our Windows 2012R2 Domain Controllers going into a slow reboot loop after applying this month's patches.

By "slow" I mean they reboot after being up for a short time, approx. 15 to 20 minutes.

System Event Log shows lsass.exe crashing and triggering the reboot.

I've seen another report of this issue here https://borncity.com/win/2022/01/12/patchday-windows-8-1-server-2012-r2-updates-11-januar-2022-mgliche-boot-probleme/

Uninstalling all patches released today appears to have solved this.

Confusingly, this issue only started to happen once we had updated all 3 DCs at one site. Removing the patches on 2 of the DCs has solved the problem; even the still-patched third server has stopped rebooting itself, like the now-unpatched other two.

Sample Event Log entries:

Log Name: System
Source: User32
Event ID: 1074
Level: Information
Keywords: Classic
User: SYSTEM
Description:
The process wininit.exe has initiated the restart of computer [name] on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.


Log Name: System
Source: Application Popup
Event ID: 26
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Description:
Application popup: lsass.exe - Application Error : The instruction at 0x820d2663 referenced memory at 0x00000058. The memory could not be read.
frankfil
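The two event records quoted in the comment above are enough to build a small detection for this crash-and-reboot cycle. The following is an added Python example, not the commenter's or ISC's tooling: it models System log records as simple objects, recognises the User32 1074 restart whose comment names lsass.exe, decodes the signed status code into the NTSTATUS value Windows tooling would show (-1073741819 is 0xC0000005, an access violation), and flags a reboot loop when several such restarts land inside a short window. The timestamps, the host name DC01 and the planned-reboot record are constructed; the crash texts mirror the entries quoted above.

```python
"""Spot the lsass.exe crash-and-restart cycle from Windows System log records.

Added example, not the commenter's or ISC's tooling: it takes the two event
types quoted in the comment above (User32 1074 and Application Popup 26),
decodes the status code, and flags a reboot loop when several lsass-driven
restarts fall inside a short window. Timestamps, the host name DC01 and the
planned-reboot record are constructed; the crash texts mirror the quoted ones.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class SystemEvent:
    time: datetime
    source: str
    event_id: int
    description: str


STATUS_RE = re.compile(r"status code (-?\d+)")


def ntstatus_hex(signed_code: int) -> str:
    """Render the signed 32-bit code the event log prints as an NTSTATUS value."""
    return f"0x{signed_code & 0xFFFFFFFF:08X}"


def is_lsass_crash_restart(ev: SystemEvent) -> bool:
    """User32 1074 restart whose comment names lsass.exe terminating unexpectedly."""
    return (ev.source == "User32" and ev.event_id == 1074
            and "lsass.exe" in ev.description
            and "terminated unexpectedly" in ev.description)


def is_lsass_app_error(ev: SystemEvent) -> bool:
    """Application Popup 26 reporting an lsass.exe application error."""
    return (ev.source == "Application Popup" and ev.event_id == 26
            and "lsass.exe - Application Error" in ev.description)


def crash_status(ev: SystemEvent) -> Optional[str]:
    """Extract the exit status from a 1074 comment, as NTSTATUS hex."""
    match = STATUS_RE.search(ev.description)
    return ntstatus_hex(int(match.group(1))) if match else None


def lsass_restart_times(events: List[SystemEvent]) -> List[datetime]:
    """Sorted timestamps of restarts triggered by an lsass.exe crash."""
    return sorted(ev.time for ev in events if is_lsass_crash_restart(ev))


def in_reboot_loop(events: List[SystemEvent], min_reboots: int = 2,
                   window: timedelta = timedelta(minutes=30)) -> bool:
    """True when at least min_reboots lsass-driven restarts fall within window."""
    times = lsass_restart_times(events)
    for i in range(len(times) - min_reboots + 1):
        if times[i + min_reboots - 1] - times[i] <= window:
            return True
    return False


# Constructed sample: three crash cycles about 18 minutes apart, matching the
# "up for 15 to 20 minutes" pattern, plus one ordinary planned reboot.
RESTART_TEXT = (
    "The process wininit.exe has initiated the restart of computer DC01 on behalf "
    "of user for the following reason: No title for this reason could be found "
    "Reason Code: 0x50006 Shutdown Type: restart Comment: The system process "
    "'C:\\Windows\\system32\\lsass.exe' terminated unexpectedly with status code "
    "-1073741819. The system will now shut down and restart."
)
POPUP_TEXT = (
    "Application popup: lsass.exe - Application Error : The instruction at "
    "0x820d2663 referenced memory at 0x00000058. The memory could not be read."
)
PLANNED_TEXT = (  # constructed benign record, should not be counted
    "The process C:\\Windows\\system32\\shutdown.exe (DC01) has initiated the restart "
    "of computer DC01 on behalf of user EXAMPLE\\admin for the following reason: "
    "Other (Planned) Shutdown Type: restart Comment:"
)
BASE = datetime(2022, 1, 12, 8, 0, 0)
SAMPLE_EVENTS: List[SystemEvent] = []
for cycle in range(3):
    t = BASE + cycle * timedelta(minutes=18)
    SAMPLE_EVENTS.append(SystemEvent(t, "Application Popup", 26, POPUP_TEXT))
    SAMPLE_EVENTS.append(SystemEvent(t + timedelta(seconds=5), "User32", 1074, RESTART_TEXT))
SAMPLE_EVENTS.append(SystemEvent(BASE + timedelta(hours=5), "User32", 1074, PLANNED_TEXT))

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if is_lsass_crash_restart(ev):
            print(ev.time, "restart after lsass.exe crash, status", crash_status(ev))
    print("reboot loop:", in_reboot_loop(SAMPLE_EVENTS))
```

On a real host the `SystemEvent` list would be filled from an export of the System log (for example a CSV or XML dump of event IDs 1074 and 26); the matching and windowing logic stays the same, and the planned-reboot record shows that ordinary restarts are not counted.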
I have seen the same reboot issue although I only have 1 Windows 2021RC DC. Removing KB5009624 resolved the issue for me.
PW
Microsoft has re-released the updates; please see https://docs.microsoft.com/ro-ro/windows/release-health/windows-message-center for additional information.
PW
Well, after 5 days of stability the server decided to crash twice due to the original issue that was reported. So it looks like uninstalling the update was not a solution.

I have now installed all currently offered updates from MS and will hopefully not have any additional crashes.
PW