KB5011495 for Windows Server 2016 – March Security Update

KB5011495, the March cumulative security update for Windows Server 2016, was released by Microsoft on 8 March 2022. It supersedes February’s cumulative update, KB5010359. The MSU file is large, at 1543 MB, so plan an update window long enough to download and install it without complications during maintenance.

Salient points about the KB5011495 security update for Windows Server 2016:

  • KB5011495 supersedes KB5010359 update, the security update of February.
  • KB5011495 addresses high impact vulnerabilities that are likely to be exploited or are known publicly.
  • There are 3 zero-day vulnerabilities in the March updates. Two of them affect Windows Server 2016, and both are mitigated by KB5011495.
  • KB5011495 will update the build on Windows Server 2016 to OS Build 14393.5006.
  • Servicing stack update (SSU) KB5011570 will be offered before KB5011495 is deployed on the server. The SSU file is 11.6 MB.
  • KB5011495 is a heavier update than usual: the MSU file is 1543 MB.

Below we look at the improvements and the vulnerabilities that are resolved by this cumulative update.

KB5011495 improvements in Windows Server 2016

Windows Server 2016 did not receive a preview update after February’s KB5010359, so most of the improvements for Windows Server 2016 ship as part of the March security update KB5011495. This also explains the size of the MSU file.

  • Addresses an issue that prevents printing from operating properly for some low integrity process apps.
  • Addresses an issue that causes Windows to go into BitLocker recovery after a servicing update.
  • Addresses an issue that occurs when you try to write a service principal name (SPN) alias (such as www/contoso) and HOST/NAME already exists on another object. If the RIGHT_DS_WRITE_PROPERTY is on the SPN attribute of the colliding object, you receive an “Access Denied” error.
  • Addresses an issue by checking if CSharedLock in the Remote Procedure Call Server Service (RPCSS) was acquired recursively and only sets exclusive_owner to 0 when the recursive count is 0.
  • Addresses a memory leak in the wmipicmp.dll module that causes a lot of false alarms in the System Center Operations Manager (SCOM) datacenter monitoring system.
  • Addresses an issue that causes the DnsServerPsProvider module to leak memory inside a WmiPrvSE.exe process.
  • Addresses an issue that causes a mismatch between a Remote Desktop session’s keyboard and the Remote Desktop Protocol (RDP) client when signing in.

What zero-day vulnerabilities are resolved in KB5011495 for Windows Server 2016?

Microsoft addressed 71 vulnerabilities in the March security updates. Of these, 3 are zero-day vulnerabilities:

  • CVE-2022-21990 – a CVSS 8.8 remote code execution vulnerability in the Windows Remote Desktop Client. It affects Windows Server 2016 too and is resolved by KB5011495.
  • CVE-2022-24512 – a .NET remote code execution vulnerability with a CVSS score of 6.3. A separate .NET update is needed to fix this zero-day.
  • CVE-2022-24459 – an elevation of privilege vulnerability in the Windows Fax and Scan Service. It has a CVSS score of 7.8 and a high impact on the affected infrastructure. It affects Windows Server 2016 as well and is resolved by KB5011495.

Other vulnerabilities resolved in KB5011495

Apart from the zero-day vulnerabilities above, KB5011495 for Windows Server 2016 resolves a number of other vulnerabilities that Microsoft rates as more likely to be exploited.

We limit the discussion to vulnerabilities that have been publicly disclosed or are more likely to be exploited, which gives a fair picture of the threat matrix Microsoft shared for March 2022. These vulnerabilities have a high or medium impact on infrastructure comprising Windows Server 2016.

CVE-2022-24507 – CVSS 7.8 – Elevation of Privilege

This is a high impact CVSS 7.8 vulnerability in the Windows Ancillary Function Driver for WinSock that can lead to elevation of privilege. It is resolved by patching Windows Server 2016 with the March update, KB5011495; no separate workaround needs to be deployed.

CVE-2022-24502 – CVSS 4.3 – Windows HTML Platforms Security

CVE-2022-24502 affects all Windows versions, including Windows Server 2016, and is rated more likely to be exploited. It affects the MSHTML platform and the scripting engine used by browsers. Mitigation lies in patching with KB5011495.

Apart from the vulnerabilities listed here, there are other fixes in this update for vulnerabilities that are less likely to be exploited or have not been publicly disclosed. To keep things manageable, the discussion is limited to the vulnerabilities that are more likely to be exploited.

CVE-2022-23299 – CVSS 7.8 – Elevation of Privilege

This is another high impact vulnerability, with a CVSS score of 7.8, that exists in Windows PDEV and can lead to elevation of privilege on Windows Server 2016. A Windows PDEV is a logical representation of a physical device, characterized by the type of hardware, its logical address, and the surfaces it can support.

The vulnerability has been patched in KB5011495 for Windows Server 2016.

CVE-2022-23294 – CVSS 8.8 – Remote Code Execution

This high impact vulnerability exists in Windows Event Tracing and could lead to remote code execution. It carries a CVSS score of 8.8. The vulnerability is significant in the light of the following points:

  • Non-admin users can launch an attack on the target server.
  • The authenticated attacker could potentially take advantage of this vulnerability to execute malicious code through the Event Log’s Remote Procedure Call (RPC) endpoint on the server-side.
  • In the default configuration, remote access to the event log service endpoint is blocked. If you run the default configuration, the vulnerability is mitigated.

For a permanent fix, you still need to patch Windows Server 2016 with the KB5011495 cumulative security update.
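A defender’s check for the interim mitigation described above, added here as an example (not code from the original post). It assumes the built-in Windows Firewall rule group named "Remote Event Log Management", which is the group Windows uses for inbound Event Log RPC access; rules in that group are disabled in the default configuration.

```powershell
# Added example: report whether inbound Event Log RPC access is currently
# allowed through the host firewall. Assumes the built-in rule group name
# "Remote Event Log Management" (an assumption, not stated in the post).
function Get-RemoteEventLogExposure {
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' `
                                 -Direction Inbound -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        [pscustomobject]@{
            Rule    = $r.DisplayName
            Enabled = [string]$r.Enabled   # 'True' when the rule is active
            Action  = [string]$r.Action    # 'Allow' or 'Block'
            Profile = [string]$r.Profile   # Domain / Private / Public / Any
        }
    }
}

# Only enabled Allow rules matter: they open the endpoint the post refers to.
$exposed = Get-RemoteEventLogExposure |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

if ($exposed) {
    'Inbound Event Log RPC is ALLOWED by: ' + ($exposed.Rule -join ', ')
    'The default-block mitigation for CVE-2022-23294 does not apply here; install KB5011495.'
} else {
    'Remote Event Log Management inbound rules are disabled (default configuration).'
    'Still install KB5011495 for a permanent fix.'
}
```

Run this elevated on the Windows Server 2016 host; a host where the rules were enabled for remote event log collection (SCOM, SIEM agents) is the case where the default-configuration mitigation no longer holds.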

CVE-2022-23285 – CVSS 8.8 – Remote Code Execution

CVE-2022-23285 is a CVSS 8.8 vulnerability that could allow remote code execution on a vulnerable Remote Desktop client machine, and it is rated highly likely to be exploited. An attacker who controls a Remote Desktop server could trigger remote code execution on the RDP client machine when a victim connects to that server with the vulnerable Remote Desktop Client. Mitigation lies in patching Windows Server 2016 with KB5011495.

CVE-2022-23253 – CVSS 6.5 – Denial of Service

CVE-2022-23253 is a medium impact vulnerability in the Point-to-Point Tunneling Protocol. It can lead to a denial of service (DoS) on VPN endpoints, resulting in failed VPN connectivity between two VPN sites. The vulnerability is patched as part of the KB5011495 LCU for Windows Server 2016.

Update .NET framework on Windows Server 2016

Microsoft suggests updating the .NET Framework on Windows Server 2016 as well. This resolves an Active Directory trust issue in the AD forest. Depending on what is installed, you apply the update for .NET Framework 4.8 or the update for .NET Framework 4.6.2, 4.7, 4.7.1 or 4.7.2.

  • .NET Framework 4.8 is updated with KB5011264. The update file is 358 KB.
  • .NET Framework 4.6.2, 4.7, 4.7.1 or 4.7.2 is updated with KB5011329. The update file is 371 KB.

The .NET Framework issue has existed for some time now and merits a fix by applying the update for the .NET Framework version installed on your Windows Server 2016.

How can I get the KB5011495 security update for Windows Server 2016?

The KB5011495 security update for Windows Server 2016 is available through all the normal Windows Update channels. You can update Windows Server 2016 in any of the following ways:

  • KB5011495 can be downloaded and applied automatically through Windows Update.
  • KB5011495 can also be applied through Windows Update for Business.
  • WSUS (Windows Server Update Services) can import KB5011495 and apply it automatically to the Windows Server 2016 product configuration.
  • You can also deploy KB5011495 manually by downloading it from the Microsoft Update Catalog.

SSU KB5011570 must be deployed before KB5011495 is installed on Windows Server 2016. If you patch through Windows Update, SSU KB5011570 is offered at the time KB5011495 is applied; otherwise you can download the SSU manually from the Microsoft Update Catalog. The SSU file is 11.7 MB, so applying it on Windows Server 2016 should be quick.
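A post-deployment verification script, added here as an example (not from the original post or from Microsoft), covering both the OS servicing steps above and the .NET Framework updates from the previous section. It assumes it runs elevated on the Windows Server 2016 host being audited; the KB numbers and the expected OS build 14393.5006 are taken from the post, and the .NET 4.8 detection threshold on the registry Release value is an assumption of the script.

```powershell
# Added example: confirm SSU, LCU, resulting OS build and the matching .NET
# Framework update are all present after the March 2022 servicing.
$ExpectedBuild = '14393.5006'   # build stated in the post for KB5011495
$Ssu           = 'KB5011570'    # servicing stack update, must precede the LCU
$Lcu           = 'KB5011495'    # March cumulative security update

function Get-OsBuildString {
    # CurrentBuild is the major build (14393); UBR is the revision after the dot.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return ('{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)
}

function Test-KbInstalled([string]$Kb) {
    # Get-HotFix exposes the installed-updates list Windows itself keeps.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-Net4UpdateKb {
    # The Release value identifies the installed .NET Framework 4.x version.
    # Assumption: Release >= 528040 means 4.8 (KB5011264); lower values are
    # 4.6.2 through 4.7.2 (KB5011329). Returns $null if no 4.x is present.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                            -ErrorAction SilentlyContinue
    if (-not $ndp) { return $null }
    if ($ndp.Release -ge 528040) { return 'KB5011264' } else { return 'KB5011329' }
}

$build   = Get-OsBuildString
$results = [ordered]@{
    "SSU $Ssu installed"         = Test-KbInstalled $Ssu
    "LCU $Lcu installed"         = Test-KbInstalled $Lcu
    "OS build is $ExpectedBuild" = ($build -eq $ExpectedBuild)
}
$netKb = Get-Net4UpdateKb
if ($netKb) { $results[".NET update $netKb installed"] = Test-KbInstalled $netKb }

# Any $False line means the March servicing is incomplete on this host.
"Current OS build: $build"
$results.GetEnumerator() | ForEach-Object { '{0,-34} : {1}' -f $_.Key, $_.Value }
```

The build number is the authoritative check for the LCU: if it reads 14393.5006 the cumulative update is in place even when the hotfix list lags behind a pending reboot.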

Summary

KB5011495 for Windows Server 2016 delivers performance improvements and vulnerability fixes on the server. It supersedes the KB5010359 security update for Windows Server 2016. Early adopters of the update have not reported any adverse effects after deploying the KB5011495 cumulative security update. Do ensure that SSU KB5011570 is installed on Windows Server 2016 before applying KB5011495.
