KB5011497 for Windows Server 2022 – March Updates

The ‘Patch Tuesday’ update for Windows Server 2022 was released on 8 March 2022. Microsoft released a cumulative security update, KB5011497, for the Windows Server 2022 operating system. It supersedes February’s cumulative security update, KB5010354, and also the optional preview update KB5010421 for Windows Server 2022. If you have already patched Windows Server 2022 with KB5010421, this month’s update only has to deliver the changes made since that preview; if you did not deploy KB5010421, KB5011497 delivers the complete set of changes.

The salient points of the KB5011497 cumulative security update for Windows Server 2022 are:

  • KB5011497 supersedes KB5010354 and KB5010421.
  • The update is available for x64 and ARM64 systems.
  • Two of this month’s zero-day vulnerabilities affect Windows Server 2022 and are fixed in KB5011497. Details are shared below.
  • No adverse feedback has been reported by early adopters of the security update.
  • KB5011497 is 222.5 MB in size.
  • This update patches vulnerabilities with a high impact on your infrastructure. Details of the high-impact vulnerabilities are given below.
  • KB5011497 moves the server to OS Build 20348.587.
  • This update may require a server restart to complete installation.

What zero-day vulnerabilities are resolved in KB5011497?

The March security updates address 71 vulnerabilities in total. Three of these are zero-day vulnerabilities:

  • CVE-2022-21990 – a CVSS 8.8 remote code execution vulnerability in the Windows Remote Desktop Client. It affects Windows Server 2022 too and is fixed in KB5011497.
  • CVE-2022-24512 – a .NET remote code execution vulnerability with a CVSS score of 6.3. It is fixed by a separate .NET update, not by KB5011497.
  • CVE-2022-24459 – an elevation of privilege vulnerability in the Windows Fax and Scan Service, CVSS 7.8, with high impact on the affected infrastructure. It affects Windows Server 2022 as well and is fixed in KB5011497.

Apart from the zero-day vulnerabilities listed above, this month’s release fixes other vulnerabilities that Microsoft rates as more likely to be exploited. The following security vulnerabilities have been resolved in KB5011497 for Windows Server 2022.

Other vulnerabilities resolved in KB5011497

Microsoft has published the full list of vulnerabilities affecting Windows Server 2022. For the purpose of this discussion we focus on those that are rated more likely to be exploited, or that have been publicly disclosed.

The following vulnerabilities were reported by Microsoft for Windows Server 2022 in the 8 March updates:

CVE-2022-24508 – CVSS 8.8 – Remote Code Execution vulnerability

CVE-2022-24508 is a CVSS 8.8 vulnerability with a high impact on the target server. It resides in the SMBv3 compression handling of the SMBv3 server. An authenticated attacker, external or internal, could exploit the flaw in the compression code path to achieve remote code execution on the target Windows Server 2022 machine. Authentication is required: an unauthenticated attacker cannot exploit this vulnerability.

Workarounds for CVE-2022-24508

There are a few mitigation strategies for CVE-2022-24508:

  • Deploy the security update KB5011497 immediately.
  • Or, until the update is deployed, disable SMBv3 compression on the SMBv3 server with the following PowerShell command (run elevated):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force

  • Block TCP port 445 at the network perimeter firewall. This prevents an authenticated attacker outside the network from reaching the SMB server, but it does nothing against an attacker who already has credentials and a foothold inside the network.
  • To protect SMBv3 clients, refer to the Microsoft guidance on preventing SMB traffic from lateral connections and from entering or leaving the network.

These mitigation steps reduce exposure to CVE-2022-24508 until the patch is in place. You can read more about this vulnerability on the Microsoft website.

Once the workaround is in place, you can patch the server with KB5011497. The workaround can be left as it is, or you can re-enable SMBv3 compression after patching with the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 0 -Force
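The steps above (check the build, apply the compression workaround if the LCU is missing, revert it once KB5011497 is on) can be tied together in one script. The following is an added example, not code from the original article or from Microsoft. It assumes it is run in an elevated PowerShell session on Windows Server 2022, and it treats OS Build 20348.587 (the build KB5011497 installs, as stated above) or any higher update build revision as “patched”; the registry path is the one given in the article.

```powershell
# Added example (not from the original article): assess a Windows Server 2022 host for
# CVE-2022-24508 and apply or revert the SMBv3 compression workaround accordingly.
# Assumptions: elevated session; the fixed build is 20348.587 (UBR 587) as given in the article.

$PatchedBuild = 20348
$PatchedUbr   = 587
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-OsBuildInfo {
    # CurrentBuildNumber is the major build, UBR the update build revision (the part after the dot).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$cv.CurrentBuildNumber
        UBR   = [int]$cv.UBR
        Full  = "$($cv.CurrentBuildNumber).$($cv.UBR)"
    }
}

function Test-Kb5011497Installed {
    $os = Get-OsBuildInfo
    if ($os.Build -ne $PatchedBuild) {
        throw "Not a Windows Server 2022 build (found $($os.Full)); this check is for build 20348 only."
    }
    # A later LCU raises the UBR further and still contains the fix, so use >= rather than ==.
    return ($os.UBR -ge $PatchedUbr)
}

function Get-SmbCompressionState {
    # A missing value means compression is enabled, which is the default.
    $v = (Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    if ($null -eq $v) { return 'Enabled (default)' }
    if ($v -eq 1)     { return 'Disabled (workaround active)' }
    return "Unexpected value $v"
}

function Set-SmbCompressionWorkaround {
    param([Parameter(Mandatory)][ValidateSet('Apply', 'Revert')][string]$Action)
    $value = if ($Action -eq 'Apply') { 1 } else { 0 }
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWord -Value $value -Force
    # Read the value back so a failed write (e.g. not elevated) is caught rather than assumed.
    $now = (Get-ItemProperty -Path $LanmanParams -Name DisableCompression).DisableCompression
    if ($now -ne $value) { throw "DisableCompression is $now, expected $value" }
    Write-Host "DisableCompression set to $value ($Action)."
}

# --- Decision logic ---
Write-Host "OS build:          $((Get-OsBuildInfo).Full)"
Write-Host "SMBv3 compression: $(Get-SmbCompressionState)"

if (Test-Kb5011497Installed) {
    Write-Host 'KB5011497 (or a later LCU) is installed; the compression workaround is no longer required.'
    # Uncomment to restore compression. Leaving it disabled is also acceptable, as the article notes.
    # Set-SmbCompressionWorkaround -Action Revert
} else {
    Write-Host 'Host is below 20348.587: applying the CVE-2022-24508 workaround until the LCU is deployed.'
    Set-SmbCompressionWorkaround -Action Apply
}
```

The revert is deliberately left commented out: the script should never silently re-enable compression on a host, because the build check says nothing about whether the operator actually wants compression back.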

CVE-2022-24507 – CVSS 7.8 – Elevation of Privilege

This is a high-impact CVSS 7.8 vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock that can lead to elevation of privilege. It is resolved by patching Windows Server 2022 with the March update, KB5011497. No separate workaround is needed.

CVE-2022-23299 – CVSS 7.8 – Elevation of Privilege

This is another high-impact elevation of privilege vulnerability on Windows Server 2022, this time in the Windows PDEV component, with a CVSS score of 7.8. A PDEV (physical device object) is the graphics subsystem’s logical representation of a physical display device; it is characterised by the type of hardware, its logical address, and the surfaces it can support.

The vulnerability is patched in KB5011497 for Windows Server 2022.

CVE-2022-23294 – CVSS 8.8 – Remote Code Execution

This high-impact vulnerability exists in Windows Event Tracing and could lead to remote code execution. It carries a CVSS score of 8.8. The vulnerability is significant for the following reasons:

  • A non-admin user can launch the attack against the target server.
  • An authenticated attacker could use this vulnerability to execute malicious code through the Event Log service’s Remote Procedure Call (RPC) endpoint on the server side.
  • In the default configuration, remote access to the Event Log service endpoint is blocked. If your servers run the default configuration, the vulnerability is mitigated, but any server where remote event log access has been opened up is exposed.

For a permanent fix, you still need to patch Windows Server 2022 with the KB5011497 cumulative security update.
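The mitigating condition above (“remote access to the Event Log endpoint is blocked by default”) is worth verifying rather than assuming, since a server that has had remote event log management enabled loses it. The following is an added example, not code from the original article or from Microsoft. It assumes that the built-in Windows Firewall display group ‘Remote Event Log Management’ is what governs inbound access to that endpoint, and that the firewall profiles are on; if any inbound rule in that group is enabled and allowing, or a profile is off, the host should be treated as exposed until KB5011497 is installed.

```powershell
# Added example (not from the original article): check whether the default condition that
# mitigates CVE-2022-23294 on an unpatched host (no remote access to the Event Log RPC endpoint)
# actually holds on this server.
# Assumption: inbound access is controlled by the built-in firewall group 'Remote Event Log Management'.

function Get-RemoteEventLogExposure {
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound -ErrorAction Stop
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Enabled       = ($rule.Enabled -eq 'True')
            Action        = $rule.Action
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
            RemoteAddress = $addr.RemoteAddress
        }
    }
}

function Get-DisabledFirewallProfiles {
    # A disabled profile ignores its rules, so the rule table alone does not prove anything.
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
}

$exposure = Get-RemoteEventLogExposure
$exposure | Format-Table -AutoSize

$offProfiles = @(Get-DisabledFirewallProfiles)
if ($offProfiles.Count -gt 0) {
    Write-Warning "Windows Firewall is off for profile(s): $($offProfiles -join ', '). Rule state is meaningless there."
}

$open = @($exposure | Where-Object { $_.Enabled -and $_.Action -eq 'Allow' })
if ($open.Count -gt 0 -or $offProfiles.Count -gt 0) {
    Write-Warning 'The Event Log RPC endpoint may be reachable remotely; the default mitigation for CVE-2022-23294 does not apply. Install KB5011497, or restrict the rules to management hosts.'
    # Tightening instead of disabling (replace the subnet with your own management network):
    # $open | Set-NetFirewallRule -RemoteAddress '10.10.0.0/24'
} else {
    Write-Host 'Remote Event Log Management rules are disabled: the endpoint is not exposed inbound.'
}
```

Restricting RemoteAddress to a management subnet, as in the commented line, keeps remote log collection working while shrinking the set of hosts an authenticated non-admin attacker could attack from; it is a compensating control, not a substitute for the update.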

CVE-2022-23286 – CVSS 7.0 – Elevation of Privilege

This is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Its attack complexity is rated high, so it is not easy to exploit. The mitigation is to patch Windows Server 2022 with the KB5011497 cumulative security update.

CVE-2022-23285 – CVSS 8.8 – Remote Code Execution

CVE-2022-23285 is a CVSS 8.8 vulnerability that allows remote code execution against a vulnerable Remote Desktop client machine, and Microsoft rates it as more likely to be exploited. An attacker who controls a Remote Desktop server can trigger code execution on the client when a victim connects to that server with a vulnerable Remote Desktop client. Note that the exposed party is the client, not the server being connected to. The mitigation is to patch Windows Server 2022 with KB5011497.

CVE-2022-24502 – CVSS 4.3 – Windows HTML Platforms Security Feature Bypass

CVE-2022-24502 affects all supported Windows versions, including Windows Server 2022, and is rated more likely to be exploited. It affects the MSHTML platform and the scripting engine used by browsers. The mitigation is to patch with KB5011497.

Apart from the vulnerabilities described above, the release fixes further vulnerabilities that are rated less likely to be exploited or that have not been publicly disclosed. To keep things manageable, this discussion is limited to the vulnerabilities rated more likely to be exploited.

CVE-2022-23253 – CVSS 6.5 – Denial of Service

CVE-2022-23253 is a medium-impact vulnerability in the Point-to-Point Tunnelling Protocol (PPTP). It can cause a denial of service on VPN endpoints, resulting in failed VPN connectivity between two sites. The fix is listed here as part of KB5011503, the March LCU for Windows Server 2019.

How can I get the KB5011497 security update?

KB5011497 is available through all the normal Windows Update channels:

  • KB5011497 is downloaded and applied automatically through Windows Update.
  • KB5011497 is downloaded and applied automatically through Windows Update for Business.
  • KB5011497 is available through Windows Server Update Services (WSUS) when WSUS is configured to synchronise security updates for ‘Windows Server version 21H2’.
  • KB5011497 can be deployed manually from the Microsoft Update Catalog; the package can be downloaded from the catalog site here. The update file is 222.5 MB.

Before installing this update, make sure the server already has the KB5005039 servicing stack update, or has been patched with one of the Windows Server 2022 cumulative updates released after KB5005039.
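For the manual path (download from the catalog, then install), a few checks are worth scripting so that the prerequisite and the integrity of the downloaded package are confirmed before wusa.exe runs. The following is an added example, not code from the original article or from Microsoft. It assumes an elevated session; $MsuPath is a placeholder for wherever you saved the package (the real catalog file name carries a hash suffix); the prerequisite check accepts the SSU KB5005039 or either of the two February updates named on this page (KB5010354, KB5010421), since both were released after the SSU.

```powershell
# Added example (not from the original article): pre-flight checks and a controlled manual
# install of the KB5011497 .msu downloaded from the Microsoft Update Catalog.
# Assumptions: elevated session; $MsuPath is a placeholder; you schedule the restart yourself.

param(
    [string]$MsuPath = 'C:\Patches\windows10.0-kb5011497-x64.msu'   # placeholder path, adjust
)

function Test-Kb5011497Prerequisite {
    # Prerequisite per the article: SSU KB5005039, or a Server 2022 LCU released after it.
    # Get-HotFix (Win32_QuickFixEngineering) is not exhaustive, so a miss means "verify manually".
    $ids      = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $accepted = 'KB5005039', 'KB5010354', 'KB5010421'   # the SSU and the two February updates named above
    if ($ids -contains 'KB5011497')                        { return 'AlreadyInstalled' }
    if ($ids | Where-Object { $accepted -contains $_ })    { return 'Ready' }
    return 'MissingPrerequisite'
}

function Test-MsuSignature {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Catalog packages are Microsoft-signed; anything else is a corrupt, tampered or wrong file.
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Install-Msu {
    param([Parameter(Mandatory)][string]$Path)
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                          -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    # wusa.exe reports Windows Update result codes as its exit code (negative = HRESULT as Int32).
    switch ($proc.ExitCode) {
        0           { 'Installed' }
        3010        { 'InstalledRebootRequired' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302     { 'AlreadyInstalled' }          # WU_S_ALREADY_INSTALLED (0x240006)
        -2145124329 { 'NotApplicable' }             # WU_E_NOT_APPLICABLE (0x80240017)
        default     { "Failed (exit code $($proc.ExitCode))" }
    }
}

# --- Pre-flight, then install ---
switch (Test-Kb5011497Prerequisite) {
    'AlreadyInstalled'    { Write-Host 'KB5011497 is already present; nothing to do.'; return }
    'MissingPrerequisite' { throw 'Neither KB5005039 nor a later cumulative update was found; install the SSU first.' }
}

if (-not (Test-MsuSignature -Path $MsuPath)) {
    throw "Refusing to install: $MsuPath does not carry a valid Microsoft Authenticode signature."
}

$result = Install-Msu -Path $MsuPath
Write-Host "wusa result: $result"
if ($result -eq 'InstalledRebootRequired') {
    Write-Host 'Restart the server during the next maintenance window to complete installation.'
}
```

The signature check is the point of the script: a package pulled off a share or a download folder is only as trustworthy as its Authenticode signature, and /norestart keeps the restart under the operator’s control rather than wusa’s.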

.NET Framework update on Windows Server 2022 – KB5011258

The .NET Framework 4.8 on Windows Server 2022 needs to be updated to resolve Active Directory trust issues that were reported after deployment of the January updates. To update the .NET Framework on Windows Server 2022, download and apply the .NET patch from the catalog page here. The update file is 355 KB for x64 and ARM64 systems.

Summary

The KB5011497 security update for Windows Server 2022 has been released and fixes the vulnerabilities disclosed by Microsoft. The update is straightforward, and early adopters report no issues after deploying it on Windows Server 2022.

You should be aware of the following security vulnerabilities on Windows Server 2022 that are rated more likely to be exploited:

  • CVE-2022-24508
  • CVE-2022-24507
  • CVE-2022-24502
  • CVE-2022-23299
  • CVE-2022-23294
  • CVE-2022-23286
  • CVE-2022-23285
  • CVE-2022-23284
  • CVE-2022-23287
