KB5011503 for Windows Server 2019 – March Security Update

The cumulative security update KB5011503 for Windows Server 2019 was released on March 8, 2022. It supersedes the February security update, KB5010351, and the preview update KB5010427. The preview (optional) update for Windows Server 2019, KB5010427, was released on 16th February and brought performance improvements. If you installed KB5010427, only the incremental changes are downloaded as part of the KB5011503 update. If the last update on your Windows Server 2019 is KB5010351, the complete MSU update file is downloaded as part of the KB5011503 update.

Aside from the various improvements, KB5011503 also patches vulnerabilities with varying impacts on the server. We discuss these vulnerabilities below.

Salient points about KB5011503 cumulative security update for Windows Server 2019:

  • KB5011503 supersedes KB5010351 and KB5010427.
  • The MSU update file for KB5011503 is 560 MB in size.
  • Two zero day vulnerabilities that affect Windows Server 2019 are resolved in KB5011503. Details are given below.
  • This update resolves multiple vulnerabilities that have a high impact on the infrastructure.
  • Upon upgrading with KB5011503, the build on your Windows Server 2019 changes to OS Build 17763.2686.
  • The update may require a server reboot.
  • No issues have been reported on Windows Server 2019 by early adopters of the KB5011503 LCU or latest cumulative update.

What zero day vulnerabilities are resolved by KB5011503?

The March security updates address 71 vulnerabilities. Of these, 3 are zero-day vulnerabilities. The zero-day vulnerabilities for March are:

  • CVE-2022-21990 – this vulnerability affects Windows Server 2019 too. It is a CVSS 8.8 remote code execution vulnerability in the Windows Remote Desktop Client software. It is mitigated in KB5011503.
  • CVE-2022-24512 – .NET Remote Code Execution with CVSS score of 6.3. This vulnerability requires a .NET patch to resolve.
  • CVE-2022-24459 – Elevation of Privilege vulnerability on Windows Fax and Scan Service. It has a CVSS score of 7.8 with high impact on the affected infrastructure. This vulnerability affects the Windows Server 2019 as well. It is mitigated in KB5011503.

Other vulnerabilities resolved in KB5011503

Apart from the zero-day vulnerabilities mentioned above, there are other vulnerabilities that are more likely to be exploited.

For the purpose of our study, we limit ourselves to zero-day vulnerabilities, vulnerabilities that are more likely to be exploited, and vulnerabilities that have been publicly disclosed and could therefore be exploited. KB5011503 resolves 10 such vulnerabilities that have a high impact on the target infrastructure. These vulnerabilities are more likely to be exploited, or exploitation attempts have already been detected. The following security vulnerabilities have been resolved in KB5011503 for Windows Server 2019.

CVE-2022-24507 – CVSS 7.8 – Elevation of Privilege

This is a high impact CVSS 7.8 vulnerability that can lead to the ‘Elevation of Privileges’ through WinSock on the Windows Ancillary Function Driver. The vulnerability can be resolved by patching the Windows Server 2019 with the March update, KB5011503. There is no separate workaround that needs to be deployed to mitigate this vulnerability.

CVE-2022-24502 – CVSS 4.3 – Windows HTML Platforms Security

CVE-2022-24502 affects all the Windows versions including the Windows Server 2019. It is more likely to be exploited. This vulnerability affects the MSHTML platform and the scripting engine used by browsers. Mitigation of this vulnerability lies in patching with KB5011503.

CVE-2022-23299 – CVSS 7.8 – Elevation of Privilege

This is another high impact vulnerability that exists in Windows PDEV and can lead to the ‘Elevation of Privilege’ on the Windows Server 2019. It carries a CVSS score of 7.8. A Windows PDEV is a logical representation of the physical device. It is characterized by the type of hardware, logical address, and surfaces that can be supported. 

The vulnerability has been patched in KB5011503 for Windows Server 2019.

CVE-2022-23294 – CVSS 8.8 – Remote Code Execution

This high impact vulnerability exists in Windows Event Tracing and could lead to a ‘Remote Code Execution’ attack. It carries a CVSS score of 8.8. The vulnerability is significant for the following reasons:

  • Non-admin users can launch an attack on the target server.
  • The authenticated attacker could potentially take advantage of this vulnerability to execute malicious code through the Event Log’s Remote Procedure Call (RPC) endpoint on the server-side.
  • As a default configuration, access to the event log service endpoint is blocked. If you run the default configuration, the vulnerability stands mitigated.

For a permanent solution, you still need to patch the Windows Server 2019 with KB5011503 cumulative security update.

CVE-2022-23286 – CVSS 7 – Elevation of Privileges

This high impact vulnerability is an ‘Elevation of Privilege’ vulnerability that affects the Windows Cloud Files Mini driver. However, the attack complexity for this vulnerability is high and it is not easy to exploit it. Mitigation lies in patching the Windows Server 2019 with KB5011503 cumulative security update.

CVE-2022-23285 – CVSS 8.8 – Remote Code Execution

CVE-2022-23285 is a CVSS 8.8 vulnerability that could allow an attacker to launch a ‘Remote Code Execution’ attack on a vulnerable Remote Desktop client machine. This vulnerability is highly likely to be exploited. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. Mitigation lies in patching the Windows Server 2019 with KB5011503.

CVE-2022-23253 – CVSS 6.5 – Denial of Service

CVE-2022-23253 is a medium impact vulnerability that affects the Point to Point Tunneling Protocol. It can lead to DoS or Denial of Service on the VPN endpoints, leading to failed VPN connectivity between two VPN sites. The vulnerability is patched as part of the KB5011503 LCU for Windows Server 2019.

CVE-2022-21999 – CVSS 7.8 – Elevation of Privilege

This vulnerability resides in the Windows Print Spooler service and carries a CVSS score of 7.8. It has a high impact on the affected infrastructure. Incidentally, this vulnerability was fixed in the security update KB5010351 for the month of February. If you did not patch your servers in February, the March update will patch this vulnerability as well.

CVE-2022-22000 – CVSS 7.8 – Elevation of Privilege

This vulnerability resides in the Windows Common Log File System Driver and was resolved as part of the February security update, KB5010351. It has a high impact on the target server and associated infrastructure. However, if you did not patch it last month, the current month’s KB5011503 update will resolve this vulnerability. No further action is required once the server has been patched with KB5011503.

CVE-2022-22718 – CVSS 7.8 – Elevation of Privilege

Another vulnerability on the Windows Print Spooler service. This vulnerability has a CVSS score of 7.8. It was resolved as part of February updates for Windows Server 2019 KB5010351. If you did not patch the vulnerability at that point in time, the current month’s update will resolve the security vulnerability. No further action is needed once the server is patched with KB5011503.

Apart from the vulnerabilities mentioned above, there are other vulnerabilities that have a high impact but are less likely to be exploited. Examples are CVE-2022-23287 and CVE-2022-23284, which pose a high threat to the affected Windows Server infrastructure. However, these vulnerabilities are unlikely to be exploited and have not been publicly disclosed.

How can I get KB5011503 cumulative update?

KB5011503 is available through regular Windows update channels. Before installing KB5011503, you need to ensure that the Service Stack Update KB5005112 is installed on Windows Server 2019. The SSU update is a small file of 13.8 MB. Once you have installed the SSU KB5005112, you could choose to deploy KB5011503 LCU on the Windows Server 2019 in any of the following ways:

  • KB5011503 can be downloaded and applied automatically using Windows Update.
  • Windows Update for Business can be used to deploy KB5011503.
  • WSUS or Windows Server Update Service can be configured to import the security updates for product type Windows Server 2019. WSUS will import and patch the server automatically.
  • Or, you could deploy KB5011503 manually through the Microsoft Update Catalog website. Download the MSU file for x64 systems from the catalog page. It is 560 MB in size.

Do remember that the server may require a reboot after deploying the KB5011503 patch on Windows Server 2019. Thankfully, early adopters have given positive feedback on the security update. No issues are reported after patching the servers with KB5011503.
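The prerequisite and build checks described above can be scripted. The following PowerShell is an added example, not part of the original article or any Microsoft tooling; it assumes that `Get-HotFix` lists the KBs on the server and uses the Component Based Servicing `RebootPending` registry key as the reboot indicator.

```powershell
# Added example: verify the SSU prerequisite and the KB5011503 patch level.
$SsuKb       = 'KB5005112'   # servicing stack update named in this article
$LcuKb       = 'KB5011503'   # March 2022 cumulative update
$TargetBuild = 17763         # Windows Server 2019 build number
$TargetUbr   = 2686          # revision after KB5011503 (OS Build 17763.2686)

function Get-OsBuild {
    # CurrentBuildNumber and UBR together form the "OS Build" shown by winver.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuildNumber; Ubr = [int]$cv.UBR }
}

function Test-KbInstalled([string]$Id) {
    # Assumption: the KB appears in Win32_QuickFixEngineering, which Get-HotFix reads.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

$os = Get-OsBuild
$report = [pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    OsBuild       = '{0}.{1}' -f $os.Build, $os.Ubr
    SsuInstalled  = Test-KbInstalled $SsuKb
    LcuListed     = Test-KbInstalled $LcuKb
    # A later cumulative update raises the UBR further, so compare with -ge.
    AtPatchLevel  = ($os.Build -eq $TargetBuild -and $os.Ubr -ge $TargetUbr)
    RebootPending = Test-Path ('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\' +
                               'Component Based Servicing\RebootPending')
}
$report | Format-List

if ($os.Build -ne $TargetBuild) {
    Write-Warning "Build $($os.Build) is not 17763; $LcuKb does not apply here."
} elseif ($report.AtPatchLevel) {
    Write-Output "Patched: OS build $($report.OsBuild) includes the $LcuKb fixes."
} elseif ($report.RebootPending) {
    # The UBR only changes after the restart that completes servicing.
    Write-Warning 'A servicing reboot is pending; restart, then re-run this check.'
} elseif (-not $report.SsuInstalled) {
    Write-Warning "Install SSU $SsuKb first, then deploy $LcuKb."
} else {
    Write-Warning "Below 17763.$TargetUbr; $LcuKb (or a later LCU) is still missing."
}
```

Run it from an elevated PowerShell session on each server, or wrap it in `Invoke-Command` to collect the report object across a fleet.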

Summary

KB5011503 follows the KB5010351 security update and the KB5010427 preview update. The update takes care of security threats on Windows Server 2019. Out of the 7 vulnerabilities that are likely to be exploited, there are a few that have high CVSS scores and high impact on the affected infrastructure. We advise installing KB5011503 on Windows Server 2019 at your earliest convenience. Do make sure you have SSU KB5005112 installed on the server prior to installing KB5011503.
