KB5011527 for Windows Server 2012 – March Update

Microsoft released a security update and monthly rollup updates for Windows Server 2012 as part of the ‘Patch Tuesday’ program for the month of March 2022. Windows Server 2012 is already the end of mainstream support. Therefore, KB5011527 is to be applied manually. KB5011535, the monthly rollup update can be applied through regular methods that include Windows Update.

The security-only update contains security fixes only. The monthly rollup update will include security and non-security improvements. If you choose to deploy the monthly rollup update for Windows Server 2012, you need not deploy the security-only update. The monthly rollup update is cumulative in nature and contains the current month’s security update as well.

Salient points about security only update KB5011527:

  • Before deploying KB5011527, you will need to deploy all the previous security only updates.
  • You will need to deploy SSU or Service Stack Update KB5011571 on the Windows Server 2012.
  • You will also need to deploy Internet Explorer or IE cumulative update KB5011486. This update can be downloaded from the catalog.
  • The KB5011527 update file is 55.6 MB in size.
  • No adverse feedback shared by early adopters of KB5011527 security only update.
  • This update may require the server to reboot.

What vulnerabilities are resolved in KB5011527 for Windows Server 2012?

There have been 71 vulnerabilities that have been addressed as part of the March security updates. Of these, there are 3 Zero-day vulnerabilities. The zero-day vulnerabilities for March month are:

  • CVE-2022-21990 – this vulnerability affects Windows Server 2012 too. It is a CVSS 8.8 remote code execution vulnerability on the Windows Remote Desktop Client software. This is mitigated in KB5011527.
  • CVE-2022-24512 – .NET Remote Code Execution with CVSS score of 6.3. There is a separate patch for resolving this .NET vulnerability.
  • CVE-2022-24459 – Elevation of Privilege vulnerability on Windows Fax and Scan Service. It has a CVSS score of 7.8 with high impact on the affected infrastructure. This vulnerability affects the Windows Server 2012 as well. This is mitigated in KB5011527.

Apart from the zero-day vulnerabilities mentioned above, there are other vulnerabilities that are more likely to be exploited. The following security vulnerabilities have been resolved in KB5011527 for Windows Server 2012:

CVE-2022-24502 – CVSS 4.3 – Windows HTML Platforms Security

CVE-2022-24502 affects all the Windows versions including the Windows Server 2012. It is more likely to be exploited. This vulnerability affects the MSHTML platform and the scripting engine used by browsers. Mitigation of this vulnerability lies in patching with KB5011527.

Apart from the vulnerabilities stated above, there may be other vulnerabilities that are less likely to be exploited or these may not have been publicly disclosed. To keep things tidy and manageable, we have limited our discussion to the vulnerabilities that are more likely to be exploited.

CVE-2022-23299 – CVSS 7.8 – Elevation of Privilege

This is another high impact vulnerability that exists in Windows PDEV and can lead to the ‘Elevation of Privilege’ on the Windows Server 2012. It carries a CVSS score of 7.8. A Windows PDEV is a logical representation of the physical device. It is characterized by the type of hardware, logical address, and surfaces that can be supported. 

The vulnerability has been patched in KB5011527 for Windows Server 2012.

CVE-2022-23294 – CVSS 8.8 – Remote Code Execution

The high impact vulnerability exists in Windows Event tracing and could lead to a ‘Remote Code Execution’ attack. This is a CVSS 8.8 score. This vulnerability assumes significance in the light of the following points:

  • Non-admin users can launch an attack on the target server.
  • The authenticated attacker could potentially take advantage of this vulnerability to execute malicious code through the Event Log’s Remote Procedure Call (RPC) endpoint on the server-side.
  • As a default configuration, access to the event log service endpoint is blocked. If you run the default configuration, the vulnerability stands mitigated.

For a permanent solution, you still need to patch the Windows Server 2012 with KB5011527 security update or monthly rollup update.

CVE-2022-23285 – CVSS 8.8 – Remote Code Execution

CVE-2022-23285 is a CVSS 8.8 vulnerability that could allow an attacker to launch a ‘Remote Code Execution’ attack on a vulnerable Remote Desktop client machine. This vulnerability is highly likely to be exploited. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. Mitigation lies in patching the Windows Server 2012 with KB5011527.

CVE-2022-23253 – CVSS 6.5 – Denial of Service

CVE-2022-23253 is a medium impact vulnerability that affects the Point to Point Tunneling Protocol. It can lead to DoS or Denial of Service on the VPN endpoints, leading to failed VPN connectivity between two VPN sites. The vulnerability is patched as part of the KB5011527 security update for Windows Server 2012.

How can I get the KB5011527 security update for Windows Server 2012?

You can deploy the KB5011527 security update manually. The update process is a bit complicated for Windows Server 2012. Before you implement the KB5011527 on Windows Server 2012, you will need to deploy two additional updates:

  • Service Stack update KB5011571 for Windows Server 2012 needs to be downloaded manually and deployed on the Windows Server 2012. You can download it from the Microsoft catalog. The update file has a size of 9.7 MB.
  • Once the SSU is deployed, you will need to install IE cumulative update for March 2022. This update, KB5011486 can be downloaded from the Microsoft Update catalog.

The previous month’s security update should have already been installed. If you have not done that, please follow the instructions about updating Windows Server 2012 with the February month’s update KB5010412.

Upon installing these two updates, you can proceed with the deployment of KB5011527 on Windows Server 2012. Here are the two ways in which you can implement the KB5011527 security update on Windows Server 2012:

  • You can use the WSUS or Windows Server Update Service to import KB5011527 manually. Once imported into the WSUS queue, the update can be pushed on the server.
  • You can download the KB5011527 manually through the Windows Update catalog page here. The MSU update file is of 55.6 MB.

The server may restart to complete the update process.

January issues resolved in KB5011527 for Windows Server 2012

A couple of outstanding issues from January 2022 updates have been resolved through the KB5011527 security update on Windows Server 2012. The issues that have been resolved include:

  • Issues with Active Directory Domains and Trust and Netdom.exe snap-ins have been resolved.
  • An out of band update for resolving .NET framework issues has been released. This update will fix issues on .NET framework for Windows Server 2012. The .NET issue came up after deployment of January updates on the server.

Update .NET framework on Windows Server 2012

The .NET framework needs to be updated manually by using the corresponding update file. Depending on the .NET framework running on the server, you will need to update or apply the patch to the framework as per the information below.

  • .NET framework 4.8 on Windows Server 2012 to be patched with KB5011265. The update file measures only 362 KB.
  • .NET framework  4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 or 4.7.2  to be patched with KB5011262. The update file measures only 375 KB.
  • .NET framework 4.5.2 to be patched with KB5011260. The update file has a size of 54.3 MB for Windows Server 2012.

You would need to patch the security update and upgrade the .NET framework on Windows Server 2012.

Summary

Windows Server 2012 needs to be patched with KB501527 security only update. Alternatively, you may choose to deploy the monthly rollup update KB5011535 on Windows Server 2012. Before you install the patch on Windows Server 2012, please make sure that you have deployed all the previous security updates, KB5011571 SSU and KB5011486 IE cumulative update. Early adopters of the security only update KB5011527 have not reported any adverse impact on the server post updates. So, you may patch the servers without much problems.

You may also like to read more content related to Windows Updates: