KB5011535 Monthly Rollup Update for Windows Server 2012 – March Updates

Microsoft published the monthly rollup update for Windows Server 2012 on 8th March 2022. The monthly rollup contains security updates and non-security improvements for Windows Server 2012. It supersedes the February monthly rollup update, KB5010392. We discuss the vulnerabilities that are resolved by the KB5011535 update, as well as the feature improvements included in this month's rollup update for Windows Server 2012.

Salient points about monthly rollup update KB5011535 for Windows Server 2012

  • Monthly rollup KB5011535 contains all changes that are a part of KB5011527.
  • The update file for x64 servers is 398.7 MB in size.
  • KB5011535 supersedes KB5010392. There has been no preview or optional update for Windows Server 2012 between February and March monthly rollup updates.
  • The .NET Framework on Windows Server 2012 needs to be updated. The January updates affected the framework, causing issues in Active Directory trust relationships.
  • A couple of zero-day vulnerabilities have been resolved in the KB5011535 update.
  • The five vulnerabilities that are likely to be exploited or are publicly disclosed are covered below.
  • The update may require server reboot. Plan your change ticket accordingly.

What vulnerabilities are resolved in KB5011535?

The March security updates address 71 vulnerabilities. Of these, 3 are zero-day vulnerabilities. The zero-day vulnerabilities for March are:

  • CVE-2022-21990 – This vulnerability affects Windows Server 2012 too. It is a CVSS 8.8 remote code execution vulnerability in the Windows Remote Desktop Client software. It is mitigated in KB5011527 and KB5011535.
  • CVE-2022-24512 – .NET Remote Code Execution with a CVSS score of 6.3. There is a separate patch for resolving the .NET vulnerability.
  • CVE-2022-24459 – Elevation of Privilege vulnerability in the Windows Fax and Scan Service. It has a CVSS score of 7.8 with high impact on the affected infrastructure. This vulnerability affects Windows Server 2012 as well. It is mitigated in KB5011527 and KB5011535.

Apart from the zero-day vulnerabilities mentioned above, there are other vulnerabilities that are more likely to be exploited. The following security vulnerabilities have been resolved in KB5011535 for Windows Server 2012:

CVE-2022-24502 – CVSS 4.3 – Windows HTML Platforms Security

CVE-2022-24502 affects all Windows versions, including Windows Server 2012. It is more likely to be exploited. This vulnerability affects the MSHTML platform and the scripting engine used by browsers. Mitigation of this vulnerability lies in patching with KB5011527 or KB5011535.

Apart from the vulnerabilities stated above, there may be other vulnerabilities that are less likely to be exploited or that have not been publicly disclosed. To keep things tidy and manageable, we have limited our discussion to the vulnerabilities that are more likely to be exploited.

CVE-2022-23299 – CVSS 7.8 – Elevation of Privilege

This is another high-impact vulnerability. It exists in Windows PDEV and can lead to ‘Elevation of Privilege’ on Windows Server 2012. It carries a CVSS score of 7.8. A Windows PDEV is a logical representation of the physical device. It is characterized by the type of hardware, the logical address, and the surfaces that can be supported.

The vulnerability has been patched in KB5011527 and KB5011535 for Windows Server 2012.

CVE-2022-23294 – CVSS 8.8 – Remote Code Execution

This high-impact vulnerability exists in Windows Event Tracing and could lead to a ‘Remote Code Execution’ attack. It carries a CVSS score of 8.8. The following points make this vulnerability significant:

  • Non-admin users can launch an attack on the target server.
  • The authenticated attacker could potentially take advantage of this vulnerability to execute malicious code through the Event Log’s Remote Procedure Call (RPC) endpoint on the server-side.
  • By default, access to the event log service endpoint is blocked. If you run the default configuration, the vulnerability stands mitigated.

For a permanent solution, you still need to patch Windows Server 2012 with the KB5011527 security update or the KB5011535 monthly rollup update.
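The default-configuration point above can be verified per server. The following is an added example, not part of the original article: it assumes the default block corresponds to the built-in inbound Windows Firewall rule group "Remote Event Log Management" (English display name) being disabled, and reports any rule in that group that is enabled and allowing traffic.

```powershell
# Added example (not from the original article). Assumption: the default block is the
# disabled inbound firewall group "Remote Event Log Management" (English display name).
$group = 'Remote Event Log Management'

# ActiveStore is the effective policy: local rules merged with Group Policy rules
$rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup $group -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' })

# A rule exposes the endpoint only when it is both enabled and set to Allow
$exposed = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })

# For each exposing rule, show which profiles and remote addresses it applies to
foreach ($rule in $exposed) {
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
}

if ($rules.Count -eq 0) {
    Write-Output "No inbound rules found for '$group'; check the display name for this OS language."
} elseif ($exposed.Count -eq 0) {
    Write-Output "Default state: all $($rules.Count) inbound '$group' rules are disabled or blocking."
} else {
    Write-Output "$($exposed.Count) inbound rule(s) allow remote event log access; patch first and restrict RemoteAddress."
}
```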

CVE-2022-23285 – CVSS 8.8 – Remote Code Execution

CVE-2022-23285 is a CVSS 8.8 vulnerability that could allow an attacker to launch a ‘Remote Code Execution’ attack on a vulnerable Remote Desktop client machine. This vulnerability is highly likely to be exploited. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. Mitigation lies in patching Windows Server 2012 with KB5011527 or KB5011535.

CVE-2022-23253 – CVSS 6.5 – Denial of Service

CVE-2022-23253 is a medium-impact vulnerability that affects the Point-to-Point Tunneling Protocol. It can lead to Denial of Service (DoS) on the VPN endpoints, causing VPN connectivity between two VPN sites to fail. The vulnerability is patched as part of the KB5011535 monthly rollup update for Windows Server 2012.

How can I get KB5011535 for Windows Server 2012?

The monthly rollup update for Windows Server 2012 is available through the regular Windows Update channel. Before applying the patch on Windows Server 2012, please ensure that you have installed the KB5011572 Servicing Stack Update (SSU) on the server. The SSU can be applied through Windows Update or through the Microsoft Update catalog. You can download KB5011571 from this page on the Microsoft Update catalog. The update file is 9.7 MB in size. Once the SSU has been installed, you can proceed with installing the KB5011535 update on Windows Server 2012.

You could apply the KB5011535 update in one of the following ways:

  • KB5011535 can be applied through the Windows Update program.
  • KB5011535 can be applied automatically through WSUS or the Windows Update Service.
  • You can download the monthly rollup update KB5011535 from the Microsoft Update catalog. It is available for download from this page. The update file is 398.7 MB in size.

January issues resolved in KB5011535 for Windows Server 2012

A couple of outstanding issues from the January 2022 updates have been resolved through the KB5011535 security update. The resolved issues include:

  • Issues with the Active Directory Domains and Trusts snap-in and Netdom.exe have been resolved.
  • An out-of-band update for resolving .NET Framework issues has been released. This update fixes the .NET Framework issues on Windows Server 2012 that came up after the January updates were deployed on the server.

.NET Framework Update – Windows Server 2012

The .NET Framework on Windows Server 2012 needs to be updated. There have been issues in the Active Directory trust relationships since the January 2022 update. To resolve these issues, the .NET Framework needs to be patched. Depending on the .NET Framework version on your server, take one of the following approaches to resolve the .NET Framework issue on Windows Server 2012.

  • .NET Framework 4.8 on Windows Server 2012 is to be patched with KB5011265. The update file measures only 362 KB.
  • .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 or 4.7.2 is to be patched with KB5011262. The update file measures only 375 KB.
  • .NET Framework 4.5.2 is to be patched with KB5011260. The update file has a size of 54.3 MB for Windows Server 2012.
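The installation order described earlier (SSU, then KB5011535 or KB5011527) and the version-to-KB mapping in the list above can be audited on a host in one pass. This is an added example, not part of the original article: it reads the .NET Framework `Release` registry value, picks the matching KB from the list above, and checks the installed hotfix list. It accepts either SSU number, because the article names both KB5011572 and KB5011571.

```powershell
# Added example (not from the original article): audit one Windows Server 2012 host
# against the KB numbers named on this page.
# Get-HotFix reads Win32_QuickFixEngineering; updates installed by other means may not be listed.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

function Test-AnyKb {
    param([string[]]$Ids)
    # True when at least one of the given KB ids is installed
    return [bool]($Ids | Where-Object { $installed -contains $_ })
}

# .NET Framework 4.x version is derived from the documented Release DWORD
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release

# Thresholds are the minimum Release values from Microsoft's version-detection guidance
if     ($release -ge 528040) { $netLabel = '4.8';         $netKb = 'KB5011265' }
elseif ($release -ge 393295) { $netLabel = '4.6 - 4.7.2'; $netKb = 'KB5011262' }
elseif ($release -ge 379893) { $netLabel = '4.5.2';       $netKb = 'KB5011260' }
else                         { $netLabel = 'older than 4.5.2 or not found'; $netKb = $null }

$report = [ordered]@{
    # The article gives two numbers for the SSU; either one counts as present here
    'Servicing stack update'  = Test-AnyKb 'KB5011572','KB5011571'
    # Monthly rollup or the security-only update that the rollup includes
    'March 2022 OS update'    = Test-AnyKb 'KB5011535','KB5011527'
    '.NET Framework detected' = $netLabel
    '.NET update required'    = $netKb
    '.NET update installed'   = if ($netKb) { Test-AnyKb $netKb } else { $null }
}
[pscustomobject]$report | Format-List
```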

Summary

The KB5011535 monthly rollup update for Windows Server 2012 addresses issues reported after the January updates. It also patches five vulnerabilities that affect all Windows versions and were reported during February and March. A few performance improvements are also part of the KB5011535 monthly update.
