The cumulative security update for Windows Server 2016 and Windows Server 2016 Server Core Installation has been released on 12th April 2022. KB5011296 security update supersedes the previous month’s security update KB5011495. If you have not patched the Windows Server 2016 or Windows Server 2016 (Server Core Installation), please follow the instructions given in the document for KB5011495. Over here, we will look at the key aspects of the KB5012596 cumulative security update. We will also list the vulnerabilities that affect Windows Server 2016 and Windows Server 2016 (Server Core Installation).
Salient points about KB5012596 for Windows Server 2016 and Windows Server 2016 (Server Core Installation)
- KB5012596 supersedes KB5011495 for Windows Server 2016 and Windows Server 2016 Server Core Installation.
- KB5011570 SSU needs to be installed prior to patching Windows Server 2016 with KB5012596.
- Two zero-day vulnerabilities affect Windows Server 2016 and Windows Server 2016 Server Core. Both are patched as part of KB5012596. The zero-day threats are CVE-2022-26904 and CVE-2022-24521.
- Over and above the zero-day threats, we found 12 other threats of critical or high significance for Windows Server 2016. Details are shared below. Some of these have a CVSS score of 9.8.
- The server requires a reboot after the deployment of KB5012596.
- The update file for KB5012596 is 1544.6 MB in size. Please plan a change ticket as the update process may not be as brisk as you want it to be.
- KB5012596 resolves the issue with resetting passwords on the Windows Server 2016 after the passwords have expired.
- If you did not install KB5011495, KB5012596 can be deployed straight away.
KB5013952 is the cumulative update for Windows Server 2016 for the month of May 2022. You can read more about the May month’s KB5013952 cumulative update for Windows Server 2016 on this page.
Zero-Day Vulnerabilities on Windows Server 2016
There are two zero-day vulnerabilities that affect Windows Server 2016 and Windows Server 2016 (Server Core Installation). Both are patched as part of the KB5012596 security update released on 12th April. We list the vulnerabilities with a brief description below:
CVE-2022-26904 – CVSS 7 – Windows User Profile Service
KB5012596 security update contains a fix for the zero-day vulnerability in the User Profile Service on Windows operating system across the server and desktop versions. The vulnerability carries a CVSS score of 7 and has a ‘high impact’ on the associated infrastructure based on the Windows Server or Desktop operating systems. It could be exploited and lead to the elevation of privileges on the Windows Server 2016.
Since this vulnerability is publicly known and is more likely to be exploited, we suggest deploying the KB5012596 security updates for April Patch Tuesday on a priority basis.
CVE-2022-24521 – CVSS 7.8 – Windows Log File System Driver
This is the second zero-day vulnerability disclosed by Microsoft on 12th April. It affects the Windows Log File System Driver and can lead to ‘Elevation of Privileges’. It has not been publicly shared earlier. However, the vulnerability has been found to be under active exploitation attempts. It carries a CVSS score of 7.8, leading to a high-level impact on the target Windows Server 2016. KB5012596 resolves the security threat on Windows Server 2016 and Windows Server 2016 (Server Core).
Other Vulnerabilities on Windows Server 2016 – KB5012596
We list the vulnerabilities that carry significant risks for the infrastructure compirsing of Windows Server 2016. All these vulnerabilities are more likely to be exploited on Windows Server 2016 or Windows Server 2016 Server Core installation.
- CVE-2022-24474 – Windows Win32k Elevation of Privilege Vulnerability – This vulnerability exists in the Win32K module and can cause ‘Elevation of Privileges’ on the target Windows 2016 server. It has a CVSS score of 7.8 and a high impact on the associated infrastructure.
- CVE-2022-24481 – Windows Common Log File System Driver Elevation of Privilege Vulnerability – This vulnerability exists in the Windows Common Log File System Driver and could lead to ‘elevation of privileges’. The CVSS score is 7.8.
- CVE-2022-24491 – Windows Network File System Remote Code Execution Vulnerability – This is a Remote Code Execution vulnerability on the Windows Network File System. It has a critical severity with a CVSS score of 9.8.
- CVE-2022-26809 – Remote Procedure Call Runtime Remote Code Execution Vulnerability – This is a critical Remote Code Execution vulnerability with a CVSS score of 9.8. You can mitigate this vulnerability from external traffic by blocking TCP port 445 on the firewall. For the internal traffic, you will need to take steps to secure the SMB traffic.
- CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability – This is the zero-day vulnerability that has already been discussed above.
- CVE-2022-24542 – Windows Win32k Elevation of Privilege Vulnerability – This vulnerability affects the Win32K module and could lead to ‘Elevation of Privileges’. It has a CVSS score of 7.8.
- CVE-2022-24547 – Windows Digital Media Receiver Elevation of Privilege Vulnerability – This is an Elevation of Privilege vulnerability with a CVSS score of 7.8. It affects the Windows Digital Media Receiver on specific versions of Windows operating systems.
The zero-day vulnerability CVE-2022-26904 is also more likely to be exploited. However, no exploitation attempt has been detected by Microsoft as yet.
RCE Vulnerabilities Windows Server 2016 – KB5012596
Over and above the vulnerabilities that we have shared above, there are a few more security threats that you need to be aware of. All these vulnerabilities can lead to ‘Remote Code Execution.
These RCE vulnerabilities have critical severity or high-level impact on your infrastructure. The vulnerabilities of interest are mentioned below for a quick summary and action points:
- CVE-2022-24497 – CVSS 9.8 – RCE on Windows Network File System.
- CVE-2022-24541 – CVSS 8.8 – RCE on Windows Server Service.
- CVE-2022-24500 – CVSS 8.8 – RCE on Windows SMB.
- CVE-2022-26919 – CVSS 8.1 – RCE on Windows LDAP.
- CVE-2022-22008 – CVSS 7.7 – RCE on Hyper-V.
- CVE-2022-24537 – CVSS 7.7 – RCE on Hyper-V.
SSU with KB5012596 for Windows Server 2016
Servicing Stack Update KB5011570 will need to be deployed prior to installing the KB5012596 security update for Windows Server 2016. If you will use the Windows Update for automatic patching, KB5011570 will be deployed automatically before KB5012596 is deployed. If you will patch the Windows Server 2016 manually, please download the SSU KB5011570 from this page to patch it before deploying KB5012596. The SSU update is a small file of 11.6 MB.
How to get KB5012596 for Windows Server 2016?
All regular methods to update Windows Server 2016 are available for installing the KB5012596. Windows Server 2016 can be patched in any of the following methods.
- Windows Update can be used to automatically deploy KB5012596. SSU KB5011570 will be deployed automatically.
- Windows Update for Business can deploy KB5012596 and the SSU KB5011570 automatically.
- WSUS can be used for automatic patching of Windows Server 2016. Both, KB5011570 and KB5012596 will be installed automatically.
- You can choose to manually install the KB5012596 cumulative security update. The file is a little over 1.5 GB in size and downloaded from this KB5012596 page.
KB5012596 – Other Issues resolved in security update
- KB5012596 also resolves CVE-2022-26784, a Denial of Service vulnerability on the Cluster Shared Volumes (CSV). This is a CVSS 6.5 vulnerability.
- .NET framework issues with Active Directory Trust information developed post-deployment of January updates. The .NET framework on Windows Server 2016 and the Windows Server 2016 Server Core need to be upgraded with the corresponding .NET patches.
- .NET Framework 4.6.2, 4.7, 4.7.1 or 4.7.2 should be patched with KB5011329. File size is 371 KB.
- .NET Framework 4.8 should be patched with KB5011264. File size is 358 KB.
- There have been reports of the Recovery Discs not working after deployment of January security updates. The recovery discs created through the Backup and Restore program do not load on the affected servers. This issue remains unresolved for now.
- The KB5012596 security update also resolved the issue with password reset problems. KB5012596 addresses an issue that prevents you from changing a password that has expired when you sign in to a Windows device.
KB5012596 supersedes KB5011495 security update and resolves zero-day vulnerabilities. It also resolves issues with password reset on the servers after deploying the January updates. SSU KB5011570 will need to be installed before deployin KB5012596. We also suggest patching the .NET Framework with the corresponding .NET patches for Windows Server 2016.
You may also like to read the following content related to Windows Updates:
- Zero-day vulnerability in Microsoft April Updates
- KB5011495 for Windows Server 2016 – March Security Update
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.