KB5013942 Cumulative Update for Windows Server 20H2 Server Core Installation – 10th May, 2022

KB5013942 is the cumulative update for Windows Server 20H2 Server Core Installation. It supersedes April’s cumulative update for Windows Server 20H2 Server Core. KB5012599 is the security update for April. We look at the key aspects of KB5013942 and how it helps us resolve the security threats on the Windows Server 20H2 Server Core Installation.

Salient points about KB5013942 for Windows Server 20H2 Server Core Installation

  • KB5013942 is a cumulative update.
  • KB5013942 supersedes the KB5012599 cumulative update that was released in April 2022.
  • Windows Server 20H2 Server Core Installation is affected by two zero-day vulnerabilities. CVE-2022-22713 and CVE-2022-26925 impact the server.
  • Windows Server 20H2 Server Core Installation is also affected by the Active Directory Domain Services vulnerability, CVE-2022-26923.
  • The size of the MSU update file for KB5013942 for x64 systems is 666.5 MB.
  • The size of the MSU update file for KB5013942 for ARM64 systems is 696.8 MB.
  • You ought to have installed the cumulative update released in May 2021, KB5003173. If Windows Server 20H2 Server Core has KB5003173 or any later cumulative update, no further action is needed to deploy KB5013942.
  • If the Windows Server 20H2 version has not been patched since April 2021, you can skip all the cumulative updates by installing a special SSU update, KB5005260. KB5005260 was released in August 2021. It is a very small update. The file sizes for x64 and ARM64 systems are under 15 MB.
  • There have been reports of authentication issues on the domain controllers that have been patched with May updates. The issue can affect Windows Server 20H2 based domain controllers. To mitigate the issue, Microsoft has released emergency out-of-band updates for Windows Server 20H2. You can read more about the OOB update KB5015020 for Windows Server 20H2 version below.

KB5015020 out-of-band update for Windows Server 20H2

KB5015020 is an out-of-band update that was released by Microsoft on 19th May. It contains a fix for the authentication issues on the domain controllers based on Windows Server 20H2. Here is a brief issue description shared by Microsoft about the authentication problems on domain controllers:

“Addresses a known issue that might prevent some services from authenticating machine accounts on clients or servers. This issue occurs after you install the May 10, 2022 update on domain controllers.”

Salient points about KB5015020 for Windows Server 20H2:

  • KB5015020 is a cumulative update. It supersedes May’s cumulative update, KB5013942.
  • If you have not installed KB5013942 on Windows Server 20H2, you can skip it. You can deploy the KB5015020 cumulative update on the Windows Server 20H2 as it contains all the changes that are part of the KB5013942 update.
  • If you have already installed KB5013942 on Windows Server 20H2, you should still patch the server with KB5015020. In this case, only the incremental changes of KB5015020 will be installed on the Windows Server 20H2.
  • KB5015020 cannot be deployed through Windows Update, WSUS, or Microsoft Update for Business. KB5015020 has to be installed manually.
  • You can download KB5015020 from the Microsoft Update Catalog.
  • The size of the update file for x64 systems is 665 MB.
  • The size of the update file for ARM64 systems is 699 MB.

KB5013942 – Zero-day Vulnerabilities on Windows Server 20H2 Server Core Installation

In all, Microsoft has released a list of 75 vulnerabilities as part of the May security updates. Out of these, there are 3 zero-day vulnerabilities. Two of these zero-day vulnerabilities affect Windows Server 20H2 Server Core Installation. It is also affected by the Active Directory Domain Services vulnerability. We share the details of all these vulnerabilities below.

CVE-2022-26925 – Windows LSA Spoofing Vulnerability

This zero-day vulnerability is publicly known and exploitation attempts have already been detected. It is a CVSS 8.1 vulnerability that involves LSA spoofing. It can also be combined with NTLM relay attacks or the PetitPotam vulnerability to cause damaging attacks on the server. If PetitPotam and the LSA spoofing vulnerability are used in combination, the combined CVSS rating would be 9.8. This underlines the severity of the LSA spoofing vulnerability.

  • An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows them.
  • NTLM relay attacks on the domain controllers could be used in conjunction with CVE-2022-26925. You must take the mitigation steps mentioned in the security update KB5005413 to enable Extended Protection for Authentication on the domain controllers, including the domain controllers based on Windows Server 20H2 Server Core Installation. The NTLM relay attacks are part of the PetitPotam vulnerability on the Windows servers and domain controllers.
  • Since this is a man-in-the-middle (MITM) attack, the attack complexity is high and it is rated as AC: H.

This vulnerability is patched in KB5013942 for Windows Server 20H2 Server Core Installation. Domain controllers should be patched on a priority basis. However, Microsoft has also shared that installing the May security updates on domain controllers may lead to authentication errors on client machines. It has informed the US CISA about the various authentication issues that affect the Windows Server 20H2 Server Core Installation.

Microsoft has acknowledged an issue that may arise on domain controllers that have been patched with KB5013942. The issue can, in fact, arise on any domain controller that is patched with the May updates that resolve CVE-2022-26925.

After installing the May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller.

CISA has issued a clarification in regard to the issues arising out of patching domain controllers with a fix for CVE-2022-26925. You can read more about it on the CISA site. This leaves administrators in a fix: should the domain controllers be patched with the May updates or not? We suggest adding the patch to the server. If you run into authentication issues that affect the business side of things, you may uninstall the patch. CVE-2022-26925 is a critical vulnerability. It may not be a good idea to leave it unattended.

CVE-2022-22713 – Windows Hyper-V Denial of Service Attack

CVE-2022-22713 has a CVSS score of 5.6. It is publicly disclosed. An attacker needs to win a race condition to cause potential damage to Windows Server 20H2 Server Core installation. Attack complexity is AC: H or high. This vulnerability is patched as part of the KB5013942 cumulative update for Windows Server 20H2 Server Core installation.

Other Vulnerabilities on Windows Server 20H2 Server Core Installation

There may be other vulnerabilities that affect Windows Server 20H2 Server Core installation. Of particular interest is the Active Directory Domain Services vulnerability.

CVE-2022-26923 is a critical vulnerability with a CVSS score of 8.8. It affects Active Directory Domain Services and arises from the Certificate Services running on the server. There is no fix available for the Active Directory Domain Services vulnerability.

An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. The only mitigating recommendation, for now, is to turn off the Active Directory Certificate Services on the domain.

We expect CVE-2022-26923 to be exploited in the next few days and weeks. We also expect a patch to resolve this vulnerability. For now, we suggest applying the mitigation suggested.

Prerequisites for KB5013942 on Windows Server 20H2 Server Core Installation

There is a single dependency for KB5013942 on Windows Server 20H2 Server Core Installation.

  • You need a cumulative update of May 2021 on Windows Server 20H2 Server Core Installation. Any cumulative update that has been deployed after the May 2021 update will also suffice. KB5003173 is the cumulative update that was released for Windows Server 20H2 Server Core in May 2021. If you have not patched Windows Server 20H2 since May 2021, you can skip the cumulative updates and install a standalone update, KB5005260 on the Windows Server 20H2 Server Core.
  • KB5005260 needs to be deployed if you have not installed cumulative updates on Windows Server 20H2 Server Core since May 2021. KB5005260 can be downloaded from the Microsoft Update Catalog page for KB5005260. The MSU update files for x64 and ARM64 are well under 15 MB.

So, either patch Windows Server 20H2 Server Core with May 2021 or later cumulative update or install KB5005260 on the server.
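
The prerequisite and supersedence rules above, expressed as a PowerShell check (an added example, not Microsoft's tooling or code from the original article). The function name, its parameters and the sample inventory are hypothetical; the KB numbers are the ones named in this article.

```powershell
# Added example. KB numbers come from this article; names below are hypothetical.
function Get-Kb5013942Plan {
    param(
        [string[]]$InstalledKb,       # e.g. (Get-HotFix).HotFixID
        [bool]$IsDomainController
    )
    # Cumulative updates named in the article that meet the May 2021 baseline.
    # Any other cumulative update released after May 2021 also qualifies,
    # so extend this list for your environment (assumption: it is incomplete).
    $baseline = 'KB5003173', 'KB5012599', 'KB5013942', 'KB5015020'
    $ssu      = 'KB5005260'

    $hasOob    = $InstalledKb -contains 'KB5015020'
    $hasMayCu  = $InstalledKb -contains 'KB5013942'
    $prereqMet = [bool]($InstalledKb | Where-Object { $_ -in $baseline -or $_ -eq $ssu })

    if ($hasOob) {
        $action = 'None: KB5015020 is installed and contains the KB5013942 changes.'
    } elseif ($hasMayCu) {
        $action = 'Install KB5015020 manually from the Microsoft Update Catalog.'
    } elseif ($prereqMet) {
        $action = 'Prerequisite met: deploy KB5013942, or KB5015020 manually instead.'
    } else {
        $action = 'Install SSU KB5005260 first, then the cumulative update.'
    }

    [pscustomobject]@{
        PrerequisiteMet = $prereqMet
        # A domain controller on KB5013942 without KB5015020 may hit the
        # machine-account authentication failures described in the article.
        AuthIssueRisk   = ($IsDomainController -and $hasMayCu -and -not $hasOob)
        Action          = $action
    }
}

# Constructed sample inventory: a domain controller patched on 10 May, no OOB fix yet.
Get-Kb5013942Plan -InstalledKb 'KB5003173', 'KB5012599', 'KB5013942' -IsDomainController $true

# Live check. Get-HotFix reads Win32_QuickFixEngineering; ProductType 2 = domain controller.
$isDc = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2
Get-Kb5013942Plan -InstalledKb (Get-HotFix).HotFixID -IsDomainController $isDc
```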

How can I install KB5013942 on Windows Server 20H2 Server Core Installation?

KB5013942 is available for deployment on Windows Server 20H2 Server Core through all the regular update channels.

  • KB5013942 can be applied automatically using the Windows Update process.
  • KB5013942 can be applied automatically using the Microsoft Update for Business.
  • WSUS can also be used to import and install KB5013942 on Windows Server 20H2 Server Core Installation.
  • KB5013942 can be deployed manually through the Microsoft Update Catalog. You can download the MSU update files for x64 and ARM64 systems from the catalog page for KB5013942. The x64 update file has a size of 666.5 MB and the ARM64 update file for KB5013942 is 696.8 MB.

Summary

KB5013942 is the cumulative update for Windows Server 20H2 Server Core. It resolves the CVE-2022-26925 and CVE-2022-22713 vulnerabilities. You need to be aware of the prerequisite: SSU KB5005260 or a cumulative update from May 2021 or later months needs to be on the Windows Server 20H2 Server Core installation.
