KB5014001 Security Update for Windows Server 2012 R2 – May 10 Update

KB5014001 is the security-only update for Windows Server 2012 R2 that has been released on the 10th of May 2022. The update resolves two zero-day vulnerabilities on Windows Server 2012 R2. It also follows up on security changes that were implemented as part of the April month’s security-only update. We review the key aspects of the KB5014001 security-only update below.

Salient points about KB5014001 update for Windows Server 2012 R2

  • Security update KB5014001 is not cumulative.
  • Before deploying KB5014001 on Windows Server 2012 R2, all the previous security updates for Windows Server 2012 R2 should have been implemented on the server.
  • Two zero-day vulnerabilities impact the Windows Server 2012 R2. One of these vulnerabilities, CVE-2022-26923 affects the Active Directory Domain Services. It requires emergency mitigation efforts to protect the server environment.
  • Servicing Stack Update KB5014025 needs to be deployed prior to installing KB5014001 on Windows Server 2012 R2.
  • Cumulative update for Internet Explorer, KB5011486 also needs to be on the Windows Server 2012 R2 before KB5014001 is implemented.
  • The MSU update file for KB5014001 has a size of 83.3 MB. It is a quick fix for the security vulnerabilities for the month of May.

KB5012639 is the security only update for Windows Server 2012 R2 for April 2022. You can read more about it on this page for KB5012639.

KB5014001 – Zero-day Vulnerabilities on Windows Server 2012 R2

There have been 75 vulnerability disclosures in the monthly security reports provided by Microsoft. Out of these, 3 vulnerabilities are Zero-day threats. One of these Zero-day threats affects Windows Server 2012 R2. We list these vulnerabilities below for your ready reference:

CVE-2022-26925 – LSA Spoofing – This is a CVSS 8.1 score vulnerability. It can be used together with the NTLM Relay attacks to access Windows Server 2012 R2 and launch attacks on the server. The PetitPotam vulnerability can be used alongside CVE-2022-26925 to cause attacks on Windows Server 2012 R2. The combined vulnerability of CVE-2022-26925 and PetitPotam is a combined CVSS score of 9.8. This assumes critical significance for the affected or exploited Windows Server 2012 R2. The details of CVE-2022-26925 are mentioned below:

  • An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows them.
  • NTLM relay attacks on the domain controllers could be used in conjunction with CVE-2022-26925. You must take mitigation steps mentioned in the security update KB5005413 to enable Extended Protection for Authentication on the domain controllers, including the domain controllers based on Windows Server 2022. The NTLM relay attacks are part of the PetiiPotam vulnerability on the Windows servers and domain controllers.
  • Since this is a man-in-the-middle (MITM) attack, the attack complexity is complex and it is rated as AC: H.

This threat is patched as part of the KB5014001 security-only update. Apply the update on domain controllers as a matter of immediate and critical significance.

There is another threat that affects Windows Server 2012 R2 that ought to be given adequate attention.

CVE-2022-26923 – Active Directory Domain Services

CVE-2022-26923 is a CVSS 8.8 vulnerability that does not have any solution as of now. As an administrator, you can only take mitigating efforts.

An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. The only mitigating recommendation, for now, is to turn off the Active Directory Certificate Services on the domain.

We expect CVE-2022-26923 to be exploited in the next few days and weeks. We also expect a patch to resolve this vulnerability. For now, we suggest applying the mitigation suggested.

Prerequisites for installing KB5014001 on Windows Server 2012 R2

The following prerequisites are to be followed before deploying KB5014001 on Windows Server 2012 R2:

  • All the previous security updates need to be deployed on Windows Server 2012 R2 before deploying the KB5014001 update.
  • Servicing Stack Update KB5014025 needs to be deployed prior to installing KB5014001 on Windows Server 2012 R2. KB5014025 can be downloaded from the Microsoft Update Catalog page here. The update file has a size of 10.4 MB.
  • The cumulative update for Internet Explorer KB5011486 also needs to be deployed prior to installing KB5014001 on Windows Server 2012 R2. You can download KB5011486 from this Microsoft Update catalog page. The size of the update file is 55 MB.

Once you have deployed the latest SSU and Internet Explorer patch, KB5014001 can be deployed on Windows Server 2012 R2.

How can I get the KB5014001 security update for Windows Server 2012 R2?

Windows Server 2012 R2 is end of mainstream support. It cannot be patched automatically. Therefore, you can only apply the patch manually.

  • You can import the KB5014001 security update for Windows Server 2012 R2 through WSUS or the Windows Server Update Service.
  • KB5014001 can also be installed manually through the Microsoft Update Catalog. The security patch of 83.3 MB size can be downloaded from the KB5014001 page of the Microsoft Update Catalog here.

Patching the Windows Server 2012 R2 may result in a server reboot. Please plan your patch deployment accordingly.

Summary

KB5014001 is a security-only update for Windows Server 2012 R2. There is a zero-day threat that can cause significant risks to the Windows Server 2012 R2. And, the vulnerability that affects Active Directory Domain Services requires immediate mitigation efforts. KB5014001 can be deployed after you have deployed the SSU KB5014025 and the Internet Explorer cumulative update KB5011486. Keep a watch on CVE-2022-26923 for Windows Server 2012 R2 for any potential resolution.

You may like to read the following content related to Windows Updates for the month of May 2022: