KB5014011 Monthly Rollup Update for Windows Server 2012 R2 – May 10, 2022

KB5014011 is the monthly rollup for Windows Server 2012 R2. It was released as part of Microsoft’s ‘Patch Tuesday’ program. KB5014011 contains security changes and performance improvements for Windows Server 2012 R2. Since Windows Server 2012 R2 is at the end of mainstream support, it is preferable that we patch it with the monthly rollup update. We look at the key aspects of the KB5014011 monthly rollup for Windows Server 2012 R2.

Salient points about KB5014011 for Windows Server 2012 R2

  • KB5014011 is a monthly rollup update for May 2022.
  • KB5014011 contains all the security changes that are part of KB5014001 for Windows Server 2012 R2.
  • KB5014011 supersedes or replaces KB5012670. KB5012670 is the monthly rollup update for Windows Server 2012 R2 for April 2022.
  • Zero-day vulnerability, CVE-2022-26925 affects Windows Server 2012 R2.
  • CVE-2022-26923 also impacts Windows Server 2012 R2. It affects Active Directory Domain Services and has a CVSS rating of 8.8.
  • SSU KB5014025 needs to be deployed on Windows Server 2012 R2 before deploying KB5014011.
  • The size of the MSU update file of KB5014011 is 560.7 MB.
  • Microsoft released an out-of-band update KB5014986 on 19th May 2022. This OOB update fixes an issue on the domain controllers that are patched with KB5014011. More details of the OOB update KB5014986 can be found below.

Since the server may reboot as part of the Windows update process, it would be suggested to schedule a maintenance window for patching Windows Server 2012 R2 with KB5014011.

KB5014986 – Out of Band Update for Windows Server 2012 R2

Microsoft had acknowledged an issue with the latest updates released in May 2022. Windows Server 2012 R2 Domain controllers that have been patched with the monthly rollup updates or security-only updates for May 2022 may experience authentication issues. To fix these authentication failures, you will need to patch with the emergency out-of-band updates. The important points about the out of band updates are given below:

  • KB5014986 is a standalone update for Windows Server 2012 R2.
  • You need to deploy it after deploying the monthly rollup update, KB5014011 for Windows Server 2012 R2.
  • If you have deployed a security-only update on Windows Server 2012 R2, you will need to install the OOB update KB5014986 to resolve the issues with domain controller authentication with clients.
  • KB5014986 is unavailable for automatic patching.
  • You can only apply it manually. And, it can be downloaded from the Microsoft Update Catalog page for KB5014986.
  • The size of the MSU update file for KB5014986 is 83.3 MB.

The most important point to note is that whether you have patched Windows Server 2012 R2 with security update or a monthly rollup update, you will need to deploy KB5014986 on top of the server to resolve the issues affecting the domain controllers.

KB5012670 is the monthly rollup update for Windows Server 2012 R2 for April. You can read more about the KB5012670 on this page.

KB5014011 – Zero-day vulnerability on Windows Server 2012 R2

There have been 75 vulnerability disclosures by Microsoft as part of the May month security update. Out of these, 3 zero-day vulnerabilities have been shared by Microsoft. CVE-2022-26925 is the zero-day vulnerability that impacts Windows Server 2012 R2. KB5014011 applies a fix for the zero-day vulnerability disclosed by Microsoft. This vulnerability affects Windows Server 2012 R2.

CVE-2022-26925 – Windows LSA Spoofing Vulnerability

This zero-day vulnerability is publicly known and exploitation attempts have already been calibrated. It is a CVSS 8.1 vulnerability that involves LSA spoofing. However, it can be combined with the NTLM Relay attacks or the PetitPotam vulnerability to cause damaging attacks on the server. If we were to see PetitPotam and LSA spoofing vulnerability in combination, the combined CVSS rating of the vulnerability would be 9.8. This emphasizes the nature of LSA spoofing vulnerability.

  • An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows them.
  • NTLM relay attacks on the domain controllers could be used in conjunction with CVE-2022-26925. You must take mitigation steps mentioned in the security update KB5005413 to enable Extended Protection for Authentication on the domain controllers, including the domain controllers based on Windows Server 2012. The NTLM relay attacks are part of the PetiiPotam vulnerability on the Windows servers and domain controllers.
  • Since this is a man-in-the-middle (MITM) attack, the attack complexity is complex and it is rated as AC: H.

Thankfully, the fix for CVE-2022-26925 has been applied in KB5014001 and KB5014011. It is strongly suggested that the domain controllers must be patched with KB5014001 or KB5014011 on an immediate basis. If you prefer installing the monthly rollup for Windows Server 2012 R2, you can install KB5014011 in lieu. That would take care of the fix for CVE-2022-26925.

Microsoft has, however, acknowledged an issue that may arise on domain controllers that have been patched with KB5014011. The issue, actually, can arise on any domain controller that is patched with May month updates for resolving CVE-2022-26925.

After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller.

CISA has issued a clarification in regard of the issues arising out of patching domain controllers with a fix for CVE-2022-26925. You can read more about it on the CISA site. This leaves administrators in a fix. Whether the domain controllers should be patches with May updates or not. We suggest adding the patch on the server. If you run into authentication issues that affect the business side of things, you may uninstall the patch. CVE-2022-26925 is a critical vulnerability. It may not be a good idea to leave it unattended.

CVE-2022-26923 – Active Directory Domain Services

CVE-2022-26923 is a CVSS 8.8 vulnerability that does not have any solution as of now. As an administrator, you can only take mitigating efforts.

An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. The only mitigating recommendation, for now, is to turn off the Active Directory Certificate Services on the domain.

We expect CVE-2022-26923 to be exploited in the next few days and weeks. We also expect a patch to resolve this vulnerability. For now, we suggest applying the mitigation suggested.

Prerequisites for installing KB5014011 on Windows Server 2012 R2

KB5014011 is a monthly rollup update that supersedes KB5012670 update for Windows Server 2012 R2. It contains all the changes that are a part of security-only update KB5014001 for Windows Server 2012 R2. Before you can deploy KB5014011 on Windows Server 2012 R2, you will need to install KB5014025 Servicing Stack Update on Windows Server 2012 R2. KB5014025 is the latest SSU for Windows Server 2012 R2. It was released on the 10th of May 2022.

If you use Windows Update for installing KB5014011 on Windows Server 2012 R2, SSU KB5014025 will be offered as part of the update process. If you prefer to deploy KB5014011 manually, you will need to download and deploy KB5014025 from the Microsoft Update Catalog.

You can download KB5014025 for Windows Server 2012 R2 from this catalog page. The size of the MSU update file is 10.4 MB.

How can I install KB5014011 on Windows Server 2012 R2?

KB5014011 monthly rollup update for Windows Server 2012 R2 can be patched through all the regular methods of Windows Update process.

  • KB5014011 can be applied automatically using the Windows Update program.
  • WSUS or the Windows Server Update Service can be used to automatically import and deploy KB5014011 on Windows Server 2012 R2.
  • KB5014011 can be deployed manually using Microsoft Update Catalog. You can download KB5014011 from the Microsoft Update Catalog page here. The size of the MSU update file for KB5014011 is 560.7 MB.

The server may restart as part of the update process. If you run into any issues, you can uninstall KB5014011 from the Windows Server 2012 R2.

Summary

KB5014011 is the monthly rollup update for Windows Server 2012 R2. It supersedes KB5012670 monthly rollup update for the month of April. CVE-2022-26925 and CVE-2022-26923 are the two vulnerabilities that need to be paid attention to. SSU KB5014025 will need to be deployed prior to installing KB5014011 on Windows Server 2012 R2.

You may like to read more about the May month security and cumulative updates for Windows: