Microsoft released the monthly rollup update for Windows Server 2012 on May 10, 2022. The update forms a part of the ‘Patch Tuesday’ updates for the month of May. KB5014017 also contains all the changes that are a part of the KB5014018 security-only update for Windows Server 2012. We look at the key aspects of the KB5014017 monthly rollup update.
Salient points about KB5014017 monthly rollup update for Windows Server 2012
- KB5014017 is the monthly rollup update for May 2022. It supersedes April's rollup update, KB5012650, for Windows Server 2012.
- KB5014017 contains all security updates that are part of KB5014018.
- KB5014017 also contains performance improvements for Windows Server 2012.
- One zero-day vulnerability affects Windows Server 2012. It is an LSA spoofing vulnerability tracked as CVE-2022-26925.
- The size of the MSU update file for KB5014017 is 406.8 MB. The MSU update file for the security-only update KB5014018 is 67.5 MB in size.
- Servicing Stack Update KB5014027 needs to be deployed on Windows Server 2012 before you can deploy KB5014017.
- Microsoft released an out-of-band emergency update for Windows Server 2012 on May 19, 2022. This OOB update for Windows Server 2012 is called KB5014991. More details about the out-of-band update KB5014991 can be found below.
You can read more about April's monthly rollup update for Windows Server 2012 on the page for KB5012650.
KB5014991 – Out of Band Update for Windows Server 2012
OOB update KB5014991 fixes authentication issues on Windows Server 2012. These issues appeared on Windows domain controllers after the May updates were deployed. Note that the issue affects domain controllers only, so the OOB update should be applied only to the affected domain controllers.
Salient points of the out of band update KB5014991 are given below:
- KB5014991 is a standalone update for Windows Server 2012.
- This update, KB5014991, fixes authentication issues caused on Windows domain controllers patched with KB5014017.
- If you have patched Windows Server 2012 with a monthly rollup update or security update released in May, you will need to deploy KB5014991 to resolve the patch-related authentication issues.
- KB5014991 cannot be deployed using Windows Update, Microsoft Update for Business, or WSUS. You will need to deploy it manually. Before deploying it manually, please make sure that your server has KB5014017 or KB5014018.
- You can download KB5014991 from the Microsoft Update Catalog page for KB5014991.
- The size of the update file for KB5014991 is 67.9 MB for Windows Server 2012 x64 edition.
KB5014017 – Zero-day vulnerabilities on Windows Server 2012
Microsoft shared a list of 75 vulnerabilities as part of the May security updates. Of these, 3 are zero-day vulnerabilities. Windows Server 2012 is affected by a single zero-day vulnerability. Apart from that, the Active Directory Domain Service vulnerability does not impact Windows Server 2012.
We discuss the zero-day threat below.
CVE-2022-26925 – Windows LSA Spoofing Vulnerability
This zero-day vulnerability is publicly known and exploitation attempts have already been detected. It is a CVSS 8.1 vulnerability that involves LSA spoofing, and it can be combined with NTLM relay attacks or the PetitPotam vulnerability to mount damaging attacks on the server. If PetitPotam and the LSA spoofing vulnerability are chained, the combined CVSS rating would be 9.8. This underlines how serious the LSA spoofing vulnerability is.
- An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows them.
- NTLM relay attacks on the domain controllers could be used in conjunction with CVE-2022-26925. You must take the mitigation steps mentioned in the security update KB5005413 to enable Extended Protection for Authentication on the domain controllers, including the domain controllers based on Windows Server 2012. The NTLM relay attacks are part of the PetitPotam vulnerability on Windows servers and domain controllers.
- Since this is a man-in-the-middle (MITM) attack, the attack complexity is high and it is rated as AC:H.
Thankfully, the fix for CVE-2022-26925 is included in KB5014018 and KB5014017. Domain controllers should be patched with KB5014018 or KB5014017 immediately. If you prefer the monthly rollup for Windows Server 2012, you can install KB5014017 instead of the security-only update. That would take care of the fix for CVE-2022-26925.
It may be pertinent to mention over here that the critical vulnerability, CVE-2022-26923, affecting Active Directory Domain Services is not applicable to Windows Server 2012. CVE-2022-26923 is applicable to Windows Server 2012 R2 and Windows Server 2012 R2 (Server Core Installation).
Prerequisites for installing KB5014017 on Windows Server 2012
KB5014017 can be deployed on a Windows Server 2012 system that has already been patched with the latest Servicing Stack Update, KB5014027. KB5014027 was released on 10th May.
If you are applying KB5014017 through Windows Update, the SSU KB5014027 will be installed prior to installing KB5014017. If you intend to patch Windows Server 2012 manually through the Microsoft Update Catalog, please download and install KB5014027 on Windows Server 2012 first.
You can download KB5014027 from the Microsoft Update Catalog page. The MSU update file has a size of 9.7 MB.
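The install order described above (SSU first, then the rollup or security-only update, then the OOB update on domain controllers only) can be checked per server before a maintenance window. The PowerShell below is an added example, not Microsoft's or this site's code; the function name Get-May2022PatchPlan and its output fields are hypothetical, and the KB numbers are the ones named in this article.

```powershell
# Added example. KB numbers are taken from this article; the function name
# and output fields are hypothetical. It only looks at the May 2022 KBs named
# here, so a server patched with a later rollup will still show as "missing".
function Get-May2022PatchPlan {
    param(
        [string[]]$InstalledKb,        # hotfix IDs, e.g. 'KB5014027'
        [bool]$IsDomainController
    )
    $hasSsu     = $InstalledKb -contains 'KB5014027'   # servicing stack update
    $hasRollup  = $InstalledKb -contains 'KB5014017'   # monthly rollup
    $hasSecOnly = $InstalledKb -contains 'KB5014018'   # security-only update
    $hasOob     = $InstalledKb -contains 'KB5014991'   # out-of-band auth fix
    $hasMayFix  = $hasRollup -or $hasSecOnly

    $next = if (-not $hasMayFix -and -not $hasSsu) {
        'Install SSU KB5014027 first'
    } elseif (-not $hasMayFix) {
        'Install KB5014017 (rollup) or KB5014018 (security-only)'
    } elseif ($IsDomainController -and -not $hasOob) {
        'Install OOB KB5014991 manually from the Microsoft Update Catalog'
    } else {
        'No action'
    }

    [pscustomobject]@{
        SsuPresent          = $hasSsu
        Cve202226925Patched = $hasMayFix
        OobNeeded           = ($IsDomainController -and $hasMayFix -and -not $hasOob)
        NextStep            = $next
    }
}

# Constructed sample: a domain controller with the SSU and rollup, no OOB fix.
Get-May2022PatchPlan -InstalledKb 'KB5014027','KB5014017' -IsDomainController $true

# Live check on the local server. DomainRole 4 or 5 means domain controller.
$installed = (Get-HotFix).HotFixID
$role      = (Get-CimInstance Win32_ComputerSystem).DomainRole
Get-May2022PatchPlan -InstalledKb $installed -IsDomainController ($role -ge 4)
```

Get-HotFix reads Win32_QuickFixEngineering, which can omit some updates, so treat a "missing" result as a prompt to confirm in the update history rather than as proof.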
How to install KB5014017 on Windows Server 2012?
KB5014017 is a monthly rollup update that is available through all the regular methods of Windows Update.
- KB5014017 can be automatically applied through Windows Update.
- KB5014017 can be applied through Microsoft Update for Business.
- WSUS or Windows Server Update Service can be utilized to patch Windows Server 2012 with KB5014017 monthly rollup update.
- You can download the MSU update file for KB5014017 from the Microsoft Update Catalog page. The update file has a size of 406.8 MB.
The server may restart as part of the update process. So, please plan for server maintenance windows for performing the monthly rollup update.
Summary
KB5014017 covers all the security and non-security changes for Windows Server 2012. All changes that form a part of KB5014018 are already a part of the KB5014017 update. KB5014017 should be deployed only after the SSU KB5014027 has been installed on Windows Server 2012. You may also want to check the details of the CVE-2022-26925 vulnerability that could lead to a critical impact on the infrastructure.
Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.