KB5014018 Security Update for Windows Server 2012

Security-only update for Windows Server 2012 has been released on the 10th of May 2022. The security update follows up with the previous month’s security update KB5012666. We look at the key aspects of the KB5014018 security-only update for the month of May.

You can read more about the KB5014741 security update for June 2022 for Windows Server 2022 on this page.

Salient points about KB5014018 for Windows Server 2012

  • KB5014018 is a security-only update. It is not cumulative. All the previous security-only updates need to be installed on the server before deploying KB5014018.
  • Windows Server 2012 is affected by a zero-day vulnerability, CVE-2022-26925. The fix has been provided by Microsoft as part of KB5014018.
  • Before deploying KB5014018 on Windows Server 2012, you need to ensure that the cumulative update for Internet Explorer, KB5011486, is already deployed.
  • Servicing Stack Update -KB5014027 needs to be installed prior to installing KB5014018.
  • Active Directory Certificate Services vulnerability, CVE-2022-26923, is not relevant to Windows Server 2012. It is applicable to Windows Server 2012 R2.
  • MSU update file for x64 systems for Windows Server 2012 has a size of 67.5 MB. This one is a quick fix for the security changes that are applicable to Windows Server 2012.

Domain controllers on Windows Server 2012 may report authentication issues after patching with the KB5014018 security update. This is a known issue, that has been acknowledged by Microsoft. On 19th May 2022, Microsoft released emergency out-of-band updates to fix the authentication issues on domain controllers. Details of the OOB update for Windows Server 2012 are shared below.

KB5014991 – Out of Band Update for Windows Server 2012

KB5014991 is an emergency Out of Band update for Windows Server 2012. This has been released on 19th May to resolve issues arising out of implementing KB5014018 on Windows Server 2012. Microsoft has given a brief issue summary as given below:

“After installing updates released May 10, 2022 on your Windows Server 2012 servers used as domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.” Microsoft’s issue summary.

KB5014991 is only available through the Microsoft Update catalog. You can download it from the Microsoft Update Catalog page for KB5014991. The important points about the emergency update KB5014991 are mentioned below:

  • KB5014991 is a standalone update. It is meant for Windows Server 2012.
  • Windows Server 2012 is running in the end of the mainstream support phase. It is currently in the extended support phase.
  • You will need to apply all the prior security updates on Windows Server 2012 before deploying KB5014991. This means that you need to install KB5014018 on Windows Server 2012 before you can deploy KB5014991.
  • The size of the MSU update file for KB5014991 is 67.5 MB only.

Domain Controller Authentication Issues – Out of Band Update

You can find April month’s security only update for Windows Server 2012 on the KB5012666 page.

KB5014018 – Zero-day Vulnerability on Windows Server 2012

Microsoft shared details of 75 vulnerabilities that affect different Windows operating systems. There have been three zero-day vulnerability disclosures as part of May month’s Patch Tuesday updates. Out of these 3 zero-day vulnerabilities, one vulnerability affects Windows Server 2012.

CVE-2022-26925 – Windows LSA Spoofing Vulnerability

This zero-day vulnerability is publicly known and exploitation attempts have already been calibrated. It is a CVSS 8.1 vulnerability that involves LSA spoofing. However, it can be combined with the NTLM Relay attacks or the PetitPotam vulnerability to cause damaging attacks on the server. If we were to see PetitPotam and LSA spoofing vulnerability in combination, the combined CVSS rating of the vulnerability would be 9.8. This emphasizes the nature of LSA spoofing vulnerability.

  • An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows them.
  • NTLM relay attacks on the domain controllers could be used in conjunction with CVE-2022-26925. You must take mitigation steps mentioned in the security update KB5005413 to enable Extended Protection for Authentication on the domain controllers, including the domain controllers based on Windows Server 2012. The NTLM relay attacks are part of the PetiiPotam vulnerability on the Windows servers and domain controllers.
  • Since this is a man-in-the-middle (MITM) attack, the attack complexity is complex and it is rated as AC: H.

Thankfully, the fix for CVE-2022-26925 has been applied in KB5014018. It is strongly suggested that the domain controllers must be patched with KB5014018 on an immediate basis. If you prefer installing the monthly rollup for Windows Server 2012, you can install KB5014017 in lieu. That would take care of the fix for CVE-2022-26925.

It may be pertinent to mention over here that the critical vulnerability, CVE-2022-26923, affecting Active Directory Domain Services is not applicable to Windows Server 2012. CVE-2022-26923 is applicable to Windows Server 2012 R2 and Windows Server 2012 R2 (Server Core Installation).

Prerequisites for installing KB5014018 on Windows Server 2012

There are a few prerequisite conditions for installing KB5014018 on Windows Server 2012.

  • You should have installed all the previous security-only updates on Windows Server 2012.
  • Servicing Stack Update KB5014027 needs to be deployed prior to deploying KB5014018 on Windows Server 2012. You can download it from the catalog page for KB5014027. SSU KB5014027 has been released on 10th May as well. The size of the MSU update file for KB5014027 is 9.7 MB.
  • Cumulative update for Internet Explorer should be installed before installing KB5014018. KB5011486 is the cumulative update for Internet Explorer. KB5011486 can be downloaded from the Microsoft Update Catalog page here. The size of the MSU update file is 46 MB.

How can I install KB5014018 on Windows Server 2012?

Windows Server 2012 is end of life mainstream support. Therefore, the updates are not available through automatic channels of Windows Update of Microsoft Update for Business. That leaves us with updating Windows Server 2012 with WSUS or Microsoft Update catalog.

  • KB5014018 can be applied through WSUS. However, you will need to manually import that security update through the Microsoft servers.
  • You can also download the MSU update file for KB5014018 from the Microsoft Update catalog. KB5014018 update file can be downloaded here. The size of the update file is 67.5 MB.

The server may reboot during the course of updating it with KB5014018. Please plan your maintenance activity accordingly.

Summary

KB5014018 is a security-only update for Windows Server 2012. You need to install the KB5014027 and KB5011486 updates on Windows Server 2012 before KB5014018 can be deployed. The security update assumes significance as it resolves the CVE-2022-26925 vulnerability involving LSA spoofing.

You may like to read additional content related to May updates from Microsoft in the related pages below: