KB5014746 Security Update for Windows Server 2012 R2

KB5014746 is the security only update for Windows Server 2012 R2 released on 14th June 2022. The security-only update covers you against the zero-day vulnerability and other significant vulnerabilities shared by Microsoft as part of June updates. We look at the key aspects of the KB5014746 security-only update for Windows Server 2012 R2. It may be pertinent to mention that KB5014001 ought to have been deployed on Windows Server 2012 R2 before you think about deploying KB5014746. Security-only updates are mutually exclusive. Therefore, you need to install each of these security updates for complete coverage on Windows Server 2012 R2 edition.

  1. Salient points about KB5014746 for Windows Server 2012 R2
  2. CVE-2022-30190 – Zero-day vulnerability on Windows Server 2012 R2
  3. KB5014746 – Other vulnerabilities on Windows Server 2012 R2
  4. KB5014746 – Prerequisites for installing KB5014746 on Windows Server 2012 R2
  5. How can I deploy KB5014746 on Windows Server 2012 R2?
  6. Summary

You can read more about July month’s security update for Windows Server 2012 R2, KB5015877, on this page.

Salient points about KB5014746 for Windows Server 2012 R2

  • KB5014746 is a security-only update. Before deploying it on Windows Server 2012 R2, you need to deploy all the previous security updates. The last security update for Windows Server 2012 R2, KB5014001, was released on 10th May.
  • KB5014986 is the out-of-band update that was released on the 19th of May. This OOB update resolves authentication issues on the Windows Server 2012 R2 domain controllers. The authentication issues were reported after the deployment of KB5014001 updates on Windows Server 2012 R2. If you have patched your server with KB5014986, no further action is needed. If you have deployed KB5014001 but you have not deployed KB5014986, you can still go ahead and install the KB5014746 security-only update.
  • Zero-day vulnerability on the Windows MSDT, CVE-2022-30190, affects Windows Server 2012 R2. The threat is resolved in KB5014746.
  • SSU KB5014025 needs to be deployed on Windows Server 2012 R2 before installing KB5014746.
  • You need to be wary of certificate authentication issues if the order of pushing June updates is not correct.
  • June update, KB5014746, is likely to break the Wi-Fi hotspot function post-deployment. Host devices making use of the Wi-Fi hotspot will be unable to make use of the Internet.
  • Windows Server 2012 R2 is in extended support plan. Automatic deployment of KB5014746 is not possible.

You can read more about KB5014001 May security update for Windows Server 2012 R2 on this page.

CVE-2022-30190 – Zero-day vulnerability on Windows Server 2012 R2

CVE-2012-30190 is a zero-day vulnerability on Windows Server 2012 R2. The vulnerability is publicly disclosed and is being exploited as well. The vulnerability resides in Microsoft Windows Support Diagnostic Tool (MSDT). It could lead to a ‘Remote Code Execution’ threat. The threat emerges when the MSDT is called over a URL protocol by any calling application like Word. It could cause the attacker to assume access to the target machine locally. With complete local access, the attacker could deploy any code and cause arbitrary code execution.

This threat is resolved in KB5014746 for Windows Server 2012 R2. Alternatively, you can mitigate the risk by disabling the MSDT as per instructions in this Microsoft blog entry.

KB5014746 – Other vulnerabilities on Windows Server 2012 R2

There are a few other threats on Windows Server 2012 R2. You may want to have a high-level view of these threats below.

CVE-2022-30136 – Windows Network File System

CVE-2022-30136 is a critical vulnerability with a CVSS score of 9.8. It affects Windows Server 2012 R2. This threat is more likely to be exploited by an attacker over the network. An attacker could send malicious calls to the Network File System. The vulnerability resides in Network File System version 4.1. NFS 2 and NFS 3 are not affected by this vulnerability.

As part of mitigation, you could disable NFS version 4.1. This could have a potential fallout on your network and the services running therein. Or, you could deploy KB5014746 on Windows Server 2012 R2 to resolve this issue.

CVE-2022-30163 – Windows Hyper V

CVE-2022-30163 is a critical vulnerability on Windows Hyper V that could lead to ‘Remote Code Execution’. The attacker could access the Hyper V operating system. Since this is a low level access, the attacker could alter the scope and deploy or execute malicious code on the operating system. The attack complexity for CVE-2022-30163 is complex and is rated AC: H.

This threat is patched in KB5014746 for Windows Server 2012 R2.

KB5014746 – Prerequisites for installing KB5014746 on Windows Server 2012 R2

There are a few prerequisites for installing KB5014746 on Windows Server 2012 R2.

  • SSU KB5014025 needs to be deployed on Windows Server 2012 R2 before deploying KB5014746. You can download it from the Microsoft Update Catalog page for KB5014025. The size of the update file is 10.4 MB.
  • Cumulative update KB5011486 for Internet Explorer needs to be deployed on Windows Server 2012 R2 prior to installing KB5014746. You can download KB5011486 from this page on Microsoft Update Catalog for KB5011486. The size of the update file is 55 MB.
  • Deploying the June updates on domain controllers before other servers could cause certificate authentication issues on the network. Therefore, Microsoft has specifically recommended to deploy KB5014746 on application servers that pass certificate authentication details on the network. Once the application servers are patched, you can deploy the security update on domain controllers.
  • An alternative approach to preventing certificate authentication issues on Windows Server 2012 R2 has also been shared by Microsoft. You will need to use the registry editor. Launch the registry editor and create an entry under CertificateMappingMethods to 0x1F. Now, deploy the KB5014746 on Windows Server 2012 R2. Once successfully deployed, you can remove the entry for CertificateMappingMethods through the Microsoft registry editor.

How can I deploy KB5014746 on Windows Server 2012 R2?

Windows Server 2012 R2 runs in extended support plan. Therefore, it cannot be updated using the Windows Update program or the Microsoft Update for Business program.

You could import the KB5014746 into WSUS manually. You will need to ensure that the extended support plan coverage has been updated in your account details.

You can also download the KB5014746 security update through Microsoft Update Catalog page for KB5014746. The size of the update file is 39.8 MB.

Summary

KB5014746 is a security update for Windows Server 2012 R2. It seeks to provide security and non-security improvements for Windows Server 2012 R2. You will need to deploy all the previous security updates before deploying KB5014746 on Windows Server 2012 R2. In terms of dependencies, the KB5014025 and KB5011486 updates ought to be deployed on Windows Server 2012 R2 before installing the KB5014746 security update.

You may also like to read more content related to June ‘Patch Tuesday’ updates from Microsoft below: