KB5020003 Security Update for Windows Server 2012

KB5020003 is the security-only update for Windows Server 2012. It addresses security vulnerabilities and other issues on Windows Server 2012. We look at KB5020003 in detail below.

Salient points about KB5020003 for Windows Server 2012

  • KB5020003 is applicable for Windows Server 2012 and Windows Server 2012 Server Core Installation.
  • KB5020003 is a standalone (security-only) update. This means that all previous security updates must already be deployed on Windows Server 2012 for full security coverage against threats and malicious software.
  • The last security-only update for Windows Server 2012 was released in October 2022. KB5018478 is the security-only update that precedes KB5020003. You can read more about KB5018478 on this page.
  • Since changes contained in the security-only update KB5020003 are part of the monthly rollup update KB5020009, we strongly recommend installing the monthly rollup update on Windows Server 2012 and Windows Server 2012 Server Core Installation.
  • The Servicing Stack Update (SSU) KB5016263 needs to be deployed on Windows Server 2012 before installing KB5020003.
  • Internet Explorer’s latest cumulative update KB5019958 also needs to be installed on Windows Server 2012 if you choose to install the security-only update KB5020003 on the server. If you choose to deploy the monthly rollup update instead, the IE cumulative update is built into the KB5020009 monthly rollup update.
  • Three zero-day vulnerabilities affect Windows Server 2012. These are patched in this month’s security update. Details are shared in the zero-day vulnerability section below.
  • A total of 23 vulnerabilities have been disclosed for Windows Server 2012 in the November security bulletin. Out of these, 5 carry a ‘CRITICAL’ severity level for the server. Details of the ‘CRITICAL’ severity vulnerabilities are shared below.
  • Standalone security updates are small in size. The KB5020003 update file is 34.7 MB in size.

Vulnerabilities on Windows Server 2012 – KB5020003

There are 23 vulnerabilities that affect Windows Server 2012. Out of these, there are 5 vulnerabilities that carry ‘CRITICAL’ severity level ratings. We have listed these below for your ready reference.

| Vulnerability | Severity | CVSS Score | Impact | Summary |
|---|---|---|---|---|
| CVE-2022-41039 | CRITICAL | 8.1 | Remote Code Execution | The vulnerability affects Windows Point-to-Point Tunneling Protocol. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. |
| CVE-2022-41088 | CRITICAL | 8.1 | Remote Code Execution | The vulnerability affects Windows Point-to-Point Tunneling Protocol. To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. |
| CVE-2022-37966 | CRITICAL | 8.1 | Elevation of Privileges | This vulnerability affects Windows Kerberos RC4-HMAC. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that leverages cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment. |
| CVE-2022-37967 | CRITICAL | 7.2 | Elevation of Privileges | This vulnerability affects Windows Kerberos. An authenticated attacker could leverage cryptographic protocol vulnerabilities in Windows Kerberos. If the attacker gains control of a service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges. Aside from patching, please follow the instructions in the KB5020805 document for full security. |
| CVE-2022-41128 | CRITICAL | 8.8 | Remote Code Execution | The vulnerability affects Windows Scripting Languages, specifically the JScript9 scripting language. Exploitation requires that a user with an affected version of Windows access a malicious server. |

Zero-day Vulnerabilities on Windows Server 2012 – KB5020003

There are three zero-day threats on Windows Server 2012. The details of these vulnerabilities are mentioned below:

| Vulnerability | CVSS | Impact | Summary |
|---|---|---|---|
| CVE-2022-41073 | 7.8 | Elevation of Privileges | This vulnerability affects Windows Print Spooler. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. |
| CVE-2022-41125 | 7.8 | Elevation of Privileges | This vulnerability affects Windows CNG Key Isolation Service. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. |
| CVE-2022-41128 | 8.8 | Remote Code Execution | The vulnerability affects Windows Scripting Languages, specifically the JScript9 scripting language. Exploitation requires that a user with an affected version of Windows access a malicious server. |

Install KB5020003 on Windows Server 2012

KB5020003 can be installed on Windows Server 2012 through WSUS or through an offline installer file.

For WSUS (Windows Server Update Services), you will need to configure the product and classification as below:

  • Product: Windows Server 2012, Windows Embedded 8 Standard
  • Classification: Security Update

You can also install KB5020003 through an offline installer file. This offline installer file can be downloaded from the Microsoft Catalog page for KB5020003.

Note that KB5020003 requires the KB5016263 Servicing Stack Update and the KB5019958 Internet Explorer Cumulative Update for full security protection on the server. The direct download links for these updates are shared below for ready reference.

| Download Update | Size of the Update |
|---|---|
| Download KB5020003 for Windows Server 2012 | 34.7 MB |
| Download KB5016263 for Windows Server 2012 | 9.8 MB |
| Download KB5019958 for Windows Server 2012 | 46 MB |
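The following PowerShell script is an added example (not part of the original article or of Microsoft's documentation) that applies the downloaded .msu files in the required order: SSU KB5016263, IE cumulative update KB5019958, then KB5020003, skipping anything already installed and stopping if a prerequisite is missing or a reboot is pending. The folder C:\Patches is an assumed location for the files downloaded from the Microsoft Update Catalog.

```powershell
# Added example, not from the original article or from Microsoft.
# Installs the prerequisite SSU and IE cumulative update before the
# security-only update, in that order, from offline .msu files.
$PatchDir = 'C:\Patches'   # hypothetical folder holding the downloaded .msu files

# Order matters: SSU first, then the IE cumulative update, then KB5020003.
$Required = @(
    @{ KB = 'KB5016263'; Role = 'Servicing Stack Update (prerequisite)' },
    @{ KB = 'KB5019958'; Role = 'Internet Explorer cumulative update (prerequisite)' },
    @{ KB = 'KB5020003'; Role = 'Security-only update' }
)

# HotFixID values look like "KB5016263", so they can be compared directly.
$Installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($Item in $Required) {
    if ($Installed -contains $Item.KB) {
        Write-Host "$($Item.KB) already installed ($($Item.Role))"
        continue
    }
    $Msu = Get-ChildItem -Path $PatchDir -Filter "*$($Item.KB)*.msu" -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $Msu) {
        Write-Warning "$($Item.KB) is not installed and no .msu for it was found in $PatchDir. Stopping: later updates depend on it."
        break
    }
    Write-Host "Installing $($Item.KB) ($($Item.Role)) from $($Msu.FullName)"
    $Proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "`"$($Msu.FullName)`" /quiet /norestart" -Wait -PassThru
    # wusa.exe returns 0 on success and 3010 when a reboot is required;
    # a reboot pending after the SSU must be completed before the next update.
    if ($Proc.ExitCode -eq 0) {
        Write-Host "$($Item.KB) installed"
    } elseif ($Proc.ExitCode -eq 3010) {
        Write-Host "$($Item.KB) installed; reboot required before installing the next update"
        break
    } else {
        Write-Warning "$($Item.KB) failed with exit code $($Proc.ExitCode); not continuing"
        break
    }
}
```

Run it from an elevated PowerShell session, reboot when told to, and run it again until all three updates report as installed.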

Issues fixed and improvements in KB5020003 for Windows Server 2012

KB5020003 includes the following fixes and improvements for Windows Server 2012:

  • Updates the daylight-saving time (DST) for Jordan to prevent moving the clock back 1 hour on October 28, 2022. Additionally, changes the display name of Jordan standard time from “(UTC+02:00) Amman” to “(UTC+03:00) Amman”.
  • Addresses an issue where, after installing the January 11, 2022 or later update, the Forest Trust creation process fails to populate the DNS name suffixes into the trust information attributes.
  • Addresses security vulnerabilities in the Kerberos and Netlogon protocols as outlined in CVE-2022-38023, CVE-2022-37966, and CVE-2022-37967. For deployment guidance, see the following articles:
    • KB5020805: How to manage the Kerberos protocol changes related to CVE-2022-37967
    • KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023
    • KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966

For more details about KB5020003, you may refer to Microsoft release notes for KB5020003.

The domain join issue continues to affect Windows Server 2012. If you install KB5020003 on the server, the netjoin issue will affect the server’s ability to join domains. Here is the problem description Microsoft has shared:

After this update or a later Windows update is installed, domain join operations might be unsuccessful and error “0xaac (2732): NERR_AccountReuseBlockedByPolicy” occurs. Additionally, text stating “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy” might be displayed.

While Microsoft works on a full solution in a later Windows update, it has published a workaround in document KB5020276 as a temporary fix for domain join issues on the server.