KB5020009 Monthly Rollup Update for Windows Server 2012

KB5020009 is the latest monthly rollup update for Windows Server 2012. It was released on November 8, 2022 as part of Microsoft's ‘Patch Tuesday’ release. KB5020009 supersedes the KB5018457 monthly rollup update for Windows Server 2012. We look at the key aspects of KB5020009 below.

Salient points about KB5020009 for Windows Server 2012

  • KB5020009 is the latest monthly rollup update for Windows Server 2012 and it is cumulative in nature. It contains all the changes from previous monthly rollup updates for Windows Server 2012 and Windows Server 2012 Server Core Installation.
  • KB5020009 contains all changes that are part of the security-only update KB5020003 released in November 2022.
  • KB5020009 can be applied to Windows Server 2012 and Windows Server 2012 Server Core Installation.
  • Servicing Stack Update KB5016263 needs to be deployed prior to installing KB5020009 on Windows Server 2012.
  • There are three zero-day threats that affect Windows Server 2012. These vulnerabilities are tracked under CVE-2022-41073, CVE-2022-41125, and CVE-2022-41128. Details are shared in the vulnerability section below.
  • Windows Server 2012 is affected by 23 vulnerabilities that have ‘CRITICAL’ or ‘IMPORTANT’ severity levels. Out of these, 5 vulnerabilities have ‘CRITICAL’ severity.
  • Language packs, if needed, should be deployed on the server prior to deploying KB5020009. If you install a language pack after installing KB5020009, you will have to re-install the KB5020009 monthly rollup update on Windows Server 2012.
  • KB5020009 supersedes the October monthly rollup update KB5018457. You can read more about KB5018457 on this page.

Vulnerabilities affecting Windows Server 2012 – KB5020009

There are 23 vulnerabilities that affect Windows Server 2012. Out of these, there are 5 vulnerabilities that carry ‘CRITICAL’ severity level ratings. We have listed these below for your ready reference.

| Vulnerability | Severity | CVSS Score | Impact | Summary |
|---|---|---|---|---|
| CVE-2022-41039 | CRITICAL | 8.1 | Remote Code Execution | The vulnerability affects Windows Point-to-Point Tunneling Protocol. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. |
| CVE-2022-41088 | CRITICAL | 8.1 | Remote Code Execution | The vulnerability affects Windows Point-to-Point Tunneling Protocol. To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. |
| CVE-2022-37966 | CRITICAL | 8.1 | Elevation of Privileges | This vulnerability affects Windows Kerberos RC4-HMAC. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment. |
| CVE-2022-37967 | CRITICAL | 7.2 | Elevation of Privileges | This vulnerability affects Windows Kerberos. An authenticated attacker could leverage cryptographic protocol vulnerabilities in Windows Kerberos. If the attacker gains control on the service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges. Aside from patching, please follow the instructions in KB5020805 document for full security. |
| CVE-2022-41128 | CRITICAL | 8.8 | Remote Code Execution | The vulnerability affects Windows Scripting Languages. This vulnerability impacts the JScript9 scripting language. This vulnerability requires that a user with an affected version of Windows access a malicious server. |

Zero-day vulnerabilities on Windows Server 2012 – KB5020009

The following zero-day threats have been exploited in the recent past or are being actively exploited.

| Vulnerability | CVSS | Impact | Summary |
|---|---|---|---|
| CVE-2022-41073 | 7.8 | Elevation of Privileges | This vulnerability affects Windows Print Spooler. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. |
| CVE-2022-41125 | 7.8 | Elevation of Privileges | This vulnerability affects Windows CNG Key Isolation Service. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. |
| CVE-2022-41128 | 8.8 | Remote Code Execution | The vulnerability affects Windows Scripting Languages. This vulnerability impacts the JScript9 scripting language. This vulnerability requires that a user with an affected version of Windows access a malicious server. |

Deployment of KB5020009 on Windows Server 2012

KB5020009 is a cumulative update. It can be deployed in an automated way or through manual deployment.

For automated patching of KB5020009, you may use either of the following methods:

  • Windows Update
  • WSUS (Windows Server Update Services)

In both cases, you will get the Servicing Stack Update KB5016263 before KB5020009 is offered for automated deployment.

For manual deployment of KB5020009, you can download the MSU update file or offline installer file from the Microsoft Update Catalog page for KB5020009. For ready reference, the direct download links for the MSU update files are shared below.

However, before installing the MSU update file for KB5020009, you must install KB5016263 Servicing Stack Update on Windows Server 2012.

| Update Name | Size of the update |
|---|---|
| Download the Servicing Stack Update KB5016263 for Windows Server 2012 | 9.8 MB |
| Download the Monthly rollup update KB5020009 for Windows Server 2012 | 413.2 MB |
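
The manual sequence described above can be scripted so that the rollup is never attempted before the Servicing Stack Update succeeds. The following PowerShell is an added example, not part of the original article or of Microsoft's guidance. The two `.msu` paths are placeholders to be replaced with the files downloaded from the Microsoft Update Catalog, and the function names are hypothetical.

```powershell
# Added example: install SSU KB5016263 first, then rollup KB5020009.
# Run from an elevated PowerShell session on the Windows Server 2012 host.
# Both paths below are placeholders (assumption), not real file names.
param(
    [string]$SsuMsu    = 'C:\Patches\KB5016263-PLACEHOLDER.msu',
    [string]$RollupMsu = 'C:\Patches\KB5020009-PLACEHOLDER.msu'
)

function Test-KbInstalled {
    param([string]$KbId)
    # Get-HotFix raises an error for an unknown id; treat that as "not installed".
    [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Install-Msu {
    param([string]$Path, [string]$KbId)
    if (Test-KbInstalled $KbId) {
        Write-Host "$KbId is already installed, skipping."
        return 0
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "$KbId package not found at $Path"
    }
    # wusa.exe installs a standalone .msu; /quiet and /norestart keep it unattended.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$Path`"", '/quiet', '/norestart' -Wait -PassThru
    # 0 = success, 3010 = success with reboot required, 2359302 = already installed.
    if (0, 3010, 2359302 -notcontains $proc.ExitCode) {
        throw "wusa.exe failed for $KbId (exit code $($proc.ExitCode))"
    }
    return $proc.ExitCode
}

# Order matters: a failed SSU install throws and the rollup is never started.
$ssuCode    = Install-Msu -Path $SsuMsu    -KbId 'KB5016263'
$rollupCode = Install-Msu -Path $RollupMsu -KbId 'KB5020009'

if ($ssuCode -eq 3010 -or $rollupCode -eq 3010) {
    Write-Host 'Installation complete. A restart is required to finish applying the updates.'
} else {
    Write-Host 'Installation complete.'
}
```

If a language pack is added after this runs, the rollup has to be installed again, as noted in the salient points above.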

Issues and improvements in KB5020009 for Windows Server 2012

The following issues and improvements are part of KB5020009 for Windows Server 2012:

  • Addresses a Distributed Component Object Model (DCOM) authentication hardening issue to automatically raise authentication level for all non-anonymous activation requests from DCOM clients. This will occur if the authentication level is less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
  • Updates the daylight-saving time (DST) for Jordan to prevent moving the clock back 1 hour on October 28, 2022. Additionally, changes the display name of Jordan standard time from “(UTC+02:00) Amman” to “(UTC+03:00) Amman”.
  • Addresses an issue where Microsoft Azure Active Directory (AAD) Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: “The handle specified is invalid (0x80090301).”
  • Addresses an issue where, after installing the January 11, 2022 or later update, the Forest Trust creation process fails to populate the DNS name suffixes into the trust information attributes.
  • Addresses security vulnerabilities in the Kerberos and Netlogon protocols as outlined in CVE-2022-38023, CVE-2022-37966, and CVE-2022-37967. For deployment guidance, see the following articles:
    • KB5020805: How to manage the Kerberos protocol changes related to CVE-2022-37967
    • KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023
    • KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966

You can read more about these issues in the release notes for KB5020009 published by Microsoft.

There is also a known domain join issue with Active Directory. Here is what Microsoft has shared about the issue:

After this update or a later Windows update is installed, domain join operations might be unsuccessful and error “0xaac (2732): NERR_AccountReuseBlockedByPolicy” occurs. Additionally, text stating “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy” might be displayed.

For a fix, you can see the release notes for KB5020276. Microsoft is working on providing a permanent fix in one of the future releases of Windows updates.