KB5020023 Monthly Rollup Update for Windows Server 2012 R2

KB5020023 is the monthly rollup update for Windows Server 2012 R2. It was released on 8 November as part of November’s ‘Patch Tuesday’ release. KB5020023 supersedes (replaces) the KB5018474 monthly rollup. We look at some important aspects of KB5020023 below.

Salient points about KB5020023 for Windows Server 2012 R2

  • KB5020023 is a monthly rollup and cumulative update. It contains all the changes of previous rollup updates and also addresses security issues on Windows Server 2012 R2.
  • KB5020023 also contains all the changes that are part of the security-only update KB5020010. So, you can either deploy KB5020010 or KB5020023 for addressing security threats on Windows Server 2012 R2.
  • KB5020023 can be applied on Windows Server 2012 R2 Server Core installation.
  • Windows Server 2012 R2 is affected by 26 vulnerabilities. Of these, 6 have a ‘CRITICAL’ impact on infrastructure that includes Windows Server 2012 R2 servers.
  • Three zero-day vulnerabilities affect Windows Server 2012 R2: CVE-2022-41073, CVE-2022-41125, and CVE-2022-41128. Brief details are given in the vulnerability section below.
  • Servicing Stack Update KB5018922 needs to be deployed prior to installing the monthly rollup update KB5020023 on Windows Server 2012 R2.
  • Kerberos authentication issues were reported after deploying KB5020023 on Windows Server 2012 R2. These issues are resolved by the emergency (out-of-band, OOB) update KB5021653 for Windows Server 2012 R2.
  • The correct installation sequence for November’s monthly rollup on Windows Server 2012 R2 starts with the SSU KB5018922. Then deploy KB5020023. After KB5020023 is installed, finish the update process by applying KB5021653.

Vulnerabilities affecting Windows Server 2012 R2 – KB5020023

There are 26 vulnerabilities that affect Windows Server 2012 R2. Of these, 6 pose a ‘CRITICAL’ threat to the server, and 3 qualify as zero-day threats. The table below lists the critical vulnerabilities in brief.

| Vulnerability | Severity | CVSS Score | Impact | Summary |
|---|---|---|---|---|
| CVE-2022-41039 | CRITICAL | 8.1 | Remote Code Execution | The vulnerability affects Windows Point-to-Point Tunneling Protocol. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. |
| CVE-2022-41088 | CRITICAL | 8.1 | Remote Code Execution | The vulnerability affects Windows Point-to-Point Tunneling Protocol. To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. |
| CVE-2022-41128 | CRITICAL | 8.8 | Remote Code Execution | The vulnerability affects Windows Scripting Languages. It impacts the JScript9 scripting language and requires that a user with an affected version of Windows access a malicious server. |
| CVE-2022-41118 | CRITICAL | 7.5 | Remote Code Execution | This vulnerability affects Windows Scripting Languages. It impacts both the JScript9 and Chakra scripting languages and requires that a user with an affected version of Windows access a malicious server. The IE cumulative update resolves the threat; it is part of the monthly rollup update. The security-only update needs to be topped up with the IE cumulative update for Windows Server 2012 R2. |
| CVE-2022-37966 | CRITICAL | 8.1 | Elevation of Privileges | This vulnerability affects Windows Kerberos RC4-HMAC. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that leverages cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment. |
| CVE-2022-37967 | CRITICAL | 7.2 | Elevation of Privileges | This vulnerability affects Windows Kerberos. An authenticated attacker could leverage cryptographic protocol vulnerabilities in Windows Kerberos. If the attacker gains control of a service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges. Aside from patching, follow the instructions in the KB5020805 document for full protection. |

Zero-day vulnerabilities on Windows Server 2012 R2

There are three zero-day threats that have been disclosed for Windows Server 2012 R2. The details of these vulnerabilities are shared below.

| Vulnerability | CVSS | Impact | Summary |
|---|---|---|---|
| CVE-2022-41073 | 7.8 | Elevation of Privileges | This vulnerability affects Windows Print Spooler. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. |
| CVE-2022-41125 | 7.8 | Elevation of Privileges | This vulnerability affects Windows CNG Key Isolation Service. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. |
| CVE-2022-41128 | 8.8 | Remote Code Execution | The vulnerability affects Windows Scripting Languages. It impacts the JScript9 scripting language and requires that a user with an affected version of Windows access a malicious server. |

Install KB5020023 on Windows Server 2012 R2

Since KB5020023 is a cumulative update, it is offered for automated deployment. Alternatively, you can use a manual or offline installer file for manual patching of the Windows Server 2012 R2.

For automated deployment of KB5020023, you can use either of the following methods:

  • Windows Update
  • Windows Server Update Services (WSUS)

KB5018922 is the SSU (Servicing Stack Update) that corresponds to KB5020023. It is offered as part of the automated deployment process before KB5020023 is installed.

For manual patching or deployment of KB5020023 on the Windows Server 2012 R2, you will need to download the MSU update file from the Microsoft Update Catalog website. The direct download links for KB5018922 SSU and KB5020023 monthly rollup update for Windows Server 2012 R2 are shared below for ready reference.

| MSU Update file | Size of the file |
|---|---|
| KB5018922 Servicing Stack Update for Windows Server 2012 R2 – Direct Download | 10.5 MB |
| KB5020023 Monthly Rollup Update for Windows Server 2012 R2 – Direct Download | 567.6 MB |
| KB5021653 OOB update for Windows Server 2012 R2 – Direct Download | 36.2 MB |

Note that the SSU (Servicing Stack Update) will not cause a server reboot. However, the monthly rollup update may cause the server to reboot.
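As an added example that is not part of the original article, the PowerShell script below applies the three packages in the order the article describes (SSU KB5018922, then rollup KB5020023, then OOB KB5021653), skips any package that Get-HotFix already reports as installed, and stops when an install asks for a reboot so the next package is never applied on a pending-restart server. The folder C:\Patches and the .msu file names are placeholders; use the files downloaded from the Microsoft Update Catalog. It also assumes Get-HotFix lists each of these packages by KB number.

```powershell
# Added example, not from the original article. Installs the November 2022
# packages for Windows Server 2012 R2 in the required order:
#   1. SSU KB5018922   2. Monthly rollup KB5020023   3. OOB Kerberos fix KB5021653
# Assumptions: run from an elevated PowerShell prompt; the .msu files were
# downloaded from the Microsoft Update Catalog into $PatchDir. Folder and
# file names below are placeholders, not the catalog's real file names.

$PatchDir = 'C:\Patches'

$Sequence = @(
    @{ KB = 'KB5018922'; File = 'KB5018922-ssu-x64.msu' },      # placeholder name
    @{ KB = 'KB5020023'; File = 'KB5020023-rollup-x64.msu' },   # placeholder name
    @{ KB = 'KB5021653'; File = 'KB5021653-oob-x64.msu' }       # placeholder name
)

function Test-KBInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Get-HotFix lists installed packages by HotFixID, e.g. "KB5020023".
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Install-Msu {
    param([Parameter(Mandatory)][string]$Path)
    # wusa.exe is the built-in installer for .msu packages. /quiet suppresses
    # the UI and /norestart leaves the reboot decision to this script.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
         -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    return $p.ExitCode
}

foreach ($Step in $Sequence) {
    if (Test-KBInstalled -KB $Step.KB) {
        Write-Host "$($Step.KB): already installed, skipping."
        continue
    }

    $Msu = Join-Path $PatchDir $Step.File
    if (-not (Test-Path $Msu)) { throw "$($Step.KB): installer not found at $Msu" }

    Write-Host "$($Step.KB): installing from $Msu ..."
    $Code = Install-Msu -Path $Msu

    switch ($Code) {
        0       { Write-Host "$($Step.KB): installed." }
        3010    {
                    # ERROR_SUCCESS_REBOOT_REQUIRED: reboot before the next package.
                    Write-Warning "$($Step.KB): installed, reboot required. Restart, then re-run this script."
                    exit 3010
                }
        2359302 { Write-Host "$($Step.KB): already installed (WU_S_ALREADY_INSTALLED, 0x240006)." }
        default { throw "$($Step.KB): wusa.exe failed with exit code $Code" }
    }
}

Write-Host "All packages present. Verify with: Get-HotFix -Id KB5018922,KB5020023,KB5021653"
```

Because each run skips packages that are already installed, the script can simply be re-run after the reboot that the rollup (and, per the article, not the SSU) may request; it then continues with the next package in the sequence.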

For more details of the Servicing Stack Update KB5018922, visit the Microsoft Update Catalog page for KB5018922.

For more details about the files and deployment of KB5020023 monthly rollup update for Windows Server 2012 R2, you may visit the Microsoft Catalog page for KB5020023.

For more details about the OOB update KB5021653, you can check the file information on the Microsoft Update Catalog page for KB5021653.

For release notes of KB5020023, you may visit the page for KB5020023.

Issues and Improvements in KB5020023 for Windows Server 2012 R2

The following issues and improvements are part of the KB5020023 monthly rollup update for Windows Server 2012 R2.

  • Addresses a Distributed Component Object Model (DCOM) authentication hardening issue to automatically raise authentication level for all non-anonymous activation requests from DCOM clients. This will occur if the authentication level is less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
  • Updates the daylight-saving time (DST) for Jordan to prevent moving the clock back 1 hour on October 28, 2022. Additionally, changes the display name of Jordan standard time from “(UTC+02:00) Amman” to “(UTC+03:00) Amman”.
  • Addresses an issue where Microsoft Azure Active Directory (AAD) Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: “The handle specified is invalid (0x80090301).”
  • Addresses an issue where, after installing the January 11, 2022 or later update, the Forest Trust creation process fails to populate the DNS name suffixes into the trust information attributes.
  • Addresses an issue where the Microsoft Visual C++ Redistributable Runtime does not load into the Local Security Authority Server Service (LSASS) when Protected Process Light (PPL) is enabled.
  • Addresses security vulnerabilities in the Kerberos and Netlogon protocols as outlined in CVE-2022-38023, CVE-2022-37966, and CVE-2022-37967. For deployment guidance, see the following articles:
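The DCOM hardening item above means activation requests below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY are raised automatically, and clients that cannot negotiate that level will start to fail. As an added example that is not from the original article, the PowerShell below pulls the DCOM hardening events from the System log so an administrator can spot affected clients before and after deploying KB5020023. It assumes the DistributedCOM provider name and the event IDs 10036 (logged on the server for a rejected client), 10037 and 10038 (logged on the client) documented in Microsoft's DCOM hardening guidance; the seven-day window is an arbitrary default.

```powershell
# Added example, not from the original article. Lists DCOM hardening events
# from the System log on a Windows Server 2012 R2 host (or a remote one).
# Assumptions: provider 'Microsoft-Windows-DistributedCOM' and event IDs
# 10036 (server side) / 10037, 10038 (client side) from Microsoft's DCOM
# hardening guidance. Run from an elevated prompt; -Days is a chosen default.

param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)

function Get-DcomHardeningEvents {
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)

    $Filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # SilentlyContinue: Get-WinEvent throws "No events were found" when empty.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Side    = if ($_.Id -eq 10036) { 'Server' } else { 'Client' }
                # The first message line names the user, address and CLSID involved.
                Message = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Group repeated offenders so the clients that need fixing stand out.
Get-DcomHardeningEvents -Days $Days -ComputerName $ComputerName |
    Group-Object EventId, Message |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'EventId'; e = { $_.Group[0].EventId } },
                  @{ n = 'Side';    e = { $_.Group[0].Side } },
                  @{ n = 'Message'; e = { $_.Group[0].Message } } |
    Format-Table -AutoSize -Wrap
```

Run it on the DCOM server to see which clients were rejected (10036), and on a suspect client to see which servers it failed to activate (10037/10038); an empty result after the rollup is the expected outcome once every client negotiates packet integrity.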

Post-deployment issues after KB5020023

After deploying KB5020023, you may run into domain join issues in Active Directory. Here is what Microsoft has said about the issue:

After this update or a later Windows update is installed, domain join operations might be unsuccessful and error “0xaac (2732): NERR_AccountReuseBlockedByPolicy” occurs. Additionally, text stating “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy” might be displayed.

More details and the fix for this issue are published in Microsoft's KB5020276 article.

For the monthly rollup KB5020023 for Windows 8.1, please visit this page for details and download information.