Microsoft Updates – Critical Vulnerabilities in February patches

Microsoft released its cumulative updates last night. These updates resolve existing vulnerabilities across the server and desktop editions of its operating systems. For the purpose of this write-up, we focus on the critical vulnerabilities that Microsoft announced and fixed in this month’s Patch Tuesday updates.

Two of the vulnerabilities are of critical severity and have a significant impact on IT infrastructure. Both have been patched as part of the security or cumulative updates. We list the vulnerabilities and share the links to the patches that fix them for the affected operating systems. In all, 70 vulnerabilities have been resolved in this latest series of cumulative and security updates from Microsoft.

CVSS-10-CVE-2021-42311 – Microsoft Defender for IoT

Microsoft Defender for IoT versions older than 10.5.2 are affected by a remote code execution vulnerability rated CVSS 10. An attacker who exploits it could execute code of their choosing on the affected system. The resolution is to update Microsoft Defender for IoT to version 10.5.2 or later. The latest version of Microsoft Defender for IoT is available in the downloads section of the Azure portal.

This vulnerability had not been publicly disclosed before the fix, and there are no recorded instances of exploitation. You can read more about Microsoft Defender for IoT on the Microsoft site.

CVSS-9.8-CVE-2022-21907 – HTTP Protocol Stack RCE

CVE-2022-21907 is a CVSS 9.8 vulnerability with a critical impact on your IT infrastructure. It allows a remote attacker to send a malicious packet that triggers the flaw in the HTTP protocol stack (http.sys) and executes malicious code on the target. The vulnerability has not yet been exploited, and its details have not been shared publicly. However, it is wormable, and Microsoft advises that system administrators patch servers and workstations on priority.

CVE-2022-21907 can impact the following servers and workstations:

  • Windows Server 2022
  • Windows Server 2022 (Server Core Installation)
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows 11 for x64 and ARM64 processors
  • Windows 10 Version 20H2 for ARM64, x64 and 32-bit systems
  • Windows 10 Version 21H2 for ARM64, x64 and 32-bit systems
  • Windows 10 Version 21H1 for ARM64, x64 and 32-bit systems
  • Windows 10 Version 1809 for ARM64, x64 and 32-bit systems

Windows Server 2019 and Windows 10 Version 1809 are not affected by this vulnerability by default. However, these two would be vulnerable if you have enabled HTTP Trailer Support through the registry DWORD EnableTrailerSupport under the following registry hive:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

Deleting the DWORD from the registry hive mentioned above should take care of the issue for you.
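The following PowerShell script is an added example, not part of the original advisory or a Microsoft tool. It audits the EnableTrailerSupport value under the registry path given above, and removes it only when run with -Remediate in an elevated session; the build-number check (17763 for Windows Server 2019 / Windows 10 1809) is our assumption about how to tell the two "safe by default" releases apart from the others in the affected list.

```powershell
# Added example: audit (and optionally remove) the HTTP.sys trailer-support
# switch that exposes Windows Server 2019 / Windows 10 1809 to CVE-2022-21907.
# Run from an elevated PowerShell prompt. Reporting only unless -Remediate is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName = 'EnableTrailerSupport'

# Assumption: build 17763 is Windows 10 1809 / Windows Server 2019, the only
# releases in the affected list that are safe unless this value is present.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -ne 17763) {
    Write-Warning "Build $build is affected regardless of $ValueName; apply the February cumulative update."
}

# -ErrorAction SilentlyContinue makes a missing value return $null instead of throwing.
$item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "OK: $ValueName is not set under $KeyPath (HTTP trailer support at its default)."
    return
}

$current = $item.$ValueName
Write-Output "FOUND: $KeyPath\$ValueName = $current (HTTP trailer support has been enabled here)."

if (-not $Remediate) {
    Write-Output "Re-run with -Remediate to delete the value, as the advisory recommends."
    return
}

# ShouldProcess gives the operator -WhatIf / -Confirm before the registry is touched.
if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove registry value')) {
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    Write-Output "REMOVED: $ValueName deleted. Restart the HTTP service (or the host) for http.sys to pick up the change, and still apply the cumulative update."
}
```

Running it across a fleet with a remoting tool and collecting the OK/FOUND lines gives a quick inventory of which 1809/2019 hosts had the mitigating default overridden.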

How do I resolve the critical vulnerabilities for Microsoft’s February update?

The Defender for IoT vulnerability can be resolved by downloading the latest version from the Azure portal. For the HTTP Protocol Stack, we suggest that you download the cumulative updates for the affected server or workstation operating systems. For your ready reference, the download links for these cumulative updates are listed below:

High Impact Vulnerabilities in February

The following vulnerabilities are listed in Microsoft’s February update document. These vulnerabilities have a high impact on the associated IT infrastructure.

The HIGH impact vulnerabilities for February are:

  • CVE-2022-21844 – HEVC Video Extensions Remote Code Execution Vulnerability – CVSS score is 7.8.
  • CVE-2022-21926 – HEVC Video Extensions Remote Code Execution Vulnerability – CVSS score is 7.8.
  • CVE-2022-21927 – HEVC Video Extensions Remote Code Execution Vulnerability – CVSS score is 7.8.
  • CVE-2022-21971 – Windows Runtime Remote Code Execution Vulnerability – CVSS score is 7.8.
  • CVE-2022-21974 – Roaming Security Rights Management Services Remote Code Execution Vulnerability – CVSS score is 7.8.
  • CVE-2022-21981 – Windows Common Log File System Driver Elevation of Privilege Vulnerability – CVSS score is 7.8.
  • CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability – CVSS score is 8.8.
  • CVE-2022-21989 – Windows Kernel Elevation of Privilege Vulnerability – CVSS score is 7.8.
  • CVE-2022-21992 – Windows Mobile Device Management Remote Code Execution Vulnerability – CVSS score is 7.8.
  • CVE-2022-21994 – Windows DWM Core Library Elevation of Privilege Vulnerability – CVSS score is 7.8.
  • CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability – CVSS score is 7.9.
  • CVE-2022-21996 – Win32k Elevation of Privilege Vulnerability – CVSS score is 7.8.
  • CVE-2021-40469 – Windows DNS Server Remote Code Execution Vulnerability – CVSS score is 7.2.
  • CVE-2022-22717 – Windows Print Spooler Elevation of Privilege Vulnerability – CVSS score is 7.
  • CVE-2022-22718 – Windows Print Spooler Elevation of Privilege Vulnerability – CVSS score is 7.8.
  • CVE-2022-21997 – Windows Print Spooler Elevation of Privilege Vulnerability – CVSS score is 7.1.
  • CVE-2022-21999 – Windows Print Spooler Elevation of Privilege Vulnerability – CVSS score is 7.8.
  • CVE-2022-22000 – Windows Common Log File System Driver Elevation of Privilege Vulnerability – CVSS score is 7.8.

These vulnerabilities are patched in the latest cumulative updates, wherever possible.

Among these high impact vulnerabilities is a zero-day that involves the Windows DNS Server. CVE-2022-21984 is a CVSS 8.8 vulnerability that deserves attention. It affects:

  • Windows Server 2022
  • Windows Server 2022 (Server Core Installation)
  • Windows 10 Version 1909, 20H2, 21H1 and 21H2
  • Windows 11

If you are running instances of Windows Server 2022, Windows 10 or Windows 11, please prioritize mitigating CVE-2022-21984.

Summary

The February Patch Tuesday updates from Microsoft are out. There are 2 critical vulnerabilities on the update list, and quite a few more that have a HIGH impact on your infrastructure. Deploy the cumulative updates on priority, especially because of the inherent risk of the CVSS 9.8 critical vulnerability in the HTTP Protocol Stack.