By security practitioners, for security practitioners novacoast federal | Apex Program | novacoast | about innovate
By security practitioners, for security practitioners

Microsoft Critical Wormable RCE and Six Zero-Days Highlight January Patch Tuesday

JANUARY 12, 2021 15:30 CST

97 vulnerabilities were patched in Microsoft’s January 2022 Patch Tuesday update. Nine were rated critical and six are published zero-days. Administrators should perform updates per the Microsoft Update Guide ASAP.

The vulnerabilities cover multiple product lines, including: Microsoft Windows and Windows Components, Microsoft Edge, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

Critical Wormable RCE

The big one, the driver for this advisory, is the update for CVE-2022-21907, which is a critical remote code execution (RCE) bug which happens to be self-propagating, AKA “wormable.” It can traverse the network laterally to other hosts with no user interaction required. This feature ranks it very high on the CVSS scale at 9.8 out of 10.

The exploit targets the HTTP protocol stack (http.sys) with specially crafted packets containing a metadata rider that can deliver code for RCE. While it mainly targets server endpoints, it can also affect client versions of Windows as they also utilize http.sys. Once infected, a single endpoint will infect other lateral hosts on the network.

It is recommended to apply this update immediately.

Patched Zero-Days

The January Patch Tuesday addresses several other CVEs ranked critical as well. While none of the zero-days patched are reported to be exploited in the wild at present, exploit code is available publicly. The notable six zero-days patched are:

  • CVE-2021-22947: HackerOne-assigned CVE in open-source Curl library (RCE)
  • CVE-2021-36976: MITRE-assigned CVE in open-source Libarchive (RCE)
  • CVE-2022-21874: Local Windows Security Center API (RCE, CVSS score of 7.8)
  • CVE-2022-21919: Windows User Profile Service (privilege escalation, CVSS 7.0)
  • CVE-2022-21839: Windows Event Tracing Discretionary Access Control List (denial-of-service, CVSS 6.1).
  • CVE-2022-21836: Windows Certificate (spoofing, CVSS 7.8).

It’s been a monster of a season for vulnerabilities, and while many organizations are still grappling with Log4j updates, the latest Microsoft deluge of patches definitely adds to the workload.

Resources

Previous Post

University Researchers Pit Top 18 EDR Products Against Real-World Attacks

Next Post

Open Source Developers Sabotage Projects Downloaded By Millions

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.