JANUARY 12, 2021 15:30 CST
97 vulnerabilities were patched in Microsoft’s January 2022 Patch Tuesday update. Nine were rated critical and six are published zero-days. Administrators should perform updates per the Microsoft Update Guide ASAP.
The vulnerabilities cover multiple product lines, including: Microsoft Windows and Windows Components, Microsoft Edge, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).
Critical Wormable RCE
The big one, the driver for this advisory, is the update for CVE-2022-21907, which is a critical remote code execution (RCE) bug which happens to be self-propagating, AKA “wormable.” It can traverse the network laterally to other hosts with no user interaction required. This feature ranks it very high on the CVSS scale at 9.8 out of 10.
The exploit targets the HTTP protocol stack (http.sys) with specially crafted packets containing a metadata rider that can deliver code for RCE. While it mainly targets server endpoints, it can also affect client versions of Windows as they also utilize http.sys. Once infected, a single endpoint will infect other lateral hosts on the network.
It is recommended to apply this update immediately.
The January Patch Tuesday addresses several other CVEs ranked critical as well. While none of the zero-days patched are reported to be exploited in the wild at present, exploit code is available publicly. The notable six zero-days patched are:
- CVE-2021-22947: HackerOne-assigned CVE in open-source Curl library (RCE)
- CVE-2021-36976: MITRE-assigned CVE in open-source Libarchive (RCE)
- CVE-2022-21874: Local Windows Security Center API (RCE, CVSS score of 7.8)
- CVE-2022-21919: Windows User Profile Service (privilege escalation, CVSS 7.0)
- CVE-2022-21839: Windows Event Tracing Discretionary Access Control List (denial-of-service, CVSS 6.1).
- CVE-2022-21836: Windows Certificate (spoofing, CVSS 7.8).
It’s been a monster of a season for vulnerabilities, and while many organizations are still grappling with Log4j updates, the latest Microsoft deluge of patches definitely adds to the workload.
- Microsoft Update Guide – January Patch Tuesday
- Threatpost article