Automox Experts Weigh in on January 2022 Patch Tuesday Release

Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.

January 2022 Overview

General Overview - Eric Feldman

Happy New Year, everyone. It’s been said that the new year enables a fresh beginning. People make resolutions, companies close another year on their books and begin a new one, and schools prepare for the Spring. 2022 is also going to bring us a new year of software vulnerabilities to monitor, report, and remediate.

Microsoft is starting this year with a bang with 97 vulnerabilities, more than all but two months in 2021. This month’s total is also 30% higher than the monthly average for last year. The number of reported critical vulnerabilities is also causing ITOps and SecOps teams to start the year off with extra work.

January's total of 9 critical vulnerabilities is only slightly above last year's monthly average of 8.4, but it is the highest monthly total since July 2021. Fortunately, there are no vulnerabilities known to be exploited in the wild to report this month.

We have a relatively light month from Adobe, with 5 security updates impacting a number of their applications. This is in contrast to last month when Adobe issued 11 updates. As most of their updates are at their lowest level of priority, Adobe advises that administrators can update these at their discretion.

Google released an update to remediate 37 vulnerabilities in their Chrome browser. Fortunately only one was rated critical, and updating to the latest version of Google Chrome is the sole remediation step.

We would like to remind everyone that the Log4Shell vulnerability for Apache Log4j is still a concern for many organizations. While we covered this in detail in December’s Patch Tuesday Blog, we have an additional resource to share. Automox just posted a short on-demand webinar/video entitled “Apache Log4j and the Log4Shell Vulnerability.” In 15 minutes, you will learn some background info of Log4j, the timeline of events of Log4Shell, and remediation steps you can take to protect your environment. Be sure to check it out and share it with your colleagues.

Automox recommends that all critical and exploited vulnerabilities are patched within a 72-hour window, in particular those highlighted this month.

-Eric Feldman, Senior Product Marketing Manager


Critical Vulnerability Breakdown

Maarten Buis - CVE-2021-22947 - Open Source cURL Remote Code Execution Vulnerability - Critical and Publicly Disclosed

A publicly disclosed critical vulnerability has been found in cURL, a library and command-line tool for transferring data over many network protocols, including the copy of curl that ships with Windows, which is why it appears in Microsoft's January release. The flaw is in how curl upgrades a plaintext IMAP, POP3, SMTP or FTP connection to TLS with STARTTLS: a man-in-the-middle attacker can inject a fake response before the TLS handshake completes, and curl does not discard that buffered plaintext after the upgrade. The attacker then passes the legitimate server's TLS traffic through unchanged, and curl treats the injected data as the first authenticated, TLS-protected response and hands it to the user as genuine. Automox recommends rolling out this update quickly; the public disclosure significantly increases the chance that threat actors will exploit the flaw.

Gina Geisel - CVE-2022-21833 - Windows Virtual Machine IDE Drive Elevation of Privilege Vulnerability - Critical

CVE-2022-21833 is an elevation of privilege vulnerability in the IDE drive support of a Windows virtual machine (VM). Because virtual IDE controllers are limited in performance and I/O size, IDE is typically used only for the operating system disk (a Hyper-V Generation 1 VM boots from a virtual IDE controller, while a Generation 2 VM has no IDE controller at all), so the set of affected devices in an environment may be small.

With a local attack vector and high attack complexity, an attacker first needs code execution as a low-privileged user on the VM, for example through a weak user password or an account with minimal access controls, before this vulnerability can be exploited. Certain versions of Windows 7, 8, 10, and 11 and Windows Server 2008, 2012, 2016, 2019, and 2022 are affected. Automox recommends patching VMs with IDE drives promptly.
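Scoping which guests are actually in play is the first step. The script below is an added example, not code from the Automox post: run on a Hyper-V host, it lists every VM with a virtual hard disk on an IDE controller, which is the set whose IDE drive support is in scope for CVE-2022-21833. It assumes the Hyper-V PowerShell module is installed, the session is elevated, and the guests run Windows; the patch state inside each guest still has to be checked separately.

```powershell
# Added example (not code from the Automox post). Run on a Hyper-V host to
# list the guests that have a virtual hard disk on an IDE controller, i.e. the
# VMs whose IDE drive support is in scope for CVE-2022-21833. ASSUMPTIONS:
# the Hyper-V PowerShell module is installed, the session is elevated, and the
# guests are Windows; patch state inside each guest is checked separately.

Import-Module Hyper-V -ErrorAction Stop

$ideDisks = Get-VM | Get-VMHardDiskDrive | Where-Object { $_.ControllerType -eq 'IDE' }

$report = foreach ($group in ($ideDisks | Group-Object VMName)) {
    $vm = Get-VM -Name $group.Name
    [pscustomobject]@{
        VMName        = $group.Name
        Generation    = $vm.Generation   # Gen 1 boots from IDE; Gen 2 has no IDE controller
        State         = $vm.State
        IdeDisks      = $group.Count
        # controller 0 / location 0 is the usual boot disk position on a Gen 1 VM
        BootDiskOnIde = [bool]($group.Group | Where-Object { $_.ControllerNumber -eq 0 -and $_.ControllerLocation -eq 0 })
        Paths         = ($group.Group.Path -join '; ')
    }
}

$report | Sort-Object VMName | Format-Table -AutoSize

# Running guests with an IDE disk go to the front of the patch queue; stopped
# ones should be updated before they return to service.
$running = $report | Where-Object { $_.State -eq 'Running' } | Select-Object -ExpandProperty VMName
"Patch first: $($running -join ', ')"
```

Because a Generation 1 VM always boots from IDE, every Gen 1 guest will appear in this list; the value of the inventory is in separating them from Gen 2 guests, which carry no IDE controller and can be deprioritized for this particular CVE.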

Chad McNaughton - CVE-2022-21840 - Microsoft Office Remote Code Execution Vulnerability - Critical

This month, Microsoft announced CVE-2022-21840, a remote code execution vulnerability in various Office applications (32- and 64-bit). Exploitation is not considered highly likely, and the CVE has not been publicly disclosed or seen exploited in the wild, but it is a low-complexity vulnerability that requires no privileges: an attacker could execute their own, possibly malicious, code on the system without any elevated rights. The CVE details list releases as old as Office 2013, along with Office Web Apps, Office for Mac, various SharePoint products and more. Seeing nearly ten-year-old software in a current CVE is no surprise, as attackers rely heavily on legacy systems that are likely unpatched and therefore highly exposed. They know how daunting it can be to keep everything updated, which is where automation helps. As this is a critical vulnerability, update as soon as possible to minimize exposure.

Eric Feldman - CVE-2022-21846 - Microsoft Exchange Server Remote Code Execution Vulnerability - Critical

CVE-2022-21846 is a remote code execution vulnerability that impacts Microsoft Exchange Server 2013, 2016, and 2019. It is one of three Exchange vulnerabilities this month; the other two are rated "important." The attack vector is listed as "adjacent," which in CVSS terms means the attack is limited at the protocol level to a logically adjacent topology: it cannot simply be launched across the internet, but requires the attacker to share something specific with the target, such as a physical network (Bluetooth or Wi-Fi), a logical network in the same IP subnet, or a limited administrative domain such as a VPN. This is common to attacks that require a man-in-the-middle setup or that rely on first gaining a foothold elsewhere in the environment. Automox recommends prioritizing the installation of this update.

Eric Feldman - CVE-2022-21857 - Active Directory Domain Services Elevation of Privilege Vulnerability - Critical

This is a critical vulnerability impacting Microsoft Active Directory Domain Services. Active Directory Domain Services stores information about objects on a network and makes that data available to network users and administrators; it also integrates security with login authentication and access control to objects such as servers on the network. By exploiting this elevation of privilege vulnerability, an attacker could elevate privileges across the trust boundary under certain conditions, for example by changing an account to administrator access. Given the crucial role Active Directory plays in enterprise networks and security, Automox recommends this update be applied immediately.

Jay Goodman - CVE-2022-21898 and CVE-2022-21912 - DirectX Graphics Kernel Remote Code Execution Vulnerabilities - Critical

Two critical remote code execution vulnerabilities in the Windows DirectX graphics kernel were disclosed this month. The DirectX graphics kernel (dxgkrnl.sys) is the kernel-mode subsystem that sits between applications, display drivers and the GPU. The vulnerabilities, CVE-2022-21898 and CVE-2022-21912, both score CVSS 7.8 and are present in Windows 10, Server 2019 and newer operating systems. Attackers could use them to deploy and execute code on a target system, and because the vulnerable code runs in the kernel, successful exploitation can give an attacker full control of the system as well as a base of operations from which to spread to other systems on the network. This is a critical pair of vulnerabilities to address as soon as possible, especially since nearly every corporate Windows device will have this code present. Common, widespread vulnerabilities like these are valuable to attackers trying to steal corporate data or infiltrate sensitive systems, so it is important for organizations to patch and remediate within the 72-hour window to minimize exposure.

Eric Feldman - CVE-2022-21907 - Windows HTTP Protocol Stack Remote Code Execution Vulnerability - Critical

This is a remote code execution vulnerability that impacts some versions of Windows 10 (32- and 64-bit), Windows 11 (64-bit), and Windows Server 2019 and 2022. The HTTP Protocol Stack (http.sys) is the kernel-mode component that Windows and applications such as IIS, WinRM and WSUS use to serve HTTP. If exploited, an unauthenticated attacker could send a specially crafted packet to a server that uses http.sys to process requests and execute arbitrary code, taking control of the affected system. There is no workaround for affected systems in their default configuration. The one exception is Windows Server 2019 and Windows 10 version 1809, where the vulnerable HTTP trailer support is not active unless the EnableTrailerSupport registry value has been set; deleting that value mitigates the issue on those two versions only. Automox recommends prioritizing the patching of affected servers.
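The following script is an added example, not code from the Automox post or from Microsoft. It reports whether a host carries the January 2022 cumulative update, whether http.sys currently has any registered listeners that a remote attacker could reach, and, on Windows Server 2019 / Windows 10 1809 only, applies Microsoft's registry mitigation when asked to. The build-to-revision table is an assumption transcribed from the January 2022 KB articles and should be verified against the KB for your OS; the script must run from an elevated session.

```powershell
# Added example (not code from the Automox post or Microsoft). Reports whether
# this host carries the January 2022 cumulative update that fixes
# CVE-2022-21907 and, on Windows Server 2019 / Windows 10 1809 only, applies
# Microsoft's registry mitigation when asked to. Run from an elevated session.
# ASSUMPTION: the build-to-revision (UBR) table is transcribed from the
# January 2022 KB articles; verify it against the KB for your OS.

function Test-CVE202221907 {
    param([switch]$Mitigate)   # without this switch the function only reports

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # First revision of each affected build that includes the January 2022 update.
    $fixedUbr = @{
        17763 = 2452   # Windows 10 1809 / Windows Server 2019 (KB5009557)
        19042 = 1466   # Windows 10 20H2 / Windows Server 20H2 (KB5009543)
        19043 = 1466   # Windows 10 21H1 (KB5009543)
        19044 = 1466   # Windows 10 21H2 (KB5009543)
        20348 = 469    # Windows Server 2022 (KB5009555)
        22000 = 434    # Windows 11 21H2 (KB5009566)
    }

    # $null here means "build not in the table": treat as unverified, not as safe.
    $patched = if ($fixedUbr.ContainsKey($build)) { $ubr -ge $fixedUbr[$build] } else { $null }

    # On build 17763 the vulnerable trailer parsing is off unless this value is 1;
    # on newer builds it is always on, so the registry value is irrelevant there.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $trailer = (Get-ItemProperty -Path $regPath -Name EnableTrailerSupport -ErrorAction SilentlyContinue).EnableTrailerSupport
    $pathActive = ($build -ne 17763) -or ($trailer -eq 1)

    # URLs currently registered with http.sys (IIS, WinRM, WSUS, ...): these are
    # the listeners an unauthenticated remote attacker would hit.
    $urls = @(netsh http show servicestate |
              Select-String -Pattern '^\s*HTTPS?://' |
              ForEach-Object { $_.Line.Trim() })

    $vulnerable = ($patched -ne $true) -and $pathActive

    if ($vulnerable -and $build -eq 17763 -and $Mitigate) {
        # Microsoft's documented mitigation, valid for 1809 / Server 2019 only.
        Remove-ItemProperty -Path $regPath -Name EnableTrailerSupport -ErrorAction Stop
        $trailer    = $null
        $vulnerable = $false
    }

    [pscustomobject]@{
        Build                = "$build.$ubr"
        JanuaryUpdatePresent = $patched
        EnableTrailerSupport = $trailer
        HttpSysListeners     = $urls.Count
        Vulnerable           = $vulnerable
        RegisteredUrls       = $urls
    }
}

Test-CVE202221907 | Format-List
```

A host with zero registered URLs is not reachable through the vulnerable parser today, but the patch is still required, since any service that later registers with http.sys (WinRM, for example) reopens the exposure. Note that the mitigation branch deliberately does nothing on builds other than 17763, matching the scope of Microsoft's guidance.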

Justin Knapp - CVE-2022-21917 - HEVC Video Extensions Remote Code Execution Vulnerability - Critical

CVE-2022-21917 is a critical vulnerability in the HEVC Video Extensions package. HEVC (H.265) is a video compression standard, and the extensions package supplies the codec that Windows 10 and 11 use to decode and play back HEVC content. The vulnerability can lead to remote code execution (RCE), which is highly impactful because it gives attackers the opportunity to run malicious code directly on the exploited system. Successful exploitation requires the attacker to bait a user into opening a maliciously crafted media file, which results in code execution on the victim's machine. Microsoft provides no mitigation apart from patching. Most affected customers will be updated automatically through the Microsoft Store, and Microsoft's guidance is to check the installed package version to confirm that the update has been applied.
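Store-delivered packages update per user profile, so a check that only looks at the current user can miss a stale copy. The script below is an added example, not code from the Automox post or Microsoft: it lists every installed copy of the HEVC Video Extensions package across all user profiles and flags versions older than the fixed one. The $FixedVersion default is a placeholder assumption that must be replaced with the version named in Microsoft's advisory for CVE-2022-21917, and the optional Store update scan uses the MDM bridge CIM class, which requires the Store to be reachable from the device.

```powershell
# Added example (not code from the Automox post or Microsoft). Lists every
# installed copy of the HEVC Video Extensions package across all user profiles
# and flags versions older than the fixed one. ASSUMPTIONS: run elevated;
# $FixedVersion is a placeholder you must replace with the version named in
# Microsoft's advisory for CVE-2022-21917; the MDM CIM class used to trigger a
# Store update scan requires the Microsoft Store to be reachable.

function Get-HevcPackageStatus {
    param(
        [version]$FixedVersion = '0.0.0.0',   # placeholder, see note above
        [switch]$TriggerStoreUpdate
    )

    # Both the Store package (Microsoft.HEVCVideoExtension) and the OEM-licensed
    # "from Device Manufacturer" package (Microsoft.HEVCVideoExtensions) match.
    $packages = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*'

    $status = foreach ($pkg in $packages) {
        [pscustomobject]@{
            Name     = $pkg.Name
            Version  = $pkg.Version
            Arch     = $pkg.Architecture
            # one entry per profile that has the package, with its install state
            Users    = (($pkg.PackageUserInformation | ForEach-Object { "$_" }) -join '; ')
            Outdated = ([version]$pkg.Version -lt $FixedVersion)
        }
    }

    if ($TriggerStoreUpdate -and ($status | Where-Object { $_.Outdated })) {
        # Ask the Store to scan for app updates now instead of waiting for its schedule.
        Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
            -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
            Invoke-CimMethod -MethodName UpdateScanMethod | Out-Null
    }

    $status
}

Get-HevcPackageStatus | Format-Table -AutoSize
```

Because an HEVC codec can exist both as the Store package and as the OEM "from Device Manufacturer" package, both names are matched; an outdated copy under either name leaves the device exposed.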

Peter Pflaster - CVE-2021-36976 - Windows Libarchive Remote Code Execution Vulnerability - High and Publicly Disclosed

Libarchive is an open-source library used to create and read streaming archive formats. Windows ships the library in Windows 10 (1809, 1909, 20H2, 21H1, 21H2) for 32-bit, x64, and ARM64-based systems, as well as Windows 11 (x64 and ARM64) and Windows Server 2019, 2019 Core, 2022, 2022 Core, and version 20H2.

This vulnerability has a medium CVSS score (6.5 out of 10) and has been publicly disclosed, though as far as we know it has not been exploited in the wild. A threat actor can exploit the use-after-free to execute code on vulnerable systems. We recommend applying the patch to affected systems given the prevalence of Windows 10 and 11 on corporate devices.

Adam Whitman - CVE-2022-21836 - Windows Certificate Spoofing Vulnerability - High and Publicly Disclosed

This vulnerability impacts certain versions of Windows 7, 8, 10, and 11 and Windows Server 2008, 2012, 2016, 2019, and 2022. The Windows Platform Binary Table (WPBT) is an ACPI table through which system firmware can hand Windows a binary to run early in boot, and Windows verifies that binary's signature before executing it. A successful attacker could bypass WPBT binary verification by using a small number of compromised certificates; the update blocks those certificates so that binaries signed with them no longer pass verification. Even though this vulnerability has not been exploited, its nature (firmware-supplied code running at boot) leads Automox to recommend prioritizing this patch.

Maarten Buis - CVE-2022-21874 - Windows Defender Windows Security Center API Remote Code Execution Vulnerability - High and Publicly Disclosed

An official fix has been released for a high-severity vulnerability in Windows Defender. An attacker who can make an authenticated HTTP request can trigger it to execute code remotely. If Microsoft Defender is disabled, devices are not exploitable and no action is required, but keep in mind that the binaries remain on disk even when Defender is disabled, so vulnerability scanners may still flag the issue. Vulnerabilities in Microsoft Defender are always important to patch quickly, especially when they have been publicly disclosed like this one. To remediate, organizations should verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft antimalware products.
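The verification step above is easy to script. The function below is an added example, not code from the Automox post: it reports whether Defender is enabled, what engine, platform and signature versions are installed, and how old the signatures are, and it can optionally pull an update on the spot. It assumes the Defender PowerShell module is present (Windows 10/11 and Server 2016 and later) and that the $MaxSignatureAgeHours threshold reflects your own policy.

```powershell
# Added example (not code from the Automox post). Checks that Microsoft
# Defender is enabled and that its engine, platform and signatures are current,
# which is the remediation path described above; optionally pulls an update.
# ASSUMPTIONS: the Defender PowerShell module is present (Windows 10/11,
# Server 2016 and later) and $MaxSignatureAgeHours reflects your own policy.

function Test-DefenderCurrent {
    param(
        [int]$MaxSignatureAgeHours = 24,
        [switch]$UpdateNow
    )

    $s = Get-MpComputerStatus
    $sigAge = (Get-Date) - $s.AntivirusSignatureLastUpdated

    # DefenderEnabled = $false means Defender is off (typically because a
    # third-party AV is registered); as noted above, such a host is not
    # exploitable even though the binaries remain on disk and scanners may flag it.
    $result = [pscustomobject]@{
        DefenderEnabled    = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        EngineVersion      = $s.AMEngineVersion
        PlatformVersion    = $s.AMProductVersion
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureAgeHours  = [math]::Round($sigAge.TotalHours, 1)
        SignaturesStale    = $sigAge.TotalHours -gt $MaxSignatureAgeHours
    }

    if ($UpdateNow -and $result.DefenderEnabled -and $result.SignaturesStale) {
        # Pulls engine and definition updates from the configured source
        # (Microsoft Update, WSUS or a file share), then re-reads the status.
        Update-MpSignature -ErrorAction Stop
        $s = Get-MpComputerStatus
        $result.EngineVersion     = $s.AMEngineVersion
        $result.SignatureVersion  = $s.AntivirusSignatureVersion
        $result.SignatureAgeHours = [math]::Round(((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalHours, 1)
        $result.SignaturesStale   = $result.SignatureAgeHours -gt $MaxSignatureAgeHours
    }

    $result
}

Test-DefenderCurrent | Format-List
```

A device that reports DefenderEnabled as true but whose signatures are days old is the case to chase: it is exploitable and its update channel is not working, which is exactly what the remediation guidance asks you to verify.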

Chad McNaughton - CVE-2022-21919 - Windows User Profile Service Elevation of Privilege Vulnerability - High and Publicly Disclosed

This month, Microsoft disclosed CVE-2022-21919, a local (non-network) vulnerability that lets an attacker who already has access to the machine elevate their privileges. It is rated high complexity and requires no user interaction; proof-of-concept code exists, but it has not yet been seen exploited in the wild. The affected User Profile Service is part of Windows and Windows Server going back to Windows 7 and Server 2008, respectively. An attacker who elevates privileges from an ordinary user profile gains broad, unwanted access to that Windows computer; on a Windows Server hosting Active Directory or SharePoint, that is a nightmare scenario for any admin (or user), and one that is easily preventable. Because CVE-2022-21919 carries a "high" rating, Windows and Windows Server users should apply the official Microsoft fix as soon as possible.

Google

Google released an update to Chrome for Windows, macOS, and Linux that remediates 37 vulnerabilities, including one rated critical. CVE-2022-0096 is a critical use-after-free in Chrome's Storage component that leads to memory corruption. It is considered easy to exploit and can be triggered remotely: no authentication is needed, but the attack does require user interaction, such as the victim visiting attacker-controlled content. Neither technical details nor an exploit are publicly available. Automox recommends upgrading to Chrome version 97.0.4692.71, which remediates these vulnerabilities. NOTE: 9to5Google reported that some users on specific iOS versions saw Chrome freeze after applying the update.

Adobe - Peter Pflaster

Adobe released five security updates for Windows and macOS that affect Acrobat and Reader, Illustrator, Bridge, InCopy, and InDesign. Four of the five updates are assigned Adobe's lowest priority (3), as they resolve issues in Illustrator, Bridge, InCopy, and InDesign, products that have historically been targeted far less often by attackers. Adobe recommends that administrators install priority 3 updates at their discretion.

This month's update for Adobe Acrobat and Reader fixes a number of CVEs, including vulnerabilities that allow arbitrary code execution. We recommend administrators prioritize patching the vulnerabilities listed in APSB22-01, since Acrobat and Reader are widely deployed in corporate environments.



Automox for Easy IT Operations

Automox is cloud-native IT operations for the modern distributed workforce. It makes it easy to keep every endpoint up to date automatically across Windows, macOS and Linux – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities, power workforce productivity, and win back hours in their day.

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.