The January 2022 Security Update Review
January 11, 2022 | Dustin Childs
The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
Adobe Patches for January 2022
For January, Adobe released 5 patches addressing 41 CVEs in Acrobat and Reader, Illustrator, Adobe Bridge, InCopy, and InDesign. A total of 22 of these bugs came through the ZDI program. The update for Acrobat and Reader fixes a total of 26 bugs, the worst of which could lead to remote code execution (RCE) if a user opened a specially crafted PDF. Several of these bugs were demonstrated at the Tianfu Cup, so it would not be unexpected to see these used in the wild somewhere down the line. The update for InCopy fixes three Critical-rated RCE bugs and one Important-rated privilege escalation. The patch for InDesign corrects two Critical-rated Out-of-bounds (OOB) Write bugs that could lead to code execution plus a Moderate Use-After-Free privilege escalation. The fix for Adobe Bridge covers six bugs, but only one OOB Write is listed as Critical. The others are a mix of privilege escalations and memory leaks. Finally, the patch for Illustrator covers two OOB Read bugs – neither of which can be used for code execution.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.
Microsoft Patches for January 2022
For January, Microsoft released patches today for 96 new CVEs in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP). This is in addition to the 24 CVEs patched by Microsoft Edge (Chromium-based) earlier this month and 2 other CVEs previously fixed in open-source projects. This brings the January total to 122 CVEs.
This is an unusually large update for January. Over the last few years, the average number of patches released in January is about half this volume. We’ll see if this volume continues throughout the year. It’s certainly a change from the smaller releases that ended 2021.
Of the CVEs patched today, nine are rated Critical and 89 are rated Important in severity. A total of five of these bugs came through the ZDI program. Six of these bugs are listed as publicly known at the time of release, but none are listed as under active attack. Update: After the initial release, Microsoft updated CVE-2022-21882 to indicate it is currently under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug in http.sys listed as wormable:
- CVE-2022-21907 - HTTP Protocol Stack Remote Code Execution Vulnerability
This bug could allow an attacker to gain code execution on an affected system by sending specially crafted packets to a system utilizing the HTTP Protocol Stack (http.sys) to process packets. No user interaction, no privileges required, and an elevated service add up to a wormable bug. And while this is definitely more server-centric, remember that Windows clients can also run http.sys, so client installations of affected versions are exposed to this bug as well. Test and deploy this patch quickly.
- CVE-2022-21846 - Microsoft Exchange Server Remote Code Execution Vulnerability
Yet another Exchange RCE bug, and another Exchange bug reported by the National Security Agency. This is one of three Exchange RCEs being fixed this month, but this is the only one marked Critical. All are listed as being network adjacent in the CVSS score, so an attacker would need to be tied to the target network somehow. Still, an insider or attacker with a foothold in the target network could use this bug to take over the Exchange server.
- CVE-2022-21840 - Microsoft Office Remote Code Execution Vulnerability
Most Office-related RCE bugs are Important severity since they require user interaction and often have warning dialogs, too. However, this bug is listed as Critical. That normally means the Preview Pane is an attack vector, but that’s also not the case here. Instead, this bug is likely Critical due to the lack of warning dialogs when opening a specially crafted file. There are also multiple patches to address this bug, so be sure you apply all available patches. Unfortunately, if you’re running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021, you’re out of luck because there are no patches available for these products. Let’s hope Microsoft makes these patches available soon.
- CVE-2022-21857 - Active Directory Domain Services Elevation of Privilege Vulnerability
This patch fixes a bug that allowed attackers to elevate privileges across an Active Directory trust boundary under certain conditions. Although privilege escalations generally rate an Important severity rating, Microsoft deemed the flaw severe enough for a Critical rating. This does require some level of privileges, so again, an insider or other attacker with a foothold in a network could use this for lateral movement and maintaining a presence within an enterprise.
Here’s the full list of CVEs released by Microsoft for January 2022:
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2021-22947 * | Open Source Curl Remote Code Execution Vulnerability | Critical | N/A | Yes | No | RCE |
CVE-2021-36976 * | Libarchive Remote Code Execution Vulnerability | Important | N/A | Yes | No | RCE |
CVE-2022-21836 | Windows Certificate Spoofing Vulnerability | Important | 7.8 | Yes | No | Spoofing |
CVE-2022-21839 | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | Important | 6.1 | Yes | No | DoS |
CVE-2022-21874 | Windows Security Center API Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7 | Yes | No | EoP |
CVE-2022-21857 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
CVE-2022-21912 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2022-21898 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2022-21917 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 9 | No | No | RCE |
CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
CVE-2022-21833 | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | EoP |
CVE-2022-21911 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-21869 | Clipboard User Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21865 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21918 | DirectX Graphics Kernel File Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2022-21913 | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | Important | 5.3 | No | No | SFB |
CVE-2022-21884 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21910 | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21835 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21871 | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21891 | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
CVE-2022-21932 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
CVE-2022-21970 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.1 | No | No | EoP |
CVE-2022-21841 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-21855 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 9 | No | No | RCE |
CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 9 | No | No | RCE |
CVE-2022-21837 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.3 | No | No | RCE |
CVE-2022-21842 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-21850 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-21851 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-21964 | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-21893 | Remote Desktop Protocol Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-21922 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-21894 | Secure Boot Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
CVE-2022-21877 | Storage Spaces Controller Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-21870 | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21861 | Task Flow Data Engine Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21873 | Tile Data Repository Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21882 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21887 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21876 | Win32k Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-21859 | Windows Accounts Control Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21860 | Windows AppContracts API Server Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21862 | Windows Application Model Core API Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21925 | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB |
CVE-2022-21858 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21838 | Windows Cleanup Manager Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP |
CVE-2022-21916 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21897 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21906 | Windows Defender Application Control Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
CVE-2022-21921 | Windows Defender Credential Guard Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
CVE-2022-21868 | Windows Devices Human Interface Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21852 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21902 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21896 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21872 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21899 | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
CVE-2022-21903 | Windows GDI Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21904 | Windows GDI Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2022-21915 | Windows GDI+ Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2022-21880 | Windows GDI+ Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2022-21878 | Windows Geolocation Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-21847 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2022-21901 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 9 | No | No | EoP |
CVE-2022-21900 | Windows Hyper-V Security Feature Bypass Vulnerability | Important | 4.6 | No | No | SFB |
CVE-2022-21905 | Windows Hyper-V Security Feature Bypass Vulnerability | Important | 4.6 | No | No | SFB |
CVE-2022-21843 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-21883 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-21848 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-21889 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-21890 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-21849 | Windows IKE Extension Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
CVE-2022-21908 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21920 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2022-21879 | Windows Kernel Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP |
CVE-2022-21881 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21888 | Windows Modern Execution Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-21867 | Windows Push Notifications Apps Elevation Of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21885 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21914 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21892 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
CVE-2022-21958 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
CVE-2022-21959 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
CVE-2022-21960 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
CVE-2022-21961 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
CVE-2022-21962 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
CVE-2022-21963 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.4 | No | No | RCE |
CVE-2022-21928 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.3 | No | No | RCE |
CVE-2022-21863 | Windows StateRepository API Server file Elevation of Privilege Vulnerability | Important | 7 | No | No | RCE |
CVE-2022-21875 | Windows Storage Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21866 | Windows System Launcher Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21864 | Windows UI Immersive Server API Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21895 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21834 | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-21924 | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB |
CVE-2022-0096 * | Chromium: CVE-2022-0096 Use after free in Storage | Critical | N/A | No | No | |
CVE-2022-0097 * | Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | High | N/A | No | No | |
CVE-2022-0098 * | Chromium: CVE-2022-0098 Use after free in Screen Capture | High | N/A | No | No | |
CVE-2022-0099 * | Chromium: CVE-2022-0099 Use after free in Sign-in | High | N/A | No | No | |
CVE-2022-0100 * | Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | High | N/A | No | No | |
CVE-2022-0101 * | Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | High | N/A | No | No | |
CVE-2022-0102 * | Chromium: CVE-2022-0102 Type Confusion in V8 | High | N/A | No | No | |
CVE-2022-0103 * | Chromium: CVE-2022-0103 Use after free in SwiftShader | High | N/A | No | No | |
CVE-2022-0104 * | Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | High | N/A | No | No | |
CVE-2022-0105 * | Chromium: CVE-2022-0105 Use after free in PDF | High | N/A | No | No | |
CVE-2022-0106 * | Chromium: CVE-2022-0106 Use after free in Autofill | High | N/A | No | No | |
CVE-2022-0107 * | Chromium: CVE-2022-0107 Use after free in File Manager API | Medium | N/A | No | No | |
CVE-2022-0108 * | Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | Medium | N/A | No | No | |
CVE-2022-0109 * | Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | Medium | N/A | No | No | |
CVE-2022-0110 * | Chromium: CVE-2022-0110 Incorrect security UI in Autofill | Medium | N/A | No | No | |
CVE-2022-0111 * | Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | Medium | N/A | No | No | |
CVE-2022-0112 * | Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | Medium | N/A | No | No | |
CVE-2022-0113 * | Chromium: CVE-2022-0113 Inappropriate implementation in Blink | Medium | N/A | No | No | |
CVE-2022-0114 * | Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | Medium | N/A | No | No | |
CVE-2022-0115 * | Chromium: CVE-2022-0115 Uninitialized Use in File API | Medium | N/A | No | No | |
CVE-2022-0116 * | Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | Medium | N/A | No | No | |
CVE-2022-0117 * | Chromium: CVE-2022-0117 Policy bypass in Service Workers | Low | N/A | No | No | |
CVE-2022-0118 * | Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | Low | N/A | No | No | |
CVE-2022-0120 * | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | Low | N/A | No | No |
* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.
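For triage, the table above can be parsed and ranked programmatically. The following is an added example, not part of the original post: it parses rows in this page's pipe-delimited layout, including the `*` marker, `N/A` scores and the empty Type cell, and applies one possible ordering. The function names, the sort order and the treatment of Chromium's "High" as equal to "Important" are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# A few rows copied from the table above, in the page's pipe-delimited layout.
# The last row has an empty Type cell and no trailing pipe, as on the page.
SAMPLE = """\
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2021-22947 * | Open Source Curl Remote Code Execution Vulnerability | Critical | N/A | Yes | No | RCE |
CVE-2022-21836 | Windows Certificate Spoofing Vulnerability | Important | 7.8 | Yes | No | Spoofing |
CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
CVE-2022-21849 | Windows IKE Extension Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
CVE-2022-21882 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-0120 * | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | Low | N/A | No | No
"""

CVE_CELL = re.compile(r"^(CVE-\d{4}-\d{4,})\s*(\*)?$")
# Assumption: Chromium's "High" is ranked alongside Microsoft's "Important".
SEVERITY_RANK = {"Critical": 0, "Important": 1, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]  # None when the table says N/A
    public: bool
    exploited: bool
    kind: str              # empty for rows without a Type
    third_party: bool      # row carried the "*" marker


def parse_table(text: str, exploited_overrides: Iterable[str] = ()) -> List[Entry]:
    """Parse table rows; skip the header and any line that is not a CVE row."""
    overrides = set(exploited_overrides)
    entries = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        match = CVE_CELL.match(cells[0])
        if not match:
            continue
        cells += [""] * (7 - len(cells))  # tolerate a missing trailing cell
        cve, star = match.group(1), match.group(2)
        _, title, severity, cvss, public, exploited, kind = cells[:7]
        entries.append(Entry(
            cve=cve,
            title=title,
            severity=severity,
            cvss=None if cvss.upper() in ("", "N/A") else float(cvss),
            public=public.lower() == "yes",
            exploited=exploited.lower() == "yes" or cve in overrides,
            kind=kind,
            third_party=star is not None,
        ))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Order: exploited, then severity, then publicly known, then CVSS (high first)."""
    return sorted(entries, key=lambda e: (
        not e.exploited,
        SEVERITY_RANK.get(e.severity, len(SEVERITY_RANK)),
        not e.public,
        -(e.cvss if e.cvss is not None else 0.0),
    ))


def rating_mismatch(entries: List[Entry], threshold: float = 9.0) -> List[Entry]:
    """Rows not rated Critical whose CVSS score is at or above the threshold."""
    return [e for e in entries
            if e.severity != "Critical" and e.cvss is not None and e.cvss >= threshold]


if __name__ == "__main__":
    # The page's update note says CVE-2022-21882 is under active attack,
    # although its table row still reads "No", so it is passed as an override.
    rows = parse_table(SAMPLE, exploited_overrides={"CVE-2022-21882"})
    for e in triage(rows):
        print(f"{e.cve:15} {e.severity:9} cvss={e.cvss} public={e.public} exploited={e.exploited}")
    print("CVSS >= 9.0 but not Critical:", [e.cve for e in rating_mismatch(rows)])
```

The `rating_mismatch` check surfaces rows such as the IKE Extension bug, where the severity label alone would understate the CVSS score.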
Looking at the remaining Critical-rated patches released this month, two impact DirectX, and one affects HEVC video extensions. Viewing a specially crafted media file could result in code execution. For the HEVC extensions, you’ll need to be connected to the Microsoft Store to receive the update. Otherwise, you’ll need to manually verify the update has been applied. There’s a fix for the Virtual Machine IDE Drive that could allow a privilege escalation, but the complexity is marked high on this bug. Seeing this bug in the wild would likely take quite a bit of work. There’s a patch for the Windows Security Center API. Microsoft doesn’t say how the code execution could occur, and although the title says remote code execution, they list the attack vector as local. The final Critical-rated bug for January was actually disclosed by HackerOne back in September 2021. This patch incorporates the latest Curl libraries into Microsoft products. This is why this CVE is listed as publicly known. Similarly, the patch for the Libarchive library was also disclosed in 2021, and the latest version of this library is now being incorporated into Microsoft products.
Moving on to Important-rated patches, there are over 20 that could lead to remote code execution. Eight of these bugs impact the Windows Resilient File System (ReFS), but these require physical access. Microsoft doesn’t always patch bugs that require physical access, but getting code execution by just inserting a USB drive is an exception to that rule. There’s also a patch for the Windows Internet Key Exchange (IKE) protocol extension that rates a CVSS of 9.8. According to Microsoft, this bug could allow a remote attacker to “trigger multiple vulnerabilities without being authenticated,” but they don’t specify what vulnerabilities or provide further details. Only systems with the IPSec service running are affected by this bug.
There are some code execution bugs in RDP, but these impact the RDP client. The patch for the RDP protocol requires a user to connect to a malicious RDP server. Fortunately, these aren’t as severe as the previously patched BlueKeep RDP bugs. There are a couple of code execution bugs in Office components and the aforementioned Important-rated Exchange bugs. There is an Edge (Chromium) bug getting fixed, and this is separate from the Chromium fixes integrated earlier this month.
There are a whopping 41 patches to correct Elevation of Privilege (EoP) bugs; however, most of these require an attacker to log on to an affected system and run a specially crafted program. Many different Windows components have these EoP bugs, most notably the kernel and kernel-mode drivers. The EoP fixed on Hyper-V is different. In this case, an attacker on a guest OS could potentially interact with processes of another Hyper-V guest hosted on the same Hyper-V host. While not a full guest-to-host escape, that could still be very useful to an adversary.
Moving on to the nine Security Feature Bypass (SFB) patches, some impacted components stand out. Unfortunately, Microsoft provides no information on what feature is being bypassed or how that impacts the security of an enterprise. We can say some important components, like Local Security Authority, Secure Boot Feature, Windows Defender, and Workstation Service all receive updates. The only exception is the two SFB bugs in Hyper-V. For configurations using router guard, packets that normally would be dropped could get processed. This could allow an attacker to bypass set policy and potentially influence router paths.
There are also nine patches fixing Denial-of-Service (DoS) bugs this month. Most of these bugs are found in the Windows IKE Extension, but only systems with the IPSec service running are affected by these bugs.
This month’s release includes six fixes for information disclosure bugs. Most of these only result in leaks consisting of unspecified memory contents. However, the bug in the Remote Desktop Licensing Diagnoser could allow an attacker to recover cleartext passwords from memory.
The January release is rounded out with two spoofing bugs in the Windows Certificate component and Microsoft Dynamics 365 and a cross-site scripting (XSS) bug in the Dynamics 365 Customer Engagement component. The bug in the Windows Certificate component could allow an attacker to bypass Windows Platform Binary Table (WPBT) binary verification by using a small number of compromised certificates. This is also listed as publicly known, but Microsoft gives no indication where it was publicly posted.
No new advisories were released this month.
Looking Ahead
The next Patch Tuesday falls on February 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!