On 11 January 2022, Microsoft released updates to address 122 vulnerabilities; nine classified as critical and six publicly disclosed. We recommend applying the latest updates in a timely manner.
Microsoft’s January 2022 Patch Tuesday fixed nine flaws classified as critical. None of the CVEs were reported to be actively abused at the time of reporting.
The most severe of the vulnerabilities that were labelled as critical include:
- CVE-2022-21907 fixes a boundary error within the HTTP Trailer Support feature of Hypertext Transfer Protocol (HTTP) Protocol Stack, HTTP.sys. Remote unauthenticated actors could trigger a buffer overflow and execute arbitrary code by sending maliciously crafted packets to a vulnerable system.
- Http.sys is the kernel mode driver that handles HTTP requests and is used by various services that may be accessible to the Internet or Intranet. This includes the Windows Internet Information Services (IIS) web server, Web Services for Devices (WSDAPI), and Windows Remote Management (WinRM) service (where it is enabled by default on Enterprise versions of Windows).
- The HTTP Trailer Support feature is enabled by default on Desktop versions in Windows 10 and later, as well as most recent versions of Windows Server 2019. The exceptions to that are Windows Server 2019 and Windows 10 version 1809, where the feature is available but not enabled by default. The vulnerability was assigned a CVSS:3.1 score of 9.8.
- Microsoft Windows Internet Key Exchange (IKE) Extension had six vulnerabilities fixed, including CVE-2022-21849, which is due to improper input validation in the Microsoft IKE Key Exchange. Only version 2 of the product is affected when it is running Internet Protocol Security (IPsec) service. This vulnerability could allow a remote threat actor to execute arbitrary code via a specially crafted request. CVSS:3.1 9.8
- Microsoft Exchange Server received three fixes, which Microsoft labelled as critical and marked that exploitation for these is likely. Although these flaws received a CVSS:3.0 rating of 9.0, a threat actor would need prior access to the target network in order to exploit them. A user on a local network could send specially crafted data to the Exchange server and execute arbitrary code on the system. All three, CVE-2022-21846, CVE-2022-21855, and CVE-2022-21969, exist due to an improper validation of user-supplied input.
Publicly Disclosed Vulnerabilities
Six of the vulnerabilities fixed this month have public details available, which increases the likelihood of them being leveraged by threat actors.
- CVE-2021-22947 – Open Source Curl Remote Code Execution Vulnerability
- CVE-2021-36976 – Libarchive Remote Code Execution Vulnerability
- CVE-2022-21919 – Windows User Profile Service Elevation of Privilege Vulnerability
- CVE-2022-21836 – Windows Certificate Spoofing Vulnerability
- CVE-2022-21839 – Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
- CVE-2022-21874 – Windows Security Center API Remote Code Execution Vulnerability
We recommend timely patching of the Microsoft vulnerabilities noted as critical and publicly disclosed in order to decrease the likelihood of exploitation.
Microsoft has reported a number of known issues with this round of updates; testing should be conducted prior to patching. We recommend consulting the Known Issues section on the Microsoft Update Guide referenced below prior to applying the updates.
In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.