Threat Response: Patches for multiple critical vulnerabilities in Microsoft products

11-01-2022

On Tuesday January 11th, Microsoft published a number of patches for multiple security flaws as part of “Patch Tuesday”. The patched vulnerabilities include critical security vulnerabilities in Microsoft Windows products.

We recommend installing these patches as soon as possible.

Description

On January 11th, Microsoft published security patches for a large number of vulnerabilities, nine of which are marked as ‘critical’. The three most severe vulnerabilities are tracked under the following CVE-numbers:

  • CVE-2022-21907 – HTTP Protocol Stack Remote Code Execution Vulnerability (CVSS3.1: 9.8)
  • CVE-2022-21849 – Windows IKE Extension Remote Code Execution Vulnerability (CVSS3.1: 9.8)
  • CVE-2022-21840 – Microsoft Office Remote Code Execution Vulnerability (CVSS3.1: 8.8)

In total, Microsoft has patched 97 vulnerabilities with this update. This Threat response will describe the most important vulnerabilities. Microsoft has published a complete overview of the patched vulnerabilities [3].

CVE-2022-21907 – HTTP Protocol Stack Remote Code Execution Vulnerability

This vulnerability is in the HTTP stack of the affected Windows versions. Sending a specially crafted request can lead to allowing the attacker to execute arbitrary code. The HTTP protocol stack is by nature usually exposed to the network and/or internet, leading to a higher risk of exploitation.

Microsoft indicates that this vulnerability is wormable, meaning that exploiting this vulnerability can be automated and self-replicating.

Because of these facts, Northwave, Microsoft as well as the NCSC [4] expect exploitation code for this vulnerability soon.

Affected products for CVE-2022-21907. For specific subversions, see [1].Windows Server 2019Windows 10/11Windows Server Version 20H2Windows Server 2022

CVE-2022-21849 – Windows IKE Extension Remote Code Execution Vulnerability 

This vulnerability concerns the Windows Internet Key Exchange (IKE) extension version 2 and can only be exploited on systems with the IPSec service running. This vulnerability allows a remote attacker to execute arbitrary code.

Affected products for CVE-2022-21849. For specific subversions, see [2].Windows Server 2016Windows Server 2019Windows Server 2022Windows 10/11Windows Server Version 20H2

CVE-2022-21840 – Microsoft Office Remote Code Execution Vulnerability

This vulnerability allows for Remote Code Execution by attackers in many Office versions, including on MacOS [5]. This vulnerability can be exploited by tricking the user into opening specifically crafted documents.

Impact

From the list of vulnerabilities, nine are marked as critical. Microsoft indicates that CVE-2022-21907 is wormable, therefore we assess the impact as high.

Microsoft has provided a detailed list of all the affected products [1,2,5].

Risk

There is currently no public exploit code available for the three mentioned vulnerabilities (and others) but we expect these to be available soon. We asses the risk as high.

Mitigation

For CVE-2022-21907 a mitigation is available if you are running Windows Server 2019 or Windows 10 version 1809 [1]. No further mitigations are available, aside from installing the patches. We recommend installing the security updates as soon as possible.

What should you do?

Install the latest updates for Microsoft Windows.

What will Northwave do?

Northwave will monitor developments around these vulnerabilities. When possible, we will add detection rules around these vulnerabilities to the Northwave Detection Platform. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information please reach out to us by phone or email. 

E-mail: [email protected] Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)Disclaimer applies, see below.

Sources

[1] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907

[2] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21849

[3] https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan 

[4] https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0014

[5] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21840

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.