Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2022. Traditionally, I will use my open source Vulristics tool for analysis. This time I didn’t make any changes to how connectors work. The report generation worked correctly on the first try.
python3.8 vulristics.py --report-type "ms_patch_tuesday" --mspt-year 2022 --mspt-month "January" --rewrite-flag "True"
The only thing I have improved is the detection of vulnerability types and vulnerable products. “Unknown Vulnerability Type” was detected for two vulnerabilities, so I added the “Elevation Of Privilege” and “Cross-Site Scripting” spelling variants. I added detections for 13 products and 19 Windows components. I also corrected the method for sorting vulnerabilities with the same Vulristics score. Previously, such vulnerabilities were sorted by CVE id; now they are sorted by vulnerability type and product. This allows you to see clusters of similar vulnerabilities.
After each change I rebuilt the report with the same command, but without re-collecting the data:
python3.8 vulristics.py --report-type "ms_patch_tuesday" --mspt-year 2022 --mspt-month "January" --rewrite-flag "False"
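To make the sorting change concrete, here is a small added illustration (my own, not Vulristics code) of the two ideas above: mapping spelling variants of a vulnerability type onto one canonical name, detecting the product from the Microsoft title, and then comparing the old tie-break on CVE id with the new tie-break on type and product. The CVE titles are written in Microsoft's naming style, but the scores are constructed for the demo and are not the real Vulristics scores; the keyword tables are an assumption, not the detection rules the tool actually ships.

```python
"""Sorting a Patch Tuesday vulnerability list the way the post describes.

Added illustration, not Vulristics code. Type spelling variants and product
keywords below are assumptions for the demo; the sample scores are made up.
"""
from __future__ import annotations

# Spelling variants that should collapse onto one canonical vulnerability type.
TYPE_VARIANTS = {
    "elevation of privilege": "Elevation of Privilege",
    "privilege escalation": "Elevation of Privilege",
    "cross-site scripting": "Cross-Site Scripting",
    "cross site scripting": "Cross-Site Scripting",
    "remote code execution": "Remote Code Execution",
    "denial of service": "Denial of Service",
}

# Product detection by keyword in the title; more specific names come first
# so that "Win32k" wins over a generic "Windows" match.
PRODUCT_KEYWORDS = [
    ("Win32k", "Windows Win32k"),
    ("HTTP Protocol Stack", "HTTP Protocol Stack"),
    ("Remote Desktop Client", "Windows Remote Desktop Client"),
    ("Exchange", "Microsoft Exchange"),
    ("SharePoint", "Microsoft SharePoint"),
    ("Windows", "Windows"),
]


def detect_type(title: str) -> str:
    """Return the canonical type or the tool's 'Unknown Vulnerability Type' label."""
    lowered = title.lower()
    for variant, canonical in TYPE_VARIANTS.items():
        if variant in lowered:
            return canonical
    return "Unknown Vulnerability Type"


def detect_product(title: str) -> str:
    """First keyword hit wins, hence the ordering of PRODUCT_KEYWORDS."""
    lowered = title.lower()
    for keyword, product in PRODUCT_KEYWORDS:
        if keyword.lower() in lowered:
            return product
    return "Unknown Product"


def enrich(cve: str, title: str, score: float) -> dict:
    return {"cve": cve, "title": title, "score": score,
            "type": detect_type(title), "product": detect_product(title)}


def sort_by_cve(vulns: list[dict]) -> list[dict]:
    """Old behaviour: score descending, ties broken by CVE id only."""
    return sorted(vulns, key=lambda v: (-v["score"], v["cve"]))


def sort_by_cluster(vulns: list[dict]) -> list[dict]:
    """New behaviour: score descending, then type, then product, then CVE id."""
    return sorted(vulns, key=lambda v: (-v["score"], v["type"], v["product"], v["cve"]))


# Constructed sample: real CVE ids and title style from the post, invented scores.
SAMPLE = [
    enrich("CVE-2022-21907", "HTTP Protocol Stack Remote Code Execution Vulnerability", 0.8),
    enrich("CVE-2022-21846", "Microsoft Exchange Server Remote Code Execution Vulnerability", 0.7),
    enrich("CVE-2022-21850", "Remote Desktop Client Remote Code Execution Vulnerability", 0.7),
    enrich("CVE-2022-21855", "Microsoft Exchange Server Remote Code Execution Vulnerability", 0.7),
    enrich("CVE-2022-21882", "Win32k Elevation Of Privilege Vulnerability", 0.9),
    enrich("CVE-2022-21969", "Microsoft Exchange Server Remote Code Execution Vulnerability", 0.7),
]

if __name__ == "__main__":
    # With the cluster sort the three Exchange RCEs sit together; with the
    # CVE-id sort the Remote Desktop Client bug is wedged between them.
    for v in sort_by_cluster(SAMPLE):
        print(f'{v["score"]:.1f}  {v["type"]:24} {v["product"]:30} {v["cve"]}')
```

Run it as a script to see the clustered order; the point is only the tie-break, the primary key is still the score.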
The full report is available here:
ms_patch_tuesday_january2022_report_with_comments_ext_img.html
Let’s now look at the report. There are 97 vulnerabilities in total.
If we only look at CVSS:
- Critical: 6
- High: 63
- Medium: 28
- Low: 0
But according to my Vulristics Vulnerability Score, things look less critical:
- Urgent: 0
- Critical: 1
- High: 34
- Medium: 62
- Low: 0
The only Critical vulnerability reached that level only after Patch Tuesday was published: Elevation of Privilege – Windows Win32k (CVE-2022-21882). A local, authenticated attacker could gain SYSTEM or administrator privileges through a vulnerability in the Win32k.sys driver. Microsoft reports exploitation in the wild. None of the Vulnerability Management vendors mentioned this vulnerability in their reviews.
Now let’s see the High vulnerabilities.
Remote Code Execution – HTTP Protocol Stack (CVE-2022-21907). This vulnerability is highlighted by all VM vendors except, for some reason, Rapid7. To exploit it, an unauthenticated attacker could send a specially crafted packet to a vulnerable server that uses the HTTP Protocol Stack (http.sys) to process packets. No user interaction and no privileges are required. Microsoft warns that the flaw is considered wormable and flags it “Exploitation More Likely”. According to the advisory, Windows Server 2019 and Windows 10 version 1809 do not have the HTTP Trailer Support feature enabled by default (it is controlled by the EnableTrailerSupport registry value), but this mitigation does not apply to the other affected versions of Windows. While this is definitely a more server-centric vulnerability, remember that Windows clients can also run http.sys (WinRM listens through it, for example), so client systems need the update too.
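As an added example (not from the post and not Vulristics code), here is a small script that encodes the advisory's rule just described: on build 17763 (Windows 10 1809 and Windows Server 2019) http.sys is only exposed if the EnableTrailerSupport value under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters has been set; on the other affected versions the registry value plays no role and only the update helps. The build number and registry location are Microsoft's; the script assumes that any other build it is given is one of the affected versions, since it does not carry the advisory's full version list. On Windows it reads the live registry and checks whether the HTTP service is running; elsewhere it just exercises the decision rule on constructed inputs.

```python
"""Check whether the HTTP Trailer Support mitigation for CVE-2022-21907 applies.

Added example, not part of the original post and not Vulristics code.
Assumption: every build other than 17763 handed to assess() is one of the
affected versions from the advisory (the full list is not embedded here).
"""
import subprocess
import sys

HTTP_PARAMS_KEY = r"SYSTEM\CurrentControlSet\Services\HTTP\Parameters"
TRAILER_VALUE_NAME = "EnableTrailerSupport"
SAFE_BY_DEFAULT_BUILDS = {17763}  # Windows 10 1809 and Windows Server 2019


def assess(build: int, trailer_support) -> str:
    """Classify a host from its build number and the EnableTrailerSupport DWORD
    (pass None when the value is absent)."""
    if build in SAFE_BY_DEFAULT_BUILDS:
        if trailer_support:
            return "exposed: EnableTrailerSupport is set; delete the value or install the update"
        return "not exposed by default: trailer support is disabled"
    # Other affected builds have no registry mitigation at all.
    return "exposed: no registry mitigation for this build; install the update"


def read_trailer_support():
    """Read the DWORD from the live registry; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the late import
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HTTP_PARAMS_KEY) as key:
            value, _ = winreg.QueryValueEx(key, TRAILER_VALUE_NAME)
            return value
    except FileNotFoundError:
        return None


def http_service_running() -> bool:
    """True if the HTTP service (http.sys) is running, according to 'sc query http'.
    Clients run it too (WinRM, for instance), which is why they need the update."""
    if sys.platform != "win32":
        return False
    out = subprocess.run(["sc", "query", "http"], capture_output=True, text=True).stdout
    return "RUNNING" in out


if __name__ == "__main__":
    if sys.platform == "win32":
        build = sys.getwindowsversion().build
        print(f"build {build}, http.sys running: {http_service_running()}")
        print(assess(build, read_trailer_support()))
    else:
        # Offline demonstration of the decision rule on constructed inputs.
        for b, t in [(17763, None), (17763, 1), (19044, None)]:
            print(b, t, "->", assess(b, t))
```

Note that "not exposed by default" is a statement about the trailer feature only; a host that has the value set, or that someone sets later, becomes exposed, so the right answer on every affected version is still to install the update.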
Remote Code Execution – Remote Procedure Call Runtime (CVE-2022-21922). Microsoft Remote Procedure Call (RPC) is a technology for building distributed client/server programs; the RPC runtime stubs and libraries handle most of the network protocol and communication details. An authenticated attacker with non-admin credentials could use this vulnerability to execute malicious code through the RPC runtime. It looks like an interesting vulnerability for lateral movement within an infrastructure, but for some reason the VM vendors ignored it.
Remote Code Execution – Microsoft Exchange (CVE-2022-21969, CVE-2022-21846 and CVE-2022-21855). Three vulnerabilities with the same severity level. Exchange vulnerabilities are always interesting because Exchange servers are usually accessible from the Internet. This time, however, they are less critical: they cannot be exploited directly over the public Internet, as the attacker needs to be “adjacent” to the target system in terms of network topology.
Remote Code Execution – Windows Remote Desktop Client (CVE-2022-21850, CVE-2022-21851) and Remote Code Execution – Windows Remote Desktop Protocol (CVE-2022-21893). For all three CVEs, an attacker would need to convince a user on an affected version of the Remote Desktop Client to connect to a malicious RDP server.
Remote Code Execution – Windows IKE Extension (CVE-2022-21849). Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite. While details of this vulnerability are limited at the moment, an unauthenticated remote attacker could trigger it when the IPsec service is running on the Windows system.
I would also like to draw attention to these vulnerabilities:
Remote Code Execution – Microsoft SharePoint (CVE-2022-21837). An attacker with access to the domain could use this vulnerability to achieve remote code execution on the SharePoint server and elevate themselves to SharePoint administrator.
Remote Code Execution – Microsoft Office (CVE-2022-21840) and Remote Code Execution – Microsoft Word (CVE-2022-21842). Exploitation would require social engineering to entice a victim into opening an attachment or visiting a malicious website; thankfully, the Preview Pane is not an attack vector for these bugs.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is now where I post first.