Microsoft fixes wormable RCE in Windows Server and Windows (CVE-2022-21907)

The first Patch Tuesday of 2022 is upon us, and Microsoft has delivered patches for 96 CVE-numbered vulnerabilities, including a wormable RCE flaw in Windows Server (CVE-2022-21907).


Vulnerabilities of note

Among the publicly known flaws are a “critical” RCE in curl (CVE-2021-22947) and an “important” RCE in libarchive (CVE-2021-36976), both open source libraries bundled with Windows. They have now been “fixed” in Windows 10, 11 and Server by shipping the most recent versions of the libraries, but Microsoft notes that these two are less likely to be exploited.

On the other hand, several of the other patched vulnerabilities present more of a risk.

Dustin Childs, with Trend Micro’s Zero Day Initiative, has singled out CVE-2022-21907, an RCE in the HTTP Protocol Stack, as a patching priority.

“This bug could allow an attacker to gain code execution on an affected system by sending specially crafted packets to a system utilizing the HTTP Protocol Stack (http.sys) to process packets. No user interaction, no privileges required, and an elevated service add up to a wormable bug. And while this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug,” he noted.

Danny Kim, Principal Architect at Virsec, pointed out that CVE-2022-21907 is particularly dangerous because a single successful attack could spread across an entire intranet.

“[This vulnerability] is the latest example of how software capabilities can be warped and weaponized. The CVE targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata, by providing a specially crafted message that can lead to remote code execution.”
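Because the bug sits in http.sys rather than in any one web server, the practical question for an administrator is whether a given host is exposed at all. The following PowerShell script is an added example, not code from the article or from any of the vendors quoted in it. It goes slightly beyond the text by using Microsoft’s own mitigation guidance for this CVE: on Windows Server 2019 and Windows 10 version 1809, trailer support is off by default and the system is only vulnerable if the DWORD `EnableTrailerSupport` under `HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters` has been set to 1, while later builds are vulnerable by default. The build-number split below (17763 vs. anything newer) is a simplification of that guidance and should be checked against the advisory’s affected-products list before being relied on.

```powershell
# Added example (not from the article): triage a Windows host for CVE-2022-21907 exposure.
# Read-only: it reports, it does not change anything.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
Write-Output "OS: $($os.Caption) (build $build)"

# 1. Is the HTTP.sys kernel driver loaded? Anything that uses the HTTP Server API
#    (IIS, WinRM, WSUS, RD Gateway, .NET HttpListener apps) depends on it.
$httpSvc = Get-Service -Name HTTP -ErrorAction SilentlyContinue
if ($httpSvc) {
    Write-Output "HTTP.sys driver service state: $($httpSvc.Status)"
} else {
    Write-Output "HTTP.sys driver service not present"
}

# 2. Which URL prefixes are registered? Each one is a network-reachable path into http.sys.
$registered = netsh http show servicestate view=requestq |
    Where-Object { $_ -match '^\s*HTTPS?://' } |
    ForEach-Object { $_.Trim() } | Sort-Object -Unique
if ($registered) {
    Write-Output "Registered URL prefixes served by http.sys:"
    $registered | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No URL prefixes currently registered with http.sys"
}

# 3. Driver file version, to compare against the fixed version in the advisory/KB for this build.
$drv = Get-Item "$env:SystemRoot\System32\drivers\http.sys" -ErrorAction SilentlyContinue
if ($drv) { Write-Output "http.sys file version: $($drv.VersionInfo.FileVersion)" }

# 4. Trailer support. Per Microsoft, on 1809 / Server 2019 (build 17763) the feature is
#    opt-in via this registry value; on newer affected builds it is on by default.
$trailer = (Get-ItemProperty -Path $paramKey -Name EnableTrailerSupport -ErrorAction SilentlyContinue).EnableTrailerSupport
if ($null -eq $trailer) {
    Write-Output "EnableTrailerSupport: not set"
} else {
    Write-Output "EnableTrailerSupport: $trailer"
}

# 5. Verdict (simplified from Microsoft's guidance; confirm against the advisory's affected list).
if ($build -eq 17763) {
    if ($trailer -eq 1) {
        Write-Output "RESULT: 1809/Server 2019 with trailer support ENABLED - exposed until the January 2022 update is installed."
    } else {
        Write-Output "RESULT: 1809/Server 2019 with trailer support disabled - not exposed by default; still install the update."
    }
} elseif ($build -gt 17763) {
    Write-Output "RESULT: build newer than 17763 - trailer support is on by default; treat as exposed until the January 2022 update is installed."
} else {
    Write-Output "RESULT: build older than 17763 - not in the affected list for this CVE; verify against the advisory."
}
```

Run it in an elevated PowerShell session (reading the HTTP service state and driver file works unelevated, but `netsh http show servicestate` needs administrator rights to list request queues). Microsoft’s documented workaround for 1809 and Server 2019 was to delete the `EnableTrailerSupport` value; there was no equivalent workaround for the newer builds, where patching is the only fix, which is why the script treats them as exposed regardless of the registry value.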

Microsoft has also patched three remote code execution vulnerabilities in Exchange Server, but only one of these is considered “critical” (CVE-2022-21846).

“Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable,” says Satnam Narang, staff research engineer at Tenable.

CVE-2022-21840, an RCE in Microsoft Office and CVE-2022-21857, an elevation of privilege (EoP) vulnerability in Active Directory Domain Services (AD DS), should also be patched promptly.

CVE-2022-21840 can be exploited via a specially crafted file (either sent via email or offered for download on a compromised website), and the vulnerable application won’t show a warning dialog when the file gets opened. Microsoft has released separate updates for each affected Office product, and users should install every one that applies to the software installed on their systems. For the moment, though, security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not ready.

Microsoft has not shared many details about CVE-2022-21857, except for saying that prior to the offered update, “An attacker could elevate privileges across the trust boundary under certain conditions.” Given that Active Directory Domain Services is a crucial element of most enterprise networks and a high-value target, patches for this vulnerability should be implemented sooner rather than later.

Finally, while CVE-2022-21893 – an RCE in the Remote Desktop Protocol – is rated only “important”, since exploitation requires a malicious user with access to the remote machine the targeted user is connecting to, Gabriel Sztejnworcel, the CyberArk software architect who reported it, advises administrators to patch it.

“Also, developers of applications that use custom virtual channels should check whether they are vulnerable and conduct their own security assessment,” he added, after sharing details about the flaw.
