The January 2022 Security Update Review

The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for January 2022

For January, Adobe released 5 patches addressing 41 CVEs in Acrobat and Reader, Illustrator, Adobe Bridge, InCopy, and InDesign. A total of 22 of these bugs came through the ZDI program. The update for Acrobat and Reader fixes a total of 26 bugs, the worst of which could lead to remote code execution (RCE) if a user opened a specially crafted PDF. Several of these bugs were demonstrated at the Tianfu Cup, so it would not be unexpected to see these used in the wild somewhere down the line. The update for InCopy fixes three Critical-rated RCE bugs and one Important-rated privilege escalation. The patch for InDesign corrects two Critical-rated Out-of-bounds (OOB) Write bugs that could lead to code execution plus a Moderate Use-After-Free privilege escalation. The fix for Adobe Bridge covers six bugs, but only one OOB Write is listed as Critical. The others are a mix of privilege escalations and memory leaks. Finally, the patch for Illustrator covers two OOB Read bugs – neither of which can be used for code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2022

For January, Microsoft released patches today for 96 new CVEs in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP). This is in addition to the 24 CVEs patched by Microsoft Edge (Chromium-based) earlier this month and 2 other CVEs previously fixed in open-source projects. This brings the January total to 122 CVEs.

This is an unusually large update for January. Over the last few years, the average number of patches released in January is about half this volume. We’ll see if this volume continues throughout the year. It’s certainly a change from the smaller releases that ended 2021.

Of the CVEs patched today, nine are rated Critical and 89 are rated Important in severity. A total of five of these bugs came through the ZDI program. Six of these bugs are listed as publicly known at the time of release, but none are listed as under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug in http.sys listed as wormable:

- CVE-2022-21907 - HTTP Protocol Stack Remote Code Execution Vulnerability
This bug could allow an attacker to gain code execution on an affected system by sending specially crafted packets to a system that uses the HTTP Protocol Stack (http.sys) to process packets. No user interaction, no privileges required, and an elevated service add up to a wormable bug. And while this is definitely more server-centric, remember that Windows clients can also run http.sys, so affected client versions are exposed to this bug as well. Test and deploy this patch quickly.

- CVE-2022-21846 - Microsoft Exchange Server Remote Code Execution Vulnerability
Yet another Exchange RCE bug, and another Exchange bug reported by the National Security Agency. This is one of three Exchange RCEs being fixed this month, but this is the only one marked Critical. All are listed as being network adjacent in the CVSS score, so an attacker would need to be tied to the target network somehow. Still, an insider or attacker with a foothold in the target network could use this bug to take over the Exchange server.

- CVE-2022-21840 - Microsoft Office Remote Code Execution Vulnerability
Most Office-related RCE bugs are Important severity since they require user interaction and often have warning dialogs, too. However, this bug is listed as Critical. That normally means the Preview Pane is an attack vector, but that’s also not the case here. Instead, this bug is likely Critical due to the lack of warning dialogs when opening a specially crafted file. There are also multiple patches to address this bug, so be sure you apply all available patches. Unfortunately, if you’re running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021, you’re out of luck because there are no patches available for these products. Let’s hope Microsoft makes these patches available soon.

- CVE-2022-21857 - Active Directory Domain Services Elevation of Privilege Vulnerability
This patch fixes a bug that allowed attackers to elevate privileges across an Active Directory trust boundary under certain conditions. Although privilege escalations generally receive an Important severity rating, Microsoft deemed the flaw serious enough to warrant a Critical rating. This does require some level of privileges, so again, an insider or other attacker with a foothold in a network could use this for lateral movement and maintaining a presence within an enterprise.

Here’s the full list of CVEs released by Microsoft for January 2022:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-22947 * Open Source Curl Remote Code Execution Vulnerability Critical N/A Yes No RCE
CVE-2021-36976 * Libarchive Remote Code Execution Vulnerability Important N/A Yes No RCE
CVE-2022-21836 Windows Certificate Spoofing Vulnerability Important 7.8 Yes No Spoofing
CVE-2022-21839 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability Important 6.1 Yes No DoS
CVE-2022-21874 Windows Security Center API Remote Code Execution Vulnerability Important 7.8 Yes No RCE
CVE-2022-21919 Windows User Profile Service Elevation of Privilege Vulnerability Important 7 Yes No EoP
CVE-2022-21857 Active Directory Domain Services Elevation of Privilege Vulnerability Critical 8.8 No No EoP
CVE-2022-21912 DirectX Graphics Kernel Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-21898 DirectX Graphics Kernel Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-21917 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9 No No RCE
CVE-2022-21840 Microsoft Office Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-21833 Virtual Machine IDE Drive Elevation of Privilege Vulnerability Critical 7.8 No No EoP
CVE-2022-21911 .NET Framework Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21869 Clipboard User Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21865 Connected Devices Platform Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21918 DirectX Graphics Kernel File Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-21913 Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass Important 5.3 No No SFB
CVE-2022-21884 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21910 Microsoft Cluster Port Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21835 Microsoft Cryptographic Services Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21871 Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21891 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2022-21932 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability Important 7.6 No No XSS
CVE-2022-21970 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 6.1 No No EoP
CVE-2022-21841 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21855 Microsoft Exchange Server Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2022-21969 Microsoft Exchange Server Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2022-21837 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.3 No No RCE
CVE-2022-21842 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21850 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21851 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21964 Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21893 Remote Desktop Protocol Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21922 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21894 Secure Boot Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2022-21877 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21870 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21861 Task Flow Data Engine Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21873 Tile Data Repository Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21882 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21887 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21876 Win32k Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21859 Windows Accounts Control Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21860 Windows AppContracts API Server Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21862 Windows Application Model Core API Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21925 Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2022-21858 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21838 Windows Cleanup Manager Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21897 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21906 Windows Defender Application Control Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2022-21921 Windows Defender Credential Guard Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2022-21868 Windows Devices Human Interface Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21852 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21902 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21896 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21872 Windows Event Tracing Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21899 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2022-21903 Windows GDI Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21904 Windows GDI Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2022-21915 Windows GDI+ Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-21880 Windows GDI+ Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2022-21878 Windows Geolocation Service Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21847 Windows Hyper-V Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability Important 9 No No EoP
CVE-2022-21900 Windows Hyper-V Security Feature Bypass Vulnerability Important 4.6 No No SFB
CVE-2022-21905 Windows Hyper-V Security Feature Bypass Vulnerability Important 4.6 No No SFB
CVE-2022-21843 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21883 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21848 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21889 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21890 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2022-21908 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21920 Windows Kerberos Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2022-21879 Windows Kernel Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2022-21881 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21888 Windows Modern Execution Server Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21867 Windows Push Notifications Apps Elevation Of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21885 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21914 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21892 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21958 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21959 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21960 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21961 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21962 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21963 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.4 No No RCE
CVE-2022-21928 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.3 No No RCE
CVE-2022-21863 Windows StateRepository API Server file Elevation of Privilege Vulnerability Important 7 No No RCE
CVE-2022-21875 Windows Storage Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21866 Windows System Launcher Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21864 Windows UI Immersive Server API Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21895 Windows User Profile Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21834 Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21924 Workstation Service Remote Protocol Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2022-0096 * Chromium: CVE-2022-0096 Use after free in Storage Critical N/A No No
CVE-2022-0097 * Chromium: CVE-2022-0097 Inappropriate implementation in DevTools High N/A No No
CVE-2022-0098 * Chromium: CVE-2022-0098 Use after free in Screen Capture High N/A No No
CVE-2022-0099 * Chromium: CVE-2022-0099 Use after free in Sign-in High N/A No No
CVE-2022-0100 * Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API High N/A No No
CVE-2022-0101 * Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks High N/A No No
CVE-2022-0102 * Chromium: CVE-2022-0102 Type Confusion in V8 High N/A No No
CVE-2022-0103 * Chromium: CVE-2022-0103 Use after free in SwiftShader High N/A No No
CVE-2022-0104 * Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE High N/A No No
CVE-2022-0105 * Chromium: CVE-2022-0105 Use after free in PDF High N/A No No
CVE-2022-0106 * Chromium: CVE-2022-0106 Use after free in Autofill High N/A No No
CVE-2022-0107 * Chromium: CVE-2022-0107 Use after free in File Manager API Medium N/A No No
CVE-2022-0108 * Chromium: CVE-2022-0108 Inappropriate implementation in Navigation Medium N/A No No
CVE-2022-0109 * Chromium: CVE-2022-0109 Inappropriate implementation in Autofill Medium N/A No No
CVE-2022-0110 * Chromium: CVE-2022-0110 Incorrect security UI in Autofill Medium N/A No No
CVE-2022-0111 * Chromium: CVE-2022-0111 Inappropriate implementation in Navigation Medium N/A No No
CVE-2022-0112 * Chromium: CVE-2022-0112 Incorrect security UI in Browser UI Medium N/A No No
CVE-2022-0113 * Chromium: CVE-2022-0113 Inappropriate implementation in Blink Medium N/A No No
CVE-2022-0114 * Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial Medium N/A No No
CVE-2022-0115 * Chromium: CVE-2022-0115 Uninitialized Use in File API Medium N/A No No
CVE-2022-0116 * Chromium: CVE-2022-0116 Inappropriate implementation in Compositing Medium N/A No No
CVE-2022-0117 * Chromium: CVE-2022-0117 Policy bypass in Service Workers Low N/A No No
CVE-2022-0118 * Chromium: CVE-2022-0118 Inappropriate implementation in WebShare Low N/A No No
CVE-2022-0120 * Chromium: CVE-2022-0120 Inappropriate implementation in Passwords Low N/A No No

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.
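The table above is one row per CVE with a variable-length title sitting between the CVE id and the fixed trailing columns, and the Chromium rows omit the Type column. The script below is an added example, not part of the ZDI article or any ZDI or Microsoft tooling: it parses rows in exactly that layout, reproduces the kind of summary counts the article quotes (severity, publicly known, exploited, bug type), and orders the entries into a patch-priority list. The sample rows are copied verbatim from the table above; the priority ordering (exploited, then publicly known, then severity, then CVSS) is an assumption of this example, one defensible choice among several.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Rows copied verbatim from the release table in this article (including its header);
# a real run would feed the whole table, one row per line, through parse_table().
SAMPLE_ROWS = """\
CVE Title Severity CVSS Public Exploited Type
CVE-2021-22947 * Open Source Curl Remote Code Execution Vulnerability Critical N/A Yes No RCE
CVE-2022-21836 Windows Certificate Spoofing Vulnerability Important 7.8 Yes No Spoofing
CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9 No No RCE
CVE-2022-21833 Virtual Machine IDE Drive Elevation of Privilege Vulnerability Critical 7.8 No No EoP
CVE-2022-21964 Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability Important 9 No No EoP
CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2022-0096 * Chromium: CVE-2022-0096 Use after free in Storage Critical N/A No No
CVE-2022-0107 * Chromium: CVE-2022-0107 Use after free in File Manager API Medium N/A No No
"""

# ASSUMPTION: Chromium's High is treated as equivalent to Microsoft's Important.
SEVERITIES = {"Critical": 0, "Important": 1, "High": 1, "Medium": 2, "Low": 3}
TYPES = {"RCE", "EoP", "DoS", "SFB", "Spoofing", "XSS", "Info"}


@dataclass
class Advisory:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]      # None where the table says N/A
    public: bool
    exploited: bool
    bug_type: Optional[str]    # None for Chromium rows, which carry no Type column
    third_party: bool          # the table's "*" marker


def parse_row(line):
    """Parse one table row; the fixed columns are peeled off from the right."""
    tokens = line.split()
    cve = tokens[0]
    if not cve.startswith("CVE-"):
        raise ValueError(f"not a CVE row: {line!r}")
    third_party = len(tokens) > 1 and tokens[1] == "*"
    start = 2 if third_party else 1
    bug_type = tokens.pop() if tokens[-1] in TYPES else None   # Type column is optional
    exploited = tokens.pop()
    public = tokens.pop()
    cvss_text = tokens.pop()
    severity = tokens.pop()
    if severity not in SEVERITIES or exploited not in ("Yes", "No") or public not in ("Yes", "No"):
        raise ValueError(f"unexpected column layout: {line!r}")
    cvss = None if cvss_text == "N/A" else float(cvss_text)
    return Advisory(cve, " ".join(tokens[start:]), severity, cvss,
                    public == "Yes", exploited == "Yes", bug_type, third_party)


def parse_table(text):
    """Parse every CVE row in the text, skipping blank lines and the header row."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("CVE-"):
            continue
        rows.append(parse_row(line))
    return rows


def summarize(advisories):
    """Counts of the kind the article quotes: by severity, by type, publicly known, exploited."""
    return {
        "total": len(advisories),
        "by_severity": Counter(a.severity for a in advisories),
        "by_type": Counter(a.bug_type or "n/a" for a in advisories),
        "public": sum(a.public for a in advisories),
        "exploited": sum(a.exploited for a in advisories),
    }


def prioritize(advisories):
    """ASSUMPTION: exploited first, then publicly known, then severity, then CVSS descending."""
    return sorted(advisories,
                  key=lambda a: (not a.exploited, not a.public,
                                 SEVERITIES[a.severity], -(a.cvss or 0.0)))


if __name__ == "__main__":
    rows = parse_table(SAMPLE_ROWS)
    print(summarize(rows))
    for a in prioritize(rows):
        flags = ("public " if a.public else "") + ("exploited" if a.exploited else "")
        print(f"{a.cve:15} {a.severity:10} {str(a.cvss):5} {a.bug_type or '-':9} {flags:18} {a.title}")
```

Run against the full table, summarize() should reproduce the article's nine Critical, 89 Important, six publicly known and zero exploited for the Microsoft rows; the ordering is only a starting point, and the article's own emphasis on the wormable http.sys bug is a reminder that a 9.8 with no privileges required can outrank a publicly known library bug in practice.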

Looking at the remaining Critical-rated patches released this month, two impact DirectX, and one affects HEVC video extensions. Viewing a specially crafted media file could result in code execution. For the HEVC extensions, you’ll need to be connected to the Microsoft Store to receive the update. Otherwise, you’ll need to manually verify the update has been applied. There’s a fix for the Virtual Machine IDE Drive that could allow a privilege escalation, but the complexity is marked high on this bug. Seeing this bug in the wild would likely take quite a bit of work. There’s a patch for the Windows Security Center API. Microsoft doesn’t say how the code execution could occur, and although the title says remote code execution, they list the attack vector as local. The final Critical-rated bug for January was actually disclosed by HackerOne back in September 2021. This patch incorporates the latest Curl libraries into Microsoft products, which is why this CVE is listed as publicly known. Similarly, the patch for the Libarchive library was also disclosed in 2021, and the latest version of this library is now being incorporated into Microsoft products.

Moving on to Important-rated patches, there are over 20 that could lead to remote code execution. Eight of these bugs impact the Windows Resilient File System (ReFS), but these require physical access. Microsoft doesn’t always patch bugs that require physical access, but getting code execution by just inserting a USB drive is an exception to that rule. There’s also a patch for the Windows Internet Key Exchange (IKE) protocol extension that rates a CVSS of 9.8. According to Microsoft, this bug could allow a remote attacker to “trigger multiple vulnerabilities without being authenticated,” but they don’t specify what vulnerabilities or provide further details. Only systems with the IPSec service running are affected by this bug.

There are some code execution bugs in RDP, but these impact the RDP client. The RDP protocol bug requires a user to connect to a malicious RDP server. Fortunately, these aren’t as severe as the previously patched BlueKeep RDP bugs. There are a couple of code execution bugs in Office components and the aforementioned Important-rated Exchange bugs. There is an Edge (Chromium) bug getting fixed, and this is separate from the Chromium fixes integrated earlier this month.

There are a whopping 41 patches to correct Elevation of Privilege (EoP) bugs; however, most of these require an attacker to log on to an affected system and run a specially crafted program. Many different Windows components have these EoP bugs, most notably the kernel and kernel-mode drivers. The EoP fixed in Hyper-V is different. In this case, an attacker on a guest OS could potentially interact with processes of another Hyper-V guest hosted on the same Hyper-V host. While not a full guest-to-host escape, that could still be very useful to an adversary.

Moving on to the nine Security Feature Bypass (SFB) patches, some impacted components stand out. Unfortunately, Microsoft provides no information on what feature is being bypassed or how that impacts the security of an enterprise. We can say some important components, like Local Security Authority, Secure Boot Feature, Windows Defender, and Workstation Service all receive updates. The only exception is the two SFB bugs in Hyper-V. For configurations using router guard, packets that normally would be dropped could get processed. This could allow an attacker to bypass set policy and potentially influence router paths.

There are also nine patches fixing Denial-of-Service (DoS) bugs this month. Most of these bugs are found in the Windows IKE Extension, but only systems with the IPSec service running are affected by these bugs.

This month’s release includes six fixes for information disclosure bugs. Most of these only result in leaks consisting of unspecified memory contents. However, the bug in the Remote Desktop Licensing Diagnoser could allow an attacker to recover cleartext passwords from memory.

The January release is rounded out with two spoofing bugs in the Windows Certificate component and Microsoft Dynamics 365 and a cross-site scripting (XSS) bug in the Dynamics 365 Customer Engagement component. The bug in the Windows Certificate component could allow an attacker to bypass Windows Platform Binary Table (WPBT) binary verification by using a small number of compromised certificates. This is also listed as publicly known, but Microsoft gives no indication where it was publicly posted.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Article Link: Zero Day Initiative — The January 2022 Security Update Review