January 12, 2022

Patch Tuesday Update - January 2022

We Hope Everyone Is Finished Patching Log4j…

Welcome to 2022! Hopefully everyone had a nice, restful holiday break…not frantically patching 90% of your servers because of Log4j-related vulnerabilities. Well, this week Microsoft dumped a whopping 97 new vulnerabilities for Windows and associated software. (Insert tone-deaf “job-security” joke here).

To make matters worse, nine of these newly reported CVEs have been dubbed “critical” by Microsoft. Also, six of these nine critical flaws were disclosed prior to the release today, potentially giving bad actors a head-start on developing exploits (though none are being actively exploited at the time of writing).

One of these six (CVE-2022-21907) affects the HTTP Protocol Stack in Windows 10, 11, Server 2019, and Server 2022. This vulnerability is considered “wormable”, meaning adversaries could potentially exploit it to gain remote access to vulnerable systems without any user interaction. Back in May 2021, a similar vulnerability was patched for the HTTP Protocol Stack (CVE-2021-31166) and less than a week later, exploit code was posted online. Moral of the story: this vulnerability should be patched ASAP.

Interestingly, of all the CVEs released today, roughly 25% affect the Microsoft Edge browser via Chromium, including the six previously disclosed vulnerabilities mentioned above. As stated before, none of these vulnerabilities have been seen exploited in the wild yet. However, there are two remote code execution (RCE) flaws included in the 6 (CVE-2021-22947 and CVE-2021-36976).

Microsoft Exchange server is back on the board as well, with three more RCE flaws being patched, including CVE-2022-21846 which was disclosed to Microsoft by the National Security Agency. Thankfully, all of these vulnerabilities require the would-be attacker to be on the target network to run the exploit. However, just to be safe, Microsoft has tagged them as “exploitation more likely.”

As always, Balbix can identify all affected assets within 1 hour of release. There are no scans to run. Balbix customers simply search for the CVE name in their Balbix dashboard to view the list of affected assets. Users can also use the filtered search functionality to search for the CVE by site, subnet, location, or other distinguishing factors.