January 2022 Patch Tuesday: Wormable HTTP.SYS vulnerability rings in the new year

Welcome to the first Patch Tuesday of 2022! Microsoft may have been a little stingy with our December presents, but they’ve made up for it this month with a substantial increase in the number of flaws addressed, including a potentially devastating wormable flaw in the HTTP Protocol Stack (HTTP.sys) used by the Windows Internet Information Services (IIS) that has the potential to be quickly weaponized and deployed by threat actors. We’ll dive deeper into that in a moment.

In this edition, Microsoft has released fixes for 97 vulnerabilities that include nine Critical and 88 Important classifications. There are also six zero-day vulnerabilities that were publicly disclosed and will need patching. Luckily, none of them is under active exploitation, which gives defenders an opportunity to patch systems before any exploits begin. However, most have proof-of-concept exploits already available, so there is only a narrow window of opportunity to get ahead of attackers.

Microsoft vulnerabilities

It’s going to be another busy month for teams dedicated to patching. Not only is there an increase in vulnerabilities being addressed, but there should also be a sense of urgency behind getting two of the potentially more damaging vulnerabilities addressed quickly, with a total of 14 being marked as Exploitation More Likely that should not be escaping your attention.

The two most notable vulnerabilities for the month are CVE-2022-21907, the previously mentioned HTTP.sys vulnerability, and CVE-2022-21840, which is a Microsoft Office remote code execution vulnerability that only requires a user to open an office file or view the file in Windows Explorer’s preview pane.

CVE-2022-21907 HTTP.sys vulnerability is marked as Exploitation More Likely and has the potential to be wormable based on how it works. An attacker who successfully sends a specially crafted packet to a target Windows server and executes an attack can use the affected system to replicate the attack on other targets. The vulnerability affects Windows 10, Windows 11, Server 2019, and Server 2022, so even though IIS is typically only in use on Windows servers, there is still the chance that workstations may be leveraging IIS, meaning an audit of both server and workstation Windows OS is warranted.

Microsoft also issued fixes for three remote code execution vulnerabilities (CVE-2022-21846, CVE-2022-21855, CVE-2022-21969) in Exchange Server. While these are marked as Exploitation More Likely, they all appear to require an attacker to already have a substantial foothold in or access to an environment prior to exploitation. This is in stark contrast to ProxyShell from last year, which was an RCE, so these don’t have the same level of urgency. Nonetheless, it should still be a priority item for the month.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Find out more

Vulnerability prioritization

As always, it is important to not just prioritize vulnerabilities based on their severity but also their exploitation likelihood. Vulnerabilities marked Exploitation More Likely are as important, and some may say even more important, to address quickly due to their increased likelihood to cause actual impacts to an environment. These CVEs from Microsoft should be top of the list as they are all marked as Exploitation More Likely, Exploitation Detected, or Critical.

Cumulative updates

KB5009566 for Windows 11 includes a servicing stack update to resolve problems with Windows Updates. There is a known issue with some image editing software not rendering colors correctly on HDR displays, so any media/content creation workstations may need to defer this cumulative update until resolved in late January. KB5009543 and KB500945 for Windows 10 also include a servicing stack update for Windows Update.

Related Product

N‑sight RMM

Inizia a utilizzare rapidamente la soluzione RMM progettata per MSP e reparti IT di piccole dimensioni.

Find out more

End of service for Windows 10 2004

Here is a final reminder that Windows 10 Version 2004 received its last security update in December 2021 because it has now hit EOS. Looking for this and other end-of-service builds of Windows 10 should be a part of regular audits of environments.

Log4j still lingers

The fallout from CVE-2021-44228 carries on as threat actors continue to leverage it to deliver both old and new payloads. Because of how easy the Log4j vulnerability is to exploit, this isn’t something attackers will stop using anytime soon. Unfortunately, there are still a large number of vulnerable systems out there with enterprise, SMB, and even federal agencies still struggling to identify at-risk systems. The FTC is even warning those who fail to take due care when addressing Log4j vulnerabilities may be falling foul of the Gramm Leach Bliley Act and face legal action.

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Lewis Pope is the head security nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd