Date of Notice: 01/12/2022
Action Level - High
Microsoft’s latest Patch Tuesday release, on January 11, 2022, addresses 126 CVEs, a few of which could become problematic.
Notably, CVE-2022-21907 is a potential RCE vulnerability that could be made wormable. It affects Server 2022, 20H2 Core, and other versions of Windows 10 and Windows 11 where the trailer feature in http.sys is enabled by default. Server 2019 and Windows 10 v1809 do not have this feature enabled by default.
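As an added, read-only audit example (not part of the original notice), the following PowerShell reports whether a host meets the http.sys trailer precondition described above. It assumes the EnableTrailerSupport registry value named in Microsoft's advisory for this CVE (confirm against the vendor guidance) and that build 17763 identifies Windows 10 v1809 / Server 2019.

```powershell
# Read-only audit of the CVE-2022-21907 precondition. Nothing is modified.
# Assumption: the registry value below is the one named in Microsoft's advisory
# for this CVE; verify against the vendor guidance before relying on it.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

function Get-TrailerSupportState {
    # Returns 'absent', 'enabled' or 'disabled' for the http.sys trailer switch.
    $item = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'absent' }
    if ($item.$valueName -eq 1) { return 'enabled' }
    return 'disabled'
}

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$state = Get-TrailerSupportState

# Assumption: build 17763 = Windows 10 v1809 / Server 2019, where the feature is
# off unless the value turns it on. Later builds (20H2, Server 2022, Windows 11)
# have it on by default per the notice, and the value does not mitigate there.
if ($build -lt 17763) {
    $verdict = 'build older than v1809: not covered by the notice; check vendor guidance'
} elseif ($build -eq 17763) {
    if ($state -eq 'enabled') { $verdict = 'EXPOSED: trailer support explicitly enabled' }
    else                      { $verdict = 'not exposed by default' }
} else {
    $verdict = 'EXPOSED unless the January 2022 update is installed'
}

# Hotfixes installed on or after Patch Tuesday, so the operator can confirm the update landed.
$recent = Get-HotFix |
          Where-Object { $_.InstalledOn -and $_.InstalledOn -ge (Get-Date '2022-01-11') } |
          Select-Object -ExpandProperty HotFixID

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    OS                = $os.Caption
    Build             = $build
    TrailerSupport    = $state
    Verdict           = $verdict
    UpdatesSinceJan11 = ($recent -join ', ')
}
```

Run it from an elevated session on each Windows host in scope; the output object is suitable for collection into a CSV for fleet-wide review.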
Three RCE vulnerabilities affecting Exchange are also patched. While these require an attacker to be on the same network as the Exchange server, an internal bad actor could exploit them if your network lacks proper segmentation. Further, Microsoft rates the probability of exploitation for these as “More Likely”.
Ten privilege escalation vulnerabilities, also rated “More Likely” for exploitability, are patched as well.
Overall, 9 of these CVEs are rated Critical and 6 were publicly disclosed. At this time, none of them has a public exploit.
Ensure your devices are running current patches per vendor guidance. If you are unable to patch, review the Critical and Disclosed CVEs and explore their specific mitigation options. SANS has a consolidated list here.