Virtual Administrator’s January 2023 Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 98 vulnerabilities with 11 rated “Critical” in severity.

All patches will be approved in our patch policy including last month’s deferred KB5012170.

This month brings 98 updates with 11 classified as critical. Most concerning are a Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability (CVE-2023-21674) and Windows Workstation Service Elevation of Privilege Vulnerability (CVE-2023-21549). Microsoft SharePoint Server (CVE-2023-21743) has a Critical security bypass flaw patched. Two Microsoft Exchange vulnerabilities are also patched this month.

Approved Secure Boot DBX (KB5012170)

KB5012170 is a security update classified as “Critical (High Priority)” and Microsoft posted the vulnerability in ADV200011. There were reports of issues with this update causing BSOD and interfering with Bitlocker encryption. We deferred it in December hoping Microsoft would correct the issues but they have not. From our experience, if they don’t fix something within the first 30 days, it doesn’t get fixed. Also we’ve only seen a few reports of Bitlocker asking for a recovery key and sparse reports of the BSOD error 0x800f0922. For these reasons we are releasing KB5012170 this month.

KB5012170 was originally released in August of 2022. Last month Microsoft released a new version and included Windows 11. While few admins have experienced issues, before patching critical systems, you should make sure the UEFI bios is on the latest version and have Bitlocker recovery key handy. For additional information see “Microsoft Security Advisories” and “Known Issues” below.

FYI – No more monthly updates for Windows 10 Version 21H1 “May 2021 Update” (OS Build 19043)

End of service statement,that%20contain%20protection%20from%20the%20latest%20security%20threats.

Disclosed: CVE-2023-21549

Exploited: CVE-2023-21674

Security Update Guide

Morphus Labs patch dashboard here:

Microsoft Security Advisories

ADV220005 | Guidance on Microsoft Signed Drivers Being Used Maliciously (Published:12/13/2022 | Last Updated:01/10/2023)

Summary: Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers.

Recommended Actions: Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks.

ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB (Published:07/29/2020 | Last Updated:01/10/2023)

Summary: Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot”, could allow for Secure Boot bypass.

Recommended Actions: Microsoft recommends that enterprise customers review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory.

ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver (Published:12/08/2020 | Last Updated:01/10/2023)

Summary: Microsoft is aware of a vulnerability involving DNS cache poisoning caused by IP fragmentation that affects Windows DNS Resolver. An attacker who successfully exploited this vulnerability could spoof the DNS packet which can be cached by the DNS Forwarder or the DNS Resolver.

Recommended Actions: See the Workaround sections of this advisory.

Known Issues

An issue with the Microsoft Exchange Server 2016/2019 update (KB5022143/KB5022193).  Information on Security update for Secure Boot DBX (KB5012170)

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

“Some webpage previews are not rendered correctly”

Affects: Microsoft Exchange Server 2016/2019

Symptom: After this update is installed, webpage previews for URLs that are shared in Outlook on the web (OWA) are not rendered correctly.

Workaround: We will fix this issue in a future update.

“Secure Boot DBX (KB5012170) install fails with error 0x800f0922 or enters BitLocker Recovery”

Affects: Windows Windows 8.1/10/11, Server 2012/2016/2019/2022 (KB5012170)

Symptom: If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.

Workaround: See KB link

Symptom: When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.

Workaround: This issue can be mitigated on some devices by updating the UEFI bios to the latest version before attempting to install this update.

Symptom: Some devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11.

Workaround: This issue is addressed in the servicing stack updates (SSU) and the latest cumulative updates (LCU) dated July 12, 2022 and later.

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are with the KB number only.

Security and Quality Rollup

  • KB5022338 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5022352 – Windows 8.1, Windows Server 2012 R2
  • KB5022348 – Windows Server 2012
  • KB5022340 – Windows Server 2008 (ESU)

Security Only Update

  • KB5022339 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5022346 – Windows 8.1, Windows Server 2012 R2
  • KB5022343 – Windows Server 2012
  • KB5022353 – Windows Server 2008 (ESU)

Cumulative Updates

Windows 10

  • KB5022297 – Original release version 1507 (OS Build 10240)
  • KB5022289 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5022286 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5022282 – Version 20H2 “October 2020 Update” (OS Build 19042)
  • EOS- Version 21H1 “May 2021 Update” (OS Build 19043)
  • KB5022282 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5022282 – Version 22H2 “November 2022 Update” (OS Build 19045)
  • (Versions 1511,1703,1709,1803,1903,2004, 21H1 are no longer under support)

Windows 11

  • KB5022287 – 21H2 (OS Build 22000) Original release
  • KB5022303 – 22H2 (OS Build 22621)

Windows Server

  • KB5022289 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5022286 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5022291 – Server 2022 (OS Build 20348)

January 2023 updates for Microsoft Office

Notable CVEs

CVE-2023-21549 | Windows SMB Witness Service Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

“An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only.”

CVE-2023-21561 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM.”

CVE-2023-21674 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

“This vulnerability could lead to a browser sandbox escape. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

CVE-2023-21743 | Microsoft SharePoint Server Security Feature Bypass Vulnerability (KB5002329,KB5002331,KB5002338)

“In a network-based attack, an unauthenticated attacker could bypass authentication and make an anonymous connection.”

CVE-2023-21745 | Microsoft Exchange Server Spoofing Vulnerability (KB5022193)

“An authenticated attacker could exploit this vulnerability LAN-side or potentially from the internet. An authenticated attacker could achieve exploitation given a Powershell remoting session to the server.”

CVE-2023-21762 | Microsoft Exchange Server Spoofing Vulnerability (KB5022143,KB5022188,KB5022193)

“Exploiting this vulnerability could allow the disclosure of NTLM hashes. This vulnerability’s attack is limited at the protocol level to a logically adjacent topology. The attacker must be authenticated. If the attack is successful it could lead to a NTLM relay allowing for controls that would be able to block availability of a resource.”