Virtual Administrator’s May 2022 Patch Recommendations
This month Microsoft released patches for 74 vulnerabilities with 8 rated “Critical” in severity.
All patches will be approved in our patch policy.
An average number of patches this month but there are many known issues to consider. The most concerning bug this month is CVE-2022-26925. This is a spoofing vulnerability affecting Windows LSA (the “Local Security Authority” process within Windows). CVE-2022-26925 is being actively exploited. Microsoft also recommends taking additional steps outlined in KB5005413 (See “FYI” below). CVE-2022-26937 affects services using the Windows Network File System (NFS). CVE-2022-22713 is an important-rated bug that could allow denial-of-service (DoS) on Hyper-V servers running more recent versions of Windows (20H2 and later). Exchange Server 2013/2016/2019 has a security update and hotfix (KB5011363). There are some new SSUs.
There is a known issue with all of this month’s updates affecting domain controllers which may cause authentication failures on the server or client for some services. The issue has been found related to how the domain controller manages the mapping of certificates to machine accounts. See “Known Issues” below.
Disclosed: CVE-2022-22713, CVE-2022-26925, CVE-2022-29972
Exploited: CVE-2022-26925
FYI – Further actions needed to protect systems after applying security update CVE-2022-26925
CVE-2022-26925 | Windows LSA Spoofing Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26925
An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.
KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:05/10/2022)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: Some Windows 10 Security Stack Updates were released as standalone this month.
ADV220001 | Upcoming improvements to Azure Data Factory and Azure Synapse Pipeline infrastructure in response to CVE-2022-29972 (Released: 05/09/2022)
https://msrc.microsoft.com/update-guide/vulnerability/ADV220001
Microsoft recently mitigated and remediated a vulnerability affecting Azure Data Factory and Azure Synapse Pipelines.
Known Issues
A number of known issues are listed below. Problems with the way domain controllers manage the mapping of certificates to machine accounts affects all Windows versions.
Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.
KB5011363 New Exchange Server Security Update and Hotfix Packaging
Symptom: When you run the EXE package, you may receive an error message that resembles the following:
ERROR: Exchange Setup couldn’t extract the contents of the patch file. More information: Could not find a part of the path ‘C:\Users\<USER>\AppData\Application\Temp\Exchangeserver.msp’
This issue may occur if the %temp% folder does not exist on the system. The %temp% folder exists by default but may have been removed.
Workaround: To work around this issue, create a folder named “Temp” in the following location (where <USER> is the user name in the %USERPROFILE% path: C:\Users\<USER>\AppData\Application\
————–
KB5013942 Windows 10, version 20H2, Windows Server, version 20H2, Windows 10, version 21H1, Windows 10, version 21H2
KB5013943 Windows 11
Symptom: After installing this update, Windows devices that use certain GPUs might cause apps to close unexpectedly or cause intermittent issues that affect some apps that use Direct3D 9. You might also receive an error in Event Log in Windows Logs/Applications, and the faulting module is d3d9on12.dll and the exception code is 0xc0000094.
Workaround: This issue is resolved using Known Issue Rollback (KIR). Please note that it might take up to 24 hours for the resolution to propagate automatically to consumer devices and non-managed business devices. Restarting your Windows device might help the resolution apply to your device faster. For enterprise-managed, devices that have installed an affected update and encountered this issue can resolve it by installing and configuring the special Group Policy listed below. For information on deploying and configuring these special Group Policies, see How to use Group Policy to deploy a Known Issue Rollback.
Group Policy download with Group Policy name:
Download for Windows 10, version 2004, Windows 10, version 20H2, Windows 10, version 21H1, and Windows 10, version 21H2 – Group Policy name: KB5011831 220509_20051 Known Issue Rollback
Important You must install and configure the Group Policy to resolve this issue. Please see, How to use Group Policy to deploy a Known Issue Rollback.
————–
KB5013943 Windows 11
Symptom: After installing this update, some .NET Framework 3.5 apps might have issues or might fail to open. Affected apps are using certain optional components in .NET Framework 3.5, such as Windows Communication Foundation (WCF) and Windows Workflow (WWF) components.
Workaround: You can mitigate this issue by re-enabling .NET Framework 3.5 and the Windows Communication Foundation in Windows Features. For instructions, please see Enable the .NET Framework 3.5 in Control Panel. Advanced users or IT admins can do this programmatically using an elevated Command Prompt (run as administrator) and running the following commands:
dism /online /enable-feature /featurename:netfx3 /all
dism /online /enable-feature /featurename:WCF-HTTP-Activation
dism /online /enable-feature /featurename:WCF-NonHTTP-Activation
————–
Impacts all Windows versions, including the latest available releases (Windows 11 and Windows Server 2022).
Reference link from Windows Server 2022
Symptom: After installing updates released May 10, 2022 on domain controllers, you might see authentication failures on the server or client for some services. These services include Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the domain controller manages the mapping of certificates to machine accounts.
Note Installation of the May 10, 2022 updates on client Windows devices and non-domain controller Windows Servers will not cause this issue. This issue only affects servers that are used as domain controllers.
Workaround: The preferred mitigation for this issue is to manually map certificates to a machine account in Active Directory. For instructions, see Certificate mapping.
Note The instructions are the same for mapping certificates to user or machine accounts in Active Directory. If the preferred mitigation will not work in your environment, see KB5014754—Certificate-based authentication changes on Windows domain controllers for other possible mitigations in the “SChannel registry key” section.
Note Any other mitigation except the preferred mitigations might lower or disable security hardening.
Additional Information
KB5014754—Certificate-based authentication changes on Windows domain controllers
Microsoft: May Windows updates cause AD authentication failures
Good resource for known issues with Windows 10 patches. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5014012 – Windows 7, Windows Server 2008 R2 (ESU)
- KB5014011 – Windows 8.1, Windows Server 2012 R2
- KB5014017 – Windows Server 2012
- KB5014010 – Windows Server 2008 (ESU)
Security Only Update
- KB5013999 – Windows 7, Windows Server 2008 R2 (ESU)
- KB5014001 – Windows 8.1, Windows Server 2012 R2
- KB5014018 – Windows Server 2012
- KB5014006 – Windows Server 2008 (ESU)
Cumulative Updates
Windows 10
- KB5013963 – Original release version 1507 (OS Build 10240)
- KB5013952 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5013941 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5013945 – Version 1909 “November 2019 Update” (OS Build 18363)
- KB5013942 – Version 20H2 “October 2020 Update” (OS Build 19042)
- KB5013942 – Version 21H1 “May 2021 Update” (OS Build 19043)
- KB5013942 – Version 21H2 “November 2021 Update” (OS Build 19044)
(Versions 1511,1703,1709,1803,1903,2004 are no longer under support)
Windows 11
- KB5013943 – Original release (OS Build 22000)
Windows Server
- KB5013952 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5013941 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5013944 – Server 2022 (OS Build 20348)
May 2022 updates for Microsoft Office
Notable CVEs
CVE-2022-22012 | Windows LDAP Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22012
CVE-2022-22017 | Remote Desktop Client Remote Code Execution Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22017
CVE-2022-22713 | Windows Hyper-V Denial of Service Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22713
CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923
CVE-2022-26925 | Windows LSA Spoofing Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925
CVE-2022-26937 | Windows Network File System Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937
CVE-2022-29972 | Insight Software: Magnitude Simba Amazon Redshift ODBC Driver
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972