Overview
On February 9, 2022, NSFOCUS CERT detected that Microsoft had released its February security update, which fixes 48 security issues in widely used products including Windows, Microsoft Office, Microsoft Dynamics, and Azure, covering high-risk vulnerability types such as privilege escalation and remote code execution.
Of the vulnerabilities fixed in this month's update, none is rated Critical: all 48 are rated Important, and one of them was publicly disclosed before the patch was available (a 0-day):
Windows Kernel Privilege Escalation Vulnerability (CVE-2022-21989)
Affected users should apply the patches as soon as possible. The complete list of vulnerabilities is in the appendix.
The NSFOCUS Remote Security Assessment System (RSAS) can detect most of the vulnerabilities in this Microsoft update, including the high-risk CVE-2022-21984, CVE-2022-22005, CVE-2022-21999 and CVE-2022-21995. RSAS users should watch for the corresponding vulnerability plug-in upgrade package and upgrade to the latest version promptly. Official download page: http://update.nsfocus.com/update/listRsasDetail/v/vulsys
Reference link: https://msrc.microsoft.com/update-guide/en-us/releaseNote/2022-Feb
Description of Major Vulnerabilities
Windows Kernel Privilege Escalation Vulnerability (CVE-2022-21989)
A privilege escalation vulnerability exists in the Windows Kernel: a boundary error leads to a buffer overflow. Under certain conditions a low-privileged local attacker can exploit it to elevate privileges and execute arbitrary code on the target system. Microsoft notes that the attack can be launched from a low-privilege AppContainer, so the bug is also relevant as a sandbox escape. Because it was publicly disclosed before the patch was released, it should be prioritized even though no in-the-wild exploitation had been reported at the time of the update.
Official announcement link: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21989
Windows DNS Server Remote Code Execution Vulnerability (CVE-2022-21984)
This vulnerability is exploitable only when dynamic updates are enabled on the DNS server. In that configuration, a low-privileged authenticated attacker can take over the DNS server and execute arbitrary code on it without any user interaction. The CVSS score is 8.8. Note that on Active Directory-integrated zones dynamic updates are enabled by default (secure updates, which any authenticated domain principal may send), so most domain DNS servers meet the precondition.
Official announcement link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21984
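The practical check for CVE-2022-21984 is which zones on each DNS server accept dynamic updates at all. The following PowerShell audit is an added example and not part of the NSFOCUS advisory or a Microsoft tool; it assumes the DnsServer RSAT module is available, that the script runs with DNS administrator rights, and that the server names in the usage call are placeholders. Tightening zones that allow nonsecure updates to secure-only is general hardening, not a fix for this vulnerability, because secure updates still accept records from any authenticated principal; the patch remains required.

```powershell
# Added example (not from the NSFOCUS advisory): audit which primary DNS zones
# accept dynamic updates, the precondition Microsoft lists for CVE-2022-21984.
# Assumptions: DnsServer module present, DNS admin rights, placeholder server names.

function Get-DynamicUpdateExposure {
    [CmdletBinding()]
    param(
        # DNS servers to audit; defaults to the local machine
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($server in $ComputerName) {
        # DynamicUpdate is one of None, Secure, NonsecureAndSecure and is only
        # meaningful for primary zones (secondary/stub zones never accept updates).
        Get-DnsServerZone -ComputerName $server |
            Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -ne 'None' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server        = $server
                    Zone          = $_.ZoneName
                    ADIntegrated  = $_.IsDsIntegrated
                    DynamicUpdate = $_.DynamicUpdate
                    # NonsecureAndSecure: any client, even unauthenticated, can push records.
                    # Secure: any authenticated domain principal can, which is all
                    # a "low-privileged attacker" needs for this CVE.
                    Risk          = if ($_.DynamicUpdate -eq 'NonsecureAndSecure') { 'High' } else { 'Medium' }
                }
            }
    }
}

# Usage: report exposed zones on two (placeholder) servers.
$exposed = Get-DynamicUpdateExposure -ComputerName 'dns01', 'dns02'
$exposed | Format-Table -AutoSize

# Optional hardening: move AD-integrated zones that accept nonsecure updates to
# secure-only. Secure updates require an AD-integrated zone, hence the filter.
# -WhatIf previews the change; remove it to apply. This does NOT replace the patch.
$exposed |
    Where-Object { $_.Risk -eq 'High' -and $_.ADIntegrated } |
    ForEach-Object {
        Set-DnsServerPrimaryZone -ComputerName $_.Server -Name $_.Zone -DynamicUpdate Secure -WhatIf
    }
```

Zones reported as High should be reviewed first; zones reported as Medium are the normal state for a domain and are the reason the patch, rather than configuration, is the real fix here.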
Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2022-22005)
A vulnerability in SharePoint Server allows an authenticated user to execute arbitrary .NET code on the server in the context of the SharePoint web application. Successful exploitation requires that the attacker hold the "Manage Lists" permission on a site. The CVSS score is 8.8.
Official announcement link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22005
Windows Print Spooler Privilege Escalation Vulnerability (CVE-2022-21999)
A vulnerability exists in the Windows Print Spooler that an authenticated local attacker could exploit to execute arbitrary code with SYSTEM privileges on the target system. The CVSS score is 7.8. This update fixes three further Print Spooler privilege escalation vulnerabilities (CVE-2022-21997, CVE-2022-22717 and CVE-2022-22718, listed in the appendix); on servers that do not need to print, disabling the Print Spooler service remains a sound compensating control alongside patching.
Official announcement link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999
Windows Hyper-V Remote Code Execution Vulnerability (CVE-2022-21995)
Windows Hyper-V is Microsoft's native hypervisor. In a specific environment, and with user interaction, an attacker could exploit this vulnerability to cross the trust boundary and ultimately execute arbitrary code with user privileges on the Hyper-V host.
Official announcement link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21995
Azure Data Explorer Spoofing Vulnerability (CVE-2022-23256)
A spoofing vulnerability exists in Azure Data Explorer. An attacker who crafts a malicious URL and persuades a user to open it on an affected system could execute code with that user's rights. The CVSS score is 8.1.
Official announcement link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23256
Microsoft Dynamics GP Remote Code Execution Vulnerability (CVE-2022-23274)
A remote code execution vulnerability exists in Microsoft Dynamics GP. An authenticated attacker could send a specially crafted SQL request to the Dynamics GP web server and ultimately execute arbitrary code on the target server.
Official announcement link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23274
Scope of Impact
Vulnerability No. | Affected Product Version |
CVE-2022-21989, CVE-2022-21999 | Windows Server 2012 R2 (Server Core installation); Windows Server 2012 R2; Windows Server 2012 (Server Core installation); Windows Server 2012; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation); Windows Server 2008 for x64-based Systems Service Pack 2; Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation); Windows Server 2008 for 32-bit Systems Service Pack 2; Windows RT 8.1; Windows 8.1 for x64-based systems; Windows 8.1 for 32-bit systems; Windows 7 for x64-based Systems Service Pack 1; Windows 7 for 32-bit Systems Service Pack 1; Windows Server 2016; Windows 10 Version 1607 for x64-based Systems; Windows 10 Version 1607 for 32-bit Systems; Windows 10 for x64-based Systems; Windows 10 for 32-bit Systems; Windows 10 Version 21H2 for x64-based Systems; Windows 10 Version 21H2 for ARM64-based Systems; Windows 10 Version 21H2 for 32-bit Systems; Windows 11 for ARM64-based Systems; Windows 11 for x64-based Systems; Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for ARM64-based Systems; Windows 10 Version 20H2 for 32-bit Systems; Windows 10 Version 20H2 for x64-based Systems; Windows Server 2022 Azure Edition Core Hotpatch; Windows Server 2022 (Server Core installation); Windows Server 2022; Windows 10 Version 21H1 for 32-bit Systems; Windows 10 Version 21H1 for ARM64-based Systems; Windows 10 Version 21H1 for x64-based Systems; Windows 10 Version 1909 for ARM64-based Systems; Windows 10 Version 1909 for x64-based Systems; Windows 10 Version 1909 for 32-bit Systems; Windows Server 2019 (Server Core installation); Windows Server 2019; Windows 10 Version 1809 for ARM64-based Systems; Windows 10 Version 1809 for x64-based Systems; Windows 10 Version 1809 for 32-bit Systems |
CVE-2022-21984 | Windows 10 Version 21H2 for x64-based Systems; Windows 10 Version 21H2 for ARM64-based Systems; Windows 10 Version 21H2 for 32-bit Systems; Windows 11 for ARM64-based Systems; Windows 11 for x64-based Systems; Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for ARM64-based Systems; Windows 10 Version 20H2 for 32-bit Systems; Windows 10 Version 20H2 for x64-based Systems; Windows Server 2022 Azure Edition Core Hotpatch; Windows Server 2022 (Server Core installation); Windows Server 2022; Windows 10 Version 21H1 for 32-bit Systems; Windows 10 Version 21H1 for ARM64-based Systems; Windows 10 Version 21H1 for x64-based Systems; Windows 10 Version 1909 for ARM64-based Systems; Windows 10 Version 1909 for x64-based Systems; Windows 10 Version 1909 for 32-bit Systems |
CVE-2022-22005 | Microsoft SharePoint Server Subscription Edition; Microsoft SharePoint Server 2019; Microsoft SharePoint Enterprise Server 2013 Service Pack 1; Microsoft SharePoint Enterprise Server 2016 |
CVE-2022-21995 | Windows Server 2016 (Server Core installation); Windows Server 2016; Windows 10 Version 1607 for x64-based Systems; Windows 10 for x64-based Systems; Windows 10 Version 21H2 for x64-based Systems; Windows 11 for x64-based Systems; Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for x64-based Systems; Windows Server 2022 Azure Edition Core Hotpatch; Windows Server 2022 (Server Core installation); Windows Server 2022; Windows 10 Version 21H1 for x64-based Systems; Windows 10 Version 1909 for x64-based Systems; Windows Server 2019 (Server Core installation); Windows Server 2019; Windows 10 Version 1809 for x64-based Systems |
CVE-2022-23256 | Azure Data Explorer |
CVE-2022-23274 | Microsoft Dynamics GP |
Mitigation
Patch update
Microsoft has released security patches that fix the above vulnerabilities for supported product versions. Affected users are strongly advised to install them as soon as possible. Official download link:
https://msrc.microsoft.com/update-guide/en-us/releaseNote/2022-Feb
Note: Windows Update can fail to install a patch because of network or local environment problems. After installing, confirm that the update actually succeeded rather than assuming it did.
Right-click the Windows icon, select "Settings", then "Update & Security" > "Windows Update", and check the status shown on that page. "View update history" lists the installation result of each past update.
For an update that did not install successfully, click its name to open the corresponding Microsoft page, then follow the link there to the Microsoft Update Catalog and download and install the standalone package.
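Checking the Settings page by hand does not scale across a fleet. The following PowerShell function is an added example, not part of the NSFOCUS advisory or of any Microsoft tool; it verifies that the expected cumulative update is present on each host and reports the Print Spooler state as a compensating control for the four spooler privilege escalation fixes in this release. It assumes WinRM is enabled on the targets, and the KB numbers, host names and build/revision thresholds passed in the usage call are placeholders that the operator replaces with the values from the Microsoft release note for each OS build.

```powershell
# Added example (not from the NSFOCUS advisory): fleet-wide check that the
# February 2022 cumulative update is installed, plus Print Spooler exposure.
# Assumptions: WinRM enabled; KB IDs, host names and build thresholds below
# are placeholders to be taken from the Microsoft release note.

function Test-FebruaryPatch {
    [CmdletBinding()]
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        # KB article IDs of the cumulative updates for the OS builds in scope
        [Parameter(Mandatory)] [string[]] $ExpectedKB,
        # Map of CurrentBuild (string) -> minimum UBR revision that contains the fix
        [hashtable] $MinimumRevision = @{}
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $ExpectedKB, $MinimumRevision -ScriptBlock {
        param($kbs, $minRev)

        # CurrentBuild and UBR come from the registry. UBR rises with every
        # cumulative update, so it catches hosts where a later LCU superseded
        # the February package and Get-HotFix no longer lists the February KB.
        $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $build = [string]$ver.CurrentBuild
        $ubr   = [int]$ver.UBR

        $installed = @(Get-HotFix | Where-Object { $kbs -contains $_.HotFixID } |
                       Select-Object -ExpandProperty HotFixID)
        $buildOk = if ($minRev.ContainsKey($build)) { $ubr -ge [int]$minRev[$build] } else { $null }

        $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            Build          = "$build.$ubr"
            KBInstalled    = ($installed -join ',')
            BuildAtOrAbove = $buildOk          # $null = no threshold supplied for this build
            Patched        = ($installed.Count -gt 0) -or ($buildOk -eq $true)
            SpoolerRunning = [bool]($spooler -and $spooler.Status -eq 'Running')
            SpoolerStartup = if ($spooler) { [string]$spooler.StartType } else { 'NotInstalled' }
        }
    }
}

# Usage with placeholder values (replace with the real KB and build numbers).
$results = Test-FebruaryPatch -ComputerName 'srv01', 'srv02' `
    -ExpectedKB 'KB5010000' `
    -MinimumRevision @{ '19044' = 1500; '20348' = 500 }

$results | Format-Table -AutoSize

# Unpatched hosts that still run the spooler are the first to act on: install
# the standalone package from the Microsoft Update Catalog, and disable the
# spooler on servers that do not print (domain controllers in particular).
$results | Where-Object { -not $_.Patched -and $_.SpoolerRunning } |
    ForEach-Object { Write-Warning "$($_.Computer): unpatched and Print Spooler running" }
```

Hosts whose BuildAtOrAbove is empty simply had no threshold supplied for their build; add the build to the map rather than treating them as patched.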
Appendix
Affected product | CVE No. | Vulnerability name | Severity |
Azure | CVE-2022-23256 | Azure Data Explorer spoofing vulnerability | Important |
Microsoft Dynamics | CVE-2022-21957 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Important |
Microsoft Dynamics | CVE-2022-23269 | Microsoft Dynamics GP spoofing vulnerability | Important |
Microsoft Dynamics | CVE-2022-23271 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important |
Microsoft Dynamics | CVE-2022-23272 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important |
Microsoft Dynamics | CVE-2022-23273 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important |
Microsoft Dynamics | CVE-2022-23274 | Microsoft Dynamics GP Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2022-21965 | Microsoft Teams Denial of Service Vulnerability | Important |
Microsoft Office | CVE-2022-21987 | Microsoft SharePoint Server spoofing vulnerability | Important |
Microsoft Office | CVE-2022-21988 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2022-21968 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important |
Microsoft Office | CVE-2022-22716 | Microsoft Excel Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2022-22003 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2022-22004 | Microsoft Office ClickToRun Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2022-23252 | Microsoft Office Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2022-23255 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability | Important |
Microsoft Office | CVE-2022-23280 | Microsoft Outlook for Mac Security Feature Bypass Vulnerability | Important |
Microsoft Visual Studio, Visual Studio, .NET | CVE-2022-21986 | .NET Denial of Service Vulnerability | Important |
PowerBI-client JS SDK | CVE-2022-23254 | Microsoft Power BI Information Disclosure Vulnerability | Important |
SQL Server | CVE-2022-23276 | SQL Server for Linux Containers Privilege Escalation Vulnerability | Important |
Visual Studio Code | CVE-2022-21991 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-21971 | Windows Runtime Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-21981 | Windows Common Log File System Driver Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-21974 | Roaming Security Rights Management Services Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-21844 | HEVC Video Extensions Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-21926 | HEVC Video Extensions Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-21927 | HEVC Video Extensions Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-22709 | VP9 Video Extensions Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-22710 | Windows Common Log File System Driver Denial of Service Vulnerability | Important |
Windows | CVE-2022-22712 | Windows Hyper-V Denial of Service Vulnerability | Important |
Windows | CVE-2022-22715 | Named Pipe File System Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-22717 | Windows Print Spooler Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-22718 | Windows Print Spooler Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-21984 | Windows DNS Server Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-21985 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | Important |
Windows | CVE-2022-21989 | Windows Kernel Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-21992 | Windows Mobile Device Management Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-21993 | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | Important |
Windows | CVE-2022-21994 | Windows DWM Core Library Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-21995 | Windows Hyper-V Remote Code Execution Vulnerability | Important |
Windows | CVE-2022-21996 | Win32k Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-21997 | Windows Print Spooler Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-21998 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important |
Windows | CVE-2022-21999 | Windows Print Spooler Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-22000 | Windows Common Log File System Driver Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-22001 | Windows Remote Access Connection Manager Privilege Escalation Vulnerability | Important |
Windows | CVE-2022-22002 | Windows User Account Profile Picture Denial of Service Vulnerability | Important |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world's five largest financial institutions, organizations in insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.