Overview
On March 9, NSFOCUS CERT detected that Microsoft had released its March security update, which fixes 71 security issues in Windows, Exchange Server, Remote Desktop Client, Azure and other products, including high-risk vulnerability types such as privilege escalation and remote code execution.
Among the vulnerabilities fixed by Microsoft’s update this month, there are 3 critical vulnerabilities and 68 important vulnerabilities, including 3 0-day vulnerabilities:
Remote Desktop Client Remote Code Execution Vulnerability (CVE-2022-21990)
Windows Fax and Scan Service Privilege Escalation Vulnerability (CVE-2022-24459)
.NET and Visual Studio Remote Code Execution Vulnerability (CVE-2022-24512)
Affected users should apply the patches as soon as possible. For the complete list of vulnerabilities, see the appendix.
NSFOCUS Remote Security Assessment System (RSAS) can detect most of the vulnerabilities fixed in this Microsoft update (including CVE-2022-21990, CVE-2022-23285, CVE-2022-23278, CVE-2022-24508 and other high-risk vulnerabilities). Watch for the RSAS plug-in upgrade package and upgrade to V6.0R02F01.2608 in time. Official website link: http://update.nsfocus.com/update/listRsasDetail/v/vulsys
Reference link: https://msrc.microsoft.com/update-guide/en-us/releaseNote/2022-Mar
Description of Major Vulnerabilities
Based on product popularity and vulnerability severity, the most influential vulnerabilities in this update are selected below. Relevant users should pay attention to them:
Remote Desktop Client Remote Code Execution Vulnerability (CVE-2022-21990/CVE-2022-23285):
In a remote desktop connection, when the victim’s remote desktop client connects to an attacker-controlled server, the attacker controlling the remote desktop server could trigger the vulnerability on the RDP client computer to execute arbitrary code with user rights on the target system. The CVSS score was 8.8.
Reference link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21990
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-23285
Windows Fax and Scan Service Privilege Escalation Vulnerability (CVE-2022-24459):
A privilege escalation vulnerability exists in Windows Fax and Scan Service, which can be exploited by a local attacker with ordinary user privileges to escalate to SYSTEM privileges without user interaction. The CVSS score was 7.8.
Windows Fax and Scan Service (Fax and Scan Service) is a component developed by Microsoft and built into Microsoft Windows for faxing and scanning documents. It only appears in some Windows Vista versions of the operating system.
Reference link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24459
.NET and Visual Studio Remote Code Execution Vulnerability (CVE-2022-24512):
A remote code execution vulnerability exists in .NET and Visual Studio, which can be exploited by a remote attacker without authentication to execute arbitrary code with user privileges on the target system.
Reference link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24512
HEVC Video Extensions Remote Code Execution Vulnerability (CVE-2022-22006):
By crafting a malicious file, an attacker who successfully induces a user to download and open the malicious file on the affected system can exploit this vulnerability to execute arbitrary code with user privileges on the target system. The CVSS score was 7.8.
HEVC Video Extensions is a video extension application developed by Microsoft Corporation that allows computers and utility devices to read High Efficiency Video Coding or HEVC videos.
Reference link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22006
VP9 Video Extensions Remote Code Execution Vulnerability (CVE-2022-24501):
By crafting a malicious file, an attacker who successfully induces a user to download and open the malicious file on the affected system can exploit this vulnerability to execute arbitrary code with user privileges on the target system. The CVSS score was 7.8.
Reference link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24501
Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2022-23277):
A remote code execution vulnerability in Exchange Server could allow an authenticated remote attacker to trigger malicious code in the context of the server account via a network call, executing arbitrary code on the target system.
Reference link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-23277
Azure Site Recovery Privilege Escalation Vulnerability (CVE-2022-24469):
A privilege escalation vulnerability exists in Azure Site Recovery. An attacker with low privileges who can establish a network connection to the replication device can ultimately exploit it to escalate to SYSTEM privileges on the target system without user interaction.
Reference link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24469
Windows SMBv3 Client/Server Remote Code Execution Vulnerability (CVE-2022-24508):
A remote code execution vulnerability exists in Windows SMBv3 Client/Server, which can be exploited by a remote attacker with low privileges to execute arbitrary code with user privileges on the target system without user interaction. The CVSS score was 8.8.
Reference link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24508
Scope of Impact
The following are the affected product versions for the key vulnerabilities described above. For other products affected by these vulnerabilities, please refer to the official announcement links.
Vulnerability No. | Affected Product Version |
CVE-2022-21990 | Windows 10 Version 21H2 for ARM64; Windows 10 Version 21H2 for 32; Windows 11 for ARM64; Windows Server 2016 (Server Core installation); Windows Server 2016; Windows 10 Version 1607 for x64; Windows 10 Version 1607 for 32; Windows 10 for x64; Windows 10 for 32; Windows 10 Version 21H2 for x64; Windows 11 for x64; Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for ARM64; Windows 10 Version 20H2 for 32; Windows 10 Version 20H2 for x64; Windows Server 2022 (Server Core installation); Windows Server 2022; Windows 10 Version 21H1 for 32; Windows 10 Version 21H1 for ARM64; Windows 10 Version 21H1 for x64; Remote Desktop client for Windows Desktop; Windows 10 Version 1909 for ARM64; Windows 10 Version 1909 for x64; Windows 10 Version 1909 for 32; Windows Server 2019 (Server Core installation); Windows Server 2019; Windows 10 Version 1809 for ARM64; Windows 10 Version 1809 for x64; Windows Server 2012 R2 (Server Core installation); Windows Server 2012 R2; Windows Server 2012 (Server Core installation); Windows Server 2012; Windows Server 2008 R2 for x64; Windows Server 2008 R2 for x64; Windows Server 2008 for x64; Windows Server 2008 for x64; Windows Server 2008 for 32; Windows Server 2008 for 32; Windows RT 8.1; Windows 8.1 for x64; Windows 8.1 for 32; Windows 7 for x64; Windows 7 for 32; Windows 10 Version 1809 for 32 |
CVE-2022-23285 | Windows RT 8.1; Windows Server 2019 (Server Core installation); Windows Server 2019; Windows 10 Version 1809 for ARM64; Windows 10 Version 1809 for x64; Windows 10 Version 1809 for 32; Windows Server 2012; Windows Server 2008 R2 for x64; Windows Server 2008 R2 for x64; Windows 10 Version 20H2 for x64; Windows Server 2022 (Server Core installation); Windows Server 2022; Windows 10 Version 21H1 for 32; Windows 10 Version 21H1 for ARM64; Windows 10 Version 21H1 for x64; Windows 10 Version 1909 for ARM64; Windows 10 Version 1909 for x64; Windows 10 Version 1909 for 32; Windows Server 2012 R2 (Server Core installation); Windows Server 2012 R2; Windows Server 2012 (Server Core installation); Windows 8.1 for x64; Windows 8.1 for 32; Windows 7 for x64; Windows 7 for 32; Windows Server 2016 (Server Core installation); Windows Server 2016; Windows 10 Version 1607 for x64; Windows 10 Version 1607 for 32; Windows 10 for x64; Windows 10 for 32; Windows 10 Version 21H2 for x64; Windows 10 Version 21H2 for ARM64; Windows 10 Version 21H2 for 32; Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for ARM64; Windows 10 Version 20H2 for 32 |
CVE-2022-24459 | Windows Server 2008 for x64; Windows Server 2008 for x64; Windows Server 2008 for 32; Windows Server 2008 for 32; Windows RT 8.1; Windows 10 for 32; Windows Server 2008 R2 for x64; Windows Server 2008 R2 for x64; Windows 10 Version 21H2 for x64; Windows 10 Version 21H2 for ARM64; Windows 10 Version 21H2 for 32; Windows 11 for ARM64; Windows Server 2012 R2 (Server Core installation); Windows Server 2012 R2; Windows Server 2012 (Server Core installation); Windows Server 2012; Windows 8.1 for x64; Windows 8.1 for 32; Windows 7 for x64; Windows 7 for 32; Windows Server 2016 (Server Core installation); Windows Server 2016; Windows 10 Version 1607 for x64; Windows 10 Version 1607 for 32; Windows 10 for x64; Windows 10 Version 1809 for 32; Windows 11 for x64; Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for ARM64; Windows 10 Version 20H2 for 32; Windows 10 Version 20H2 for x64; Windows Server 2022 (Server Core installation); Windows Server 2022; Windows 10 Version 21H1 for 32; Windows 10 Version 21H1 for ARM64; Windows 10 Version 21H1 for x64; Windows 10 Version 1909 for ARM64; Windows 10 Version 1909 for x64; Windows 10 Version 1909 for 32; Windows Server 2019 (Server Core installation); Windows Server 2019; Windows 10 Version 1809 for ARM64; Windows 10 Version 1809 for x64 |
CVE-2022-24512 | Microsoft Visual Studio 2019 version 16.9 (includes 16.0); Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6); .NET Core 3.1; .NET 6.0; .NET 5.0; Microsoft Visual Studio 2022 version 17.0; Microsoft Visual Studio 2019 version 16.11 (includes 16.0 – 16.10) |
CVE-2022-22006 | HEVC Video Extensions |
CVE-2022-24501 | VP9 Video Extensions |
CVE-2022-23277 | Microsoft Exchange Server 2019 Cumulative Update 11; Microsoft Exchange Server 2016 Cumulative Update 22; Microsoft Exchange Server 2019 Cumulative Update 10; Microsoft Exchange Server 2016 Cumulative Update 21; Microsoft Exchange Server 2013 Cumulative Update 23 |
CVE-2022-24469 | Azure Site Recovery VMWare to Azure |
CVE-2022-24508 | Windows 10 Version 21H1 for 32; Windows 10 Version 21H1 for ARM64; Windows 10 Version 21H1 for x64; Windows 10 Version 20H2 for 32; Windows 10 Version 20H2 for x64; Windows Server 2022 Azure Edition Core Hotpatch; Windows Server 2022 (Server Core installation); Windows Server 2022; Windows 10 Version 21H2 for x64; Windows 10 Version 21H2 for ARM64; Windows 10 Version 21H2 for 32; Windows 11 for ARM64; Windows 11 for x64; Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for ARM64 |
Mitigation
At present, Microsoft has officially released a security patch to fix the above vulnerabilities for supported product versions. It is strongly recommended that affected users install the patch as soon as possible for protection. The official download link:
https://msrc.microsoft.com/update-guide/en-us/releaseNote/2022-Mar
Note: A Windows Update patch installation may fail because of network problems, problems in the computer environment, and similar causes. After installing the patch, users should promptly check whether it was installed successfully.
Right-click the Windows icon, select “Settings (N)”, select “Update and Security” – “Windows Update”, and view the prompt information on this page. You can also click “View Update History” to view the historical update status.
For updates that were not installed successfully, click the update name to jump to the official Microsoft download page. It is recommended that users follow the link on that page to the “Microsoft Update Catalog” website, then download and install the standalone package.
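The same check can be scripted for use across many hosts. The following PowerShell is an added example, not part of the NSFOCUS advisory: it compares installed hotfixes against a list of expected KB numbers and reads the update history through the Windows Update Agent COM API. The function name Test-PatchInstall is hypothetical and KB0000000 is a placeholder; take the real KB numbers for each OS build from the MSRC release note linked above.

```powershell
# Added example: confirm that Windows Update really installed the expected patches.
# Test-PatchInstall is a hypothetical helper name; 'KB0000000' is a placeholder, not a real KB.
function Test-PatchInstall {
    param(
        [string[]]$ExpectedKb = @('KB0000000'),
        [datetime]$Since = (Get-Date).AddDays(-30)   # history window to inspect
    )

    # 1. Which of the expected KBs are registered as installed hotfixes?
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $kbStatus = foreach ($kb in $ExpectedKb) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }

    # 2. Same data as "View Update History", read via the Windows Update Agent.
    #    OperationResultCode values: 2 = Succeeded, 4 = Failed, and so on.
    $resultNames = @{
        0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
        3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
    }
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $history  = @()
    if ($total -gt 0) {
        $history = @(
            $searcher.QueryHistory(0, $total) |
                Where-Object { $_.Date -ge $Since -and $_.Operation -eq 1 } |  # 1 = installation
                ForEach-Object {
                    [pscustomobject]@{
                        Date    = $_.Date                       # reported in UTC
                        Result  = $resultNames[[int]$_.ResultCode]
                        HResult = '0x{0:X8}' -f $_.HResult      # error code to look up on failure
                        Title   = $_.Title
                    }
                }
        )
    }

    [pscustomobject]@{
        KbStatus     = @($kbStatus)
        NotSucceeded = @($history | Where-Object { $_.Result -ne 'Succeeded' })
        History      = $history
    }
}

# Report missing KBs and any installation that did not end in 'Succeeded'.
$report = Test-PatchInstall -ExpectedKb 'KB0000000'
$report.KbStatus     | Where-Object { -not $_.Installed } | Format-Table -AutoSize
$report.NotSucceeded | Sort-Object Date -Descending       | Format-Table -AutoSize
```

Get-HotFix only lists updates to Windows components, so products such as Exchange Server, .NET, Visual Studio, or the HEVC and VP9 Video Extensions need their own version check.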
Appendix
CVE ID | Vulnerability Name | Severity |
CVE-2022-23277 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical |
CVE-2022-22006 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
CVE-2022-24501 | VP9 Video Extensions Remote Code Execution Vulnerability | Critical |
CVE-2022-24512 | .NET and Visual Studio Remote Code Execution Vulnerability | Important |
CVE-2022-24464 | .NET and Visual Studio Denial of Service Vulnerability | Important |
CVE-2020-8927 | Brotli Library Buffer Overflow Vulnerability | Important |
CVE-2022-24506 | Azure Site Recovery Elevation of Privilege Vulnerability | Important |
CVE-2022-24517 | Azure Site Recovery Remote Code Execution Vulnerability | Important |
CVE-2022-24470 | Azure Site Recovery Remote Code Execution Vulnerability | Important |
CVE-2022-24471 | Azure Site Recovery Remote Code Execution Vulnerability | Important |
CVE-2022-24520 | Azure Site Recovery Remote Code Execution Vulnerability | Important |
CVE-2022-24518 | Azure Site Recovery Elevation of Privilege Vulnerability | Important |
CVE-2022-24519 | Azure Site Recovery Elevation of Privilege Vulnerability | Important |
CVE-2022-24515 | Azure Site Recovery Elevation of Privilege Vulnerability | Important |
CVE-2022-24467 | Azure Site Recovery Remote Code Execution Vulnerability | Important |
CVE-2022-24468 | Azure Site Recovery Remote Code Execution Vulnerability | Important |
CVE-2022-24469 | Azure Site Recovery Elevation of Privilege Vulnerability | Important |
CVE-2022-23278 | Microsoft Defender Endpoint Spoofing Vulnerability | Important |
CVE-2022-23265 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important |
CVE-2022-23266 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | Important |
CVE-2022-24463 | Microsoft Exchange Server Spoofing Vulnerability | Important |
CVE-2022-24465 | Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability | Important |
CVE-2022-24510 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
CVE-2022-24509 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
CVE-2022-24461 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
CVE-2022-24462 | Microsoft Word Security Feature Bypass Vulnerability | Important |
CVE-2022-24511 | Microsoft Office Word Tampering Vulnerability | Important |
CVE-2022-23287 | Windows ALPC Elevation of Privilege Vulnerability | Important |
CVE-2022-24505 | Windows ALPC Elevation of Privilege Vulnerability | Important |
CVE-2022-23283 | Windows ALPC Elevation of Privilege Vulnerability | Important |
CVE-2022-24451 | VP9 Video Extensions Remote Code Execution Vulnerability | Important |
CVE-2022-22007 | HEVC Video Extensions Remote Code Execution Vulnerability | Important |
CVE-2022-24452 | HEVC Video Extensions Remote Code Execution Vulnerability | Important |
CVE-2022-24453 | HEVC Video Extensions Remote Code Execution Vulnerability | Important |
CVE-2022-24457 | HEIF Image Extensions Remote Code Execution Vulnerability | Important |
CVE-2022-24456 | HEVC Video Extension Remote Code Execution Vulnerability | Important |
CVE-2022-22010 | Media Foundation Information Disclosure Vulnerability | Important |
CVE-2022-21977 | Media Foundation Information Disclosure Vulnerability | Important |
CVE-2022-23295 | Raw Image Extension Remote Code Execution Vulnerability | Important |
CVE-2022-23300 | Raw Image Extension Remote Code Execution Vulnerability | Important |
CVE-2022-23301 | HEVC Video Extension Remote Code Execution Vulnerability | Important |
CVE-2022-23282 | Paint 3D Remote Code Execution Vulnerability | Important |
CVE-2022-21975 | Windows Hyper-V Denial of Service Vulnerability | Important |
CVE-2022-24522 | Skype Extension for Chrome Information Disclosure Vulnerability | Important |
CVE-2022-24460 | Tablet Windows User Interface Application Elevation of Privilege Vulnerability | Important |
CVE-2022-24526 | Visual Studio Code Spoofing Vulnerability | Important |
CVE-2022-24507 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
CVE-2022-24455 | Windows CD-ROM Driver Elevation of Privilege Vulnerability | Important |
CVE-2022-23286 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
CVE-2022-23290 | Windows Inking COM Elevation of Privilege Vulnerability | Important |
CVE-2022-23281 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important |
CVE-2022-23291 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important |
CVE-2022-23288 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important |
CVE-2022-23294 | Windows Event Tracing Remote Code Execution Vulnerability | Important |
CVE-2022-23293 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important |
CVE-2022-24459 | Windows Fax and Scan Service Elevation of Privilege Vulnerability | Important |
CVE-2022-24502 | Windows HTML Platforms Security Feature Bypass Vulnerability | Important |
CVE-2022-23296 | Windows Installer Elevation of Privilege Vulnerability | Important |
CVE-2022-23297 | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | Important |
CVE-2022-23298 | Windows NT OS Kernel Elevation of Privilege Vulnerability | Important |
CVE-2022-21973 | Windows Media Center Update Denial of Service Vulnerability | Important |
CVE-2022-23299 | Windows PDEV Elevation of Privilege Vulnerability | Important |
CVE-2022-23253 | Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Important |
CVE-2022-23284 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
CVE-2022-21990 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
CVE-2022-23285 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
CVE-2022-24503 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
CVE-2022-24454 | Windows Security Support Provider Interface Elevation of Privilege Vulnerability | Important |
CVE-2022-24508 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability | Important |
CVE-2022-24525 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
CVE-2022-21967 | Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability | Important |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.