VERT Threat Alert: January 2022 Patch Tuesday Analysis
Today’s VERT Alert addresses Microsoft’s January 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-981 on Wednesday, January 12th.
In-The-Wild & Disclosed CVEs
This vulnerability was a bypass to CVE-2021-34484, released by the same researcher, Abdelhamid Naceri. The researcher first tweeted about the bypass on October 22 and shared a blog post with details and links to a proof of concept. According to Naceri, the initial fix only removed CDirectoryRemove based on the original proof of concept that was provided, it did not resolve the underlying issue, which has been fixed with today’s update.
Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.
This vulnerability describes an issue in the libarchive library which is used by Windows. The vulnerability was found by OSS-Fuzz in March 2021 and disclosed in June 2021. The libarchive library was updated in August 2021 and Microsoft is now issuing an update in January 2022. Details around the OSS-Fuzz reported issue can be found here.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
This vulnerability was first disclosed in a blog post from Eclypsium on September 23, 2021. Expired and revoked certificates could be used to bypass binary verification in the Windows Platform Binary Table (WPBT). According to Microsoft, “The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration.” This patch and advisory do two things. First, the patch adds compromised certificates to the Windows kernel driver block list (driver.stl) to block the compromised signing certificates. Second, the advisory also advises that people setup Windows Defender Application Control (WDAC) to restrict which binaries can be executed on a system.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
This vulnerability describes a local denial of service vulnerability with Windows Event Tracing Discretionary Access Control Lists (DACLs). DACLs are Access Control Lists that identify who can access a Windows object. If the object does not have a DACL, the system will provide everyone access to it.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
A code execution vulnerability exists within the Windows Security Center API. The local vulnerability requires user interaction but could allow for a full compromise of confidentiality, integrity, and availability.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE-2021-22947 is a vulnerability in curl that was introduced in 2009 and fixed in September 2021. The fix was released in curl 7.79.0 on September 15, 2021 and a security advisory was published. Windows uses the curl library and Microsoft has patched it as part of the January 2022 patch drop. The vulnerability itself is a man-in-the-middle, where traffic not protected by TLS can be injected into communication between the client and server that will be processed by curl as if it came from a TLS-protected connection.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be bold
| Tag | CVE Count | CVEs |
| Windows IKE Extension | 6 | CVE-2022-21843, CVE-2022-21883, CVE-2022-21848, CVE-2022-21849, CVE-2022-21889, CVE-2022-21890 |
| Windows HTTP Protocol Stack | 1 | CVE-2022-21907 |
| Windows Storage | 1 | CVE-2022-21875 |
| Open Source Software | 1 | CVE-2021-22947 |
| Tablet Windows User Interface | 1 | CVE-2022-21870 |
| Windows Clipboard User Service | 1 | CVE-2022-21869 |
| Windows Workstation Service Remote Protocol | 1 | CVE-2022-21924 |
| Windows Application Model | 1 | CVE-2022-21862 |
| Windows Cryptographic Services | 1 | CVE-2022-21835 |
| Windows Installer | 1 | CVE-2022-21908 |
| Microsoft Dynamics | 2 | CVE-2022-21932, CVE-2022-21891 |
| Windows Storage Spaces Controller | 1 | CVE-2022-21877 |
| Windows Secure Boot | 1 | CVE-2022-21894 |
| Windows DirectX | 3 | CVE-2022-21918, CVE-2022-21912, CVE-2022-21898 |
| Windows Kerberos | 1 | CVE-2022-21920 |
| Windows Local Security Authority Subsystem Service | 1 | CVE-2022-21884 |
| Microsoft Office SharePoint | 1 | CVE-2022-21837 |
| Microsoft Windows Codecs Library | 1 | CVE-2022-21917 |
| Windows User-mode Driver Framework | 1 | CVE-2022-21834 |
| Windows Task Flow Data Engine | 1 | CVE-2022-21861 |
| Microsoft Office Excel | 1 | CVE-2022-21841 |
| Microsoft Graphics Component | 4 | CVE-2022-21915, CVE-2022-21880, CVE-2022-21903, CVE-2022-21904 |
| Windows Event Tracing | 2 | CVE-2022-21839, CVE-2022-21872 |
| Windows Cleanup Manager | 1 | CVE-2022-21838 |
| Windows Kernel | 2 | CVE-2022-21879, CVE-2022-21881 |
| Windows DWM Core Library | 3 | CVE-2022-21852, CVE-2022-21902, CVE-2022-21896 |
| Windows User Profile Service | 2 | CVE-2022-21919, CVE-2022-21895 |
| Microsoft Office Word | 1 | CVE-2022-21842 |
| Windows Remote Access Connection Manager | 2 | CVE-2022-21885, CVE-2022-21914 |
| Windows Push Notifications | 1 | CVE-2022-21867 |
| Microsoft Office | 1 | CVE-2022-21840 |
| Windows Remote Procedure Call Runtime | 1 | CVE-2022-21922 |
| Windows Defender | 2 | CVE-2022-21906, CVE-2022-21921 |
| Windows Remote Desktop | 1 | CVE-2022-21964 |
| Windows Bind Filter Driver | 1 | CVE-2022-21858 |
| Windows Active Directory | 1 | CVE-2022-21857 |
| Windows Certificates | 1 | CVE-2022-21836 |
| Microsoft Exchange Server | 3 | CVE-2022-21846, CVE-2022-21855, CVE-2022-21969 |
| Windows RDP | 3 | CVE-2022-21893, CVE-2022-21850, CVE-2022-21851 |
| Windows Geolocation Service | 1 | CVE-2022-21878 |
| .NET Framework | 1 | CVE-2022-21911 |
| Windows StateRepository API | 1 | CVE-2022-21863 |
| Windows Common Log File System Driver | 2 | CVE-2022-21916, CVE-2022-21897 |
| Windows BackupKey Remote Protocol | 1 | CVE-2022-21925 |
| Windows System Launcher | 1 | CVE-2022-21866 |
| Windows Libarchive | 1 | CVE-2021-36976 |
| Windows Win32K | 3 | CVE-2022-21876, CVE-2022-21882, CVE-2022-21887 |
| Windows Resilient File System (ReFS) | 8 | CVE-2022-21892, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963, CVE-2022-21928 |
| Windows Connected Devices Platform Service | 1 | CVE-2022-21865 |
| Windows Modern Execution Server | 1 | CVE-2022-21888 |
| Windows Local Security Authority | 1 | CVE-2022-21913 |
| Role: Windows Hyper-V | 4 | CVE-2022-21900, CVE-2022-21901, CVE-2022-21905, CVE-2022-21847 |
| Windows Diagnostic Hub | 1 | CVE-2022-21871 |
| Windows Devices Human Interface | 1 | CVE-2022-21868 |
| Microsoft Edge (Chromium-based) | 29 | CVE-2022-21929, CVE-2022-21930, CVE-2022-21931, CVE-2022-21954, CVE-2022-21970, CVE-2022-0096, CVE-2022-0097, CVE-2022-0098, CVE-2022-0099, CVE-2022-0100, CVE-2022-0101, CVE-2022-0102, CVE-2022-0103, CVE-2022-0104, CVE-2022-0105, CVE-2022-0106, CVE-2022-0107, CVE-2022-0108, CVE-2022-0109, CVE-2022-0110, CVE-2022-0111, CVE-2022-0112, CVE-2022-0113, CVE-2022-0114, CVE-2022-0115, CVE-2022-0116, CVE-2022-0117, CVE-2022-0118, CVE-2022-0120 |
| Windows UI Immersive Server | 1 | CVE-2022-21864 |
| Windows AppContracts API Server | 1 | CVE-2022-21860 |
| Windows UEFI | 1 | CVE-2022-21899 |
| Windows Tile Data Repository | 1 | CVE-2022-21873 |
| Windows Cluster Port Driver | 1 | CVE-2022-21910 |
| Windows Virtual Machine IDE Drive | 1 | CVE-2022-21833 |
| Windows Account Control | 1 | CVE-2022-21859 |
| Windows Security Center | 1 | CVE-2022-21874 |
Other Information
There were no new advisories included with the January Security Guidance.
The post ” VERT Threat Alert: January 2022 Patch Tuesday Analysis” appeared first on TripWire
Source:TripWire – Tyler Reguly