Microsoft security alert.
January 11, 2022
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 95 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Office Security Update for January 2022
- Severity
- Urgent 5
- Qualys ID
- 110398
- Vendor Reference
- KB4462205, KB5002052, KB5002057, KB5002060, KB5002064, KB5002107, KB5002114, KB5002115, KB5002116, KB5002119, KB5002122, KB5002124, KB5002128
- CVE Reference
- CVE-2022-21840, CVE-2022-21841, CVE-2022-21842
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft has released January 2022 security updates to fix multiple security vulnerabilities.
This security update contains the following:
MacOS Release Notes
Office Click-2-Run and Office 365 Release Notes
KB5002057
KB5002119
KB5002116
KB5002122
KB5002064
KB5002124
KB4462205
KB5002128
KB5002060
KB5002115
KB5002052
KB5002114
KB5002107QID Detection Logic (Authenticated): MacOs
This QID looks for the vulnerable version of Apps- Microsoft Excel, Microsoft Word, Microsoft PowerPoint, and Microsoft Outlook installed on MacOS.
QID Detection Logic (Authenticated): Windows
This QID looks for registry keys HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot,HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot, HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot, HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot while checking for files "stslist.dll" and "Graph.exe". For MS Excel, it checks for registry keys HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot, HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot and looks for file "winword.exe", "excel.exe". Apart from these registry keys and files, the QID scans files named acecore.dll and mso.dll to check for vulnerable versions.
Note: Office click-2-run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch. - Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
MacOS Release Notes
Office Click-2-Run and Office 365 Release Notes
KB5002057
KB5002119
KB5002116
KB5002122
KB5002064
KB5002124
KB4462205
KB5002128
KB5002060
KB5002115
KB5002052
KB5002114
KB5002107Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft office January 2022
-
Microsoft SharePoint Enterprise Server and Foundation Multiple Vulnerabilities for January 2022
- Severity
- Urgent 5
- Qualys ID
- 110399
- Vendor Reference
- KB5001995, KB5002102, KB5002108, KB5002109, KB5002110, KB5002111, KB5002113, KB5002118, KB5002127, KB5002129
- CVE Reference
- CVE-2022-21837, CVE-2022-21840, CVE-2022-21842
- CVSS Scores
- Base 9 / Temporal 6.7
- Description
-
Microsoft has released January 2022 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5002113
KB5002118
KB5002127
KB5002111
KB5002109
KB5002129
KB5002110
KB5002108
KB5001995
KB5002102QID Detection Logic:
This authenticated QID checks the file versions from the above Microsoft KB article with the versions on the affected SharePoint system. - Consequence
-
Successful exploitation allows remote code execution.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
KB5002113
KB5002118
KB5002127
KB5002111
KB5002109
KB5002129
KB5002110
KB5002108
KB5001995
KB5002102Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update
-
Microsoft Windows Internet Key Exchange (IKE) Extension Multiple Vulnerabilities for January 2022
- Severity
- Critical 4
- Qualys ID
- 376232
- Vendor Reference
- CVE-2022-21843, CVE-2022-21848, CVE-2022-21849, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890
- CVE Reference
- CVE-2022-21843, CVE-2022-21848, CVE-2022-21849, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
CVE-2022-21889,CVE-2022-21843,CVE-2022-21883,CVE-2022-21848,CVE-2022-21890: Windows IKE Extension Denial of Service Vulnerability
CVE-2022-21849: Windows IKE Extension Remote Code Execution VulnerabilityAffected Versions
Windows IKE affected with the IPSec service runningQID Detection Logic(Authenticated):
This authenticated QID flags vulnerable systems by detecting the file version of %windir%\system32\ikeext.dll - Consequence
- Successful exploitation of this vulnerability can lead to denial of service and execution of remote code, which may aid further attacks.
- Solution
-
Microsoft has released patch for updates pertaining these vulnerabilities. For more information, please check advisory.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-21843
CVE-2022-21848
CVE-2022-21849
CVE-2022-21883
CVE-2022-21889
CVE-2022-21890
-
Microsoft Exchange Server Remote Code Execution (RCE) Vulnerability for January 2022
- Severity
- Critical 4
- Qualys ID
- 50118
- Vendor Reference
- CVE-2022-21846, CVE-2022-21855, CVE-2022-21969
- CVE Reference
- CVE-2022-21846, CVE-2022-21855, CVE-2022-21969
- CVSS Scores
- Base 8.3 / Temporal 6.5
- Description
-
Microsoft Exchange Server Remote Code Execution Vulnerability
KB Articles associated with this update are: KB5008631
Affected Versions:
Microsoft Exchange Server 2019 Cumulative Update 11
Microsoft Exchange Server 2016 Cumulative Update 22
Microsoft Exchange Server 2019 Cumulative Update 10
Microsoft Exchange Server 2016 Cumulative Update 21
Microsoft Exchange Server 2013 Cumulative Update 23QID Detection Logic (authenticated):
The QID checks for the version of file Exsetup.exe.
- Consequence
-
Successful exploitation allows attackers to execute remote code.
- Solution
-
Customers are advised to refer to KB5008631 for information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-21846
CVE-2022-21855
CVE-2022-21969
-
Microsoft Windows Security Update for January 2022
- Severity
- Critical 4
- Qualys ID
- 91851
- Vendor Reference
- KB5009543, KB5009545, KB5009546, KB5009555, KB5009557, KB5009566, KB5009585, KB5009586, KB5009595, KB5009601, KB5009610, KB5009619, KB5009621, KB5009624, KB5009627
- CVE Reference
- CVE-2021-22947, CVE-2021-36976, CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21836, CVE-2022-21838, CVE-2022-21839, CVE-2022-21847, CVE-2022-21850, CVE-2022-21851, CVE-2022-21852, CVE-2022-21857, CVE-2022-21858, CVE-2022-21859, CVE-2022-21860, CVE-2022-21861, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21865, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21869, CVE-2022-21870, CVE-2022-21871, CVE-2022-21872, CVE-2022-21873, CVE-2022-21874, CVE-2022-21875, CVE-2022-21876, CVE-2022-21877, CVE-2022-21878, CVE-2022-21879, CVE-2022-21880, CVE-2022-21881, CVE-2022-21882, CVE-2022-21884, CVE-2022-21885, CVE-2022-21887, CVE-2022-21888, CVE-2022-21892, CVE-2022-21893, CVE-2022-21894, CVE-2022-21895, CVE-2022-21896, CVE-2022-21897, CVE-2022-21898, CVE-2022-21899, CVE-2022-21900, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21904, CVE-2022-21905, CVE-2022-21906, CVE-2022-21907, CVE-2022-21908, CVE-2022-21910, CVE-2022-21912, CVE-2022-21913, CVE-2022-21914, CVE-2022-21915, CVE-2022-21916, CVE-2022-21918, CVE-2022-21919, CVE-2022-21920, CVE-2022-21921, CVE-2022-21922, CVE-2022-21924, CVE-2022-21925, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963, CVE-2022-21964
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
Microsoft Windows Security Update - January 2022
The KB Articles associated with the update:
KB5009543
KB5009555
KB5009557
KB5009545
KB5009624
KB5009595
KB5009586
KB5009619
KB5009610
KB5009621
KB5009546
KB5009585
KB5009566
KB5009627
KB5009601
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB5009543 - 10.0.19041.1466
KB5009555 - 10.0.20348.469
KB5009557 - 10.0.17763.2452
KB5009545 - 10.0.18362.2037
KB5009624 - 6.3.9600.20237
KB5009595 - 6.3.9600.20237
KB5009586 - 6.2.9200.23581
KB5009619 - 6.2.9200.23581
KB5009610 - 6.1.7601.25827
KB5009621 - 6.1.7601.25827
KB5009546 - 10.0.14393.4886
KB5009585 - 10.0.10240.19177
KB5009566 - 10.0.22000.434
KB5009627 - 6.0.6003.21348
KB5009601 - 6.0.6003.21348 - Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to the KB5009543
KB5009555
KB5009557
KB5009545
KB5009624
KB5009595
KB5009586
KB5009619
KB5009610
KB5009621
KB5009546
KB5009585
KB5009566
KB5009627
KB5009601
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5009543
KB5009545
KB5009546
KB5009555
KB5009557
KB5009566
KB5009585
KB5009586
KB5009595
KB5009601
KB5009610
KB5009619
KB5009621
KB5009624
KB5009627
-
Microsoft Hypertext Transfer Protocol (HTTP) Protocol Stack Remote Code Execution (RCE) Vulnerability for January 2022
- Severity
- Critical 4
- Qualys ID
- 91852
- Vendor Reference
- KB5009543, KB5009555, KB5009557, KB5009566
- CVE Reference
- CVE-2022-21907
- CVSS Scores
- Base 10 / Temporal 7.8
- Description
-
Microsoft Windows Security Update - January 2022
The KB Articles associated with the update:
KB5009557
KB5009566
KB5009543
KB5009555
This QID checks for the file version of http.sys
The following versions of http.sys with their corresponding KBs are verified:
KB5009557 - 10.0.17763.2452
KB5009543 - 10.0.19041.1466
KB5009566 - 10.0.22000.434
KB5009555 - 10.0.20348.469
Detection also checks for registry key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters" value "EnableTrailerSupport"=dword:00000001 on Windows 10 Version 1809 and Windows Server 2019 Operating Systems.
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to the KB5009557
KB5009566
KB5009543
KB5009555
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5009543
KB5009555
KB5009557
KB5009566
-
Microsoft Dynamics 365 Security Update for January 2022
- Severity
- Critical 4
- Qualys ID
- 91853
- Vendor Reference
- CVE-2022-21932
- CVE Reference
- CVE-2022-21932
- CVSS Scores
- Base 3.5 / Temporal 2.6
- Description
-
Microsoft Dynamics 365 is a product line of enterprise resource planning and customer relationship management intelligent business applications.
CVE-2022-21932: Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
Affected Software:
Microsoft Dynamics 365 Customer Engagement V9.0QID Detection Logic(Authenticated):
This authenticated QID flags vulnerable systems by detecting Vulnerable versions for file Microsoft.Crm.Setup.Server.exe:
- Consequence
- Successful exploitation of this vulnerability can result into remote code execution.
- Solution
-
Customers are advised to refer to CVE-2022-21932 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-21891
CVE-2022-21932
-
Microsoft .NET Framework Denial of Service (DoS) Vulnerability for January 2022
- Severity
- Serious 3
- Qualys ID
- 91854
- Vendor Reference
- KB5008876, KB5008877, KB5008879, KB5008880, KB5008882, KB5009546, KB5009585, KB5009711, KB5009712, KB5009713, KB5009714, KB5009718, KB5009719, KB5009720, KB5009721, KB5009722
- CVE Reference
- CVE-2022-21911
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
A denial of service vulnerability exist in Microsoft .Net Framework.
Following KBs are covered in this detection:
KB5008876 for Windows 10, version 1903 and later, Windows 10 LTSB, Windows 10 version 1903 and later,
KB5008877 for Windows 10, Windows 10 LTSB, Windows Server 2016
KB5008879 for Windows 10, version 1903 and later
KB5008880 for Windows 11
KB5008882 for Microsoft Server operating system-21H2
KB5009546 for Windows Server 2016, Windows 10 LTSB
KB5009585 for Windows 10 LTSB
KB5009711 for Windows 7, Windows Server 2008 R2, Windows Embedded Standard 7
KB5009712 for Windows 8 Embedded, Windows Server 2012
KB5009713 for Windows 8.1, Windows Server 2012 R2
KB5009714 for Windows Server 2008
KB5009718 for Windows Server 2019, Windows 10, Windows 10 LTSB, Windows Server 2019
KB5009719 for Windows Server 2008 R2 and Windows 7
KB5009720 for Windows 8 Embedded and Windows Server 2012
KB5009721 for Windows RT 8.1 ,Windows Server 2012 R2, Windows 8.1
KB5009722 for Windows Server 2008
This security update is rated Important for supported versions of Microsoft .NET Framework..NET Framework 3.5, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 and 4.8
QID Detection Logic (Authenticated):
- Checks for vulnerable version of System.web.dll for .Net Framework
- Consequence
-
Successful exploitation allows attacker to cause denial of service vulnerability.
- Solution
-
Customers are advised to refer to CVE-2022-21911 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-21911
These new vulnerability checks are included in Qualys vulnerability signature 2.5.374-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110398
- 110399
- 376232
- 50118
- 91851
- 91852
- 91853
- 91854
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.