VERT Threat Alert: January 2022 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s January 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-981 on Wednesday, January 12th, 2022.

In-The-Wild & Disclosed CVEs

CVE-2022-21919

This vulnerability is a bypass of the fix for CVE-2021-34484, reported by the same researcher, Abdelhamid Naceri. Naceri first tweeted about the bypass on October 22, 2021 and published a blog post with details and a link to a proof of concept. According to Naceri, the initial fix only removed CDirectoryRemove, reacting to the original proof of concept, and did not resolve the underlying issue; today’s update addresses that underlying issue.

Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.

CVE-2021-36976

This vulnerability is in libarchive, the open-source archive-handling library that Windows bundles. OSS-Fuzz found the bug in March 2021 and it was disclosed in June 2021; libarchive shipped a fixed release in August 2021, and Microsoft is issuing the corresponding Windows update now, in January 2022. Details of the OSS-Fuzz report can be found here.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2022-21836

This vulnerability was first disclosed in a blog post from Eclypsium on September 23, 2021. Expired and revoked certificates could be used to bypass binary verification in the Windows Platform Binary Table (WPBT), the ACPI table through which firmware hands Windows a binary to execute at boot. According to Microsoft, “The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a ‘clean’ configuration.” Microsoft’s response does two things. First, the update adds the compromised signing certificates to the Windows kernel driver block list (driver.stl), so that binaries signed with them are blocked. Second, the advisory recommends deploying Windows Defender Application Control (WDAC) to restrict which binaries may execute on a system. Note that the block list only covers certificates Microsoft already knows to be compromised; WDAC is the structural mitigation, since it constrains execution regardless of which certificate signed a binary.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2022-21839

This is a local denial of service vulnerability in Windows Event Tracing involving Discretionary Access Control Lists (DACLs). A DACL is the part of an object’s security descriptor that lists which principals are allowed or denied access to the object. If an object has no DACL at all (a null DACL), the system grants everyone full access to it; an empty DACL, by contrast, grants access to no one.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
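To make the DACL semantics concrete, the following is an added example (not from the original post and not Microsoft’s code) that classifies the DACL of a security descriptor written in SDDL form. It distinguishes a null DACL (no D: component, or the NO_ACCESS_CONTROL flag), an empty DACL (D: present but no ACEs) and a DACL that grants access to broad principals such as Everyone. The SDDL strings are constructed for the example; the two-letter SID abbreviations are the standard SDDL ones, and the rights decoder only names the generic-right codes and passes anything else through unchanged.

```python
"""Classify the DACL of a Windows security descriptor written in SDDL.

Added example: a null DACL means everyone gets full access, an empty DACL
means nobody does, and allow ACEs for broad principals deserve review.
"""
import re

# Subset of the well-known SID abbreviations defined for SDDL.
WELL_KNOWN = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
    "IU": "Interactive Users", "AN": "Anonymous", "BA": "Builtin Administrators",
    "SY": "Local System", "LS": "Local Service", "NS": "Network Service",
}
# Principals whose allow ACEs deserve a second look on a sensitive object.
BROAD = {"WD", "AU", "BU", "IU", "AN"}
# Generic rights; a rights field may also be a hex mask or other two-letter codes.
GENERIC = {"GA": "full", "GR": "read", "GW": "write", "GX": "execute"}

COMPONENT_RE = re.compile(r"[OGDS]:")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_components(sddl: str) -> dict:
    """Map 'O', 'G', 'D', 'S' to the text that follows each marker."""
    marks = list(COMPONENT_RE.finditer(sddl))
    comps = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        comps[m.group()[0]] = sddl[m.end():end]
    return comps


def parse_aces(dacl: str) -> list:
    """Parse '(type;flags;rights;object_guid;inherit_guid;sid)' entries."""
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "sid": fields[5]})
    return aces


def describe_rights(rights: str) -> str:
    """Name the generic rights; leave hex masks and specific rights as-is."""
    return GENERIC.get(rights, rights)


def classify_dacl(sddl: str):
    """Return (state, findings); state is 'null', 'empty' or 'present'."""
    comps = split_components(sddl)
    if "D" not in comps or comps["D"].startswith("NO_ACCESS_CONTROL"):
        return "null", ["no DACL: the system grants everyone full access"]
    aces = parse_aces(comps["D"])
    if not aces:
        return "empty", ["empty DACL: no principal is granted access"]
    findings = []
    for ace in aces:
        if ace["type"] == "A" and ace["sid"] in BROAD:
            findings.append(f"allow {describe_rights(ace['rights'])} to "
                            f"{WELL_KNOWN[ace['sid']]} ({ace['sid']})")
    return "present", findings


if __name__ == "__main__":
    # Constructed descriptors for the example.
    for sddl in ("O:BAG:SY",
                 "O:BAG:SYD:",
                 "O:BAG:SYD:(A;;GA;;;BA)(A;;GR;;;WD)",
                 "O:BAG:SYD:PAI(A;;GA;;;SY)(A;;GA;;;BA)"):
        print(sddl, "->", classify_dacl(sddl))
```

On a live system, PowerShell’s `(Get-Acl -Path $path).Sddl` yields the descriptor string for files and registry keys, and `ConvertFrom-SddlString` (PowerShell 5.1 and later) decodes one natively; the point of the hand-written classifier is that the null-versus-empty distinction is easy to get backwards when reviewing descriptors by eye.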

CVE-2022-21874

A code execution vulnerability exists in the Windows Security Center API. It is a local vulnerability that requires user interaction, but successful exploitation could allow a full compromise of confidentiality, integrity, and availability.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-22947

CVE-2021-22947 is a vulnerability in curl that was introduced in 2009 and fixed in September 2021. The fix was released in curl 7.79.0 on September 15, 2021 alongside a security advisory. Windows uses the curl library, and Microsoft has patched it as part of the January 2022 patch drop. The bug is a STARTTLS protocol-injection issue: when curl upgrades a plaintext IMAP, POP3, SMTP or FTP connection to TLS, an on-path attacker can inject response data before the upgrade, which curl buffers and then processes after the upgrade as though it had arrived over the TLS-protected connection.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
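The injection described above, as an added example that is not curl’s code and not part of the original post: a toy IMAP client keeps one receive buffer across the STARTTLS upgrade, so a forged LOGIN response that the attacker pipelined into the plaintext phase is read back after the upgrade as if the server had sent it over TLS. The transport is a fake standing in for a socket, the traffic is constructed for the example, and the strict client’s check (refuse to upgrade while unencrypted bytes remain buffered) is one conservative fix for this class of bug, not a reproduction of the change curl shipped in 7.79.0.

```python
"""Toy IMAP STARTTLS client: buffered plaintext survives the TLS upgrade.

Added example illustrating the class of bug behind CVE-2021-22947. The
transport is a fake, not a socket; all traffic is constructed.
"""


class FakeTransport:
    """Stand-in for a socket. Before start_tls() the bytes come from the
    plaintext phase, which an on-path attacker can tamper with; after it
    they come from the genuine server behind TLS."""

    def __init__(self, plaintext_phase: bytes, tls_phase: bytes):
        self.phases = {"plain": plaintext_phase, "tls": tls_phase}
        self.current = "plain"
        self.sent = []

    def recv(self, n: int = 4096) -> bytes:
        data = self.phases[self.current][:n]
        self.phases[self.current] = self.phases[self.current][n:]
        return data

    def send(self, data: bytes) -> None:
        self.sent.append(data)

    def start_tls(self) -> None:
        self.current = "tls"


class StartTlsInjection(Exception):
    """Raised by the strict client when plaintext is pipelined past STARTTLS."""


class ImapClient:
    def __init__(self, transport: FakeTransport, strict: bool):
        self.t = transport
        self.buf = b""          # receive buffer shared across the upgrade
        self.strict = strict

    def read_line(self) -> str:
        while b"\r\n" not in self.buf:
            chunk = self.t.recv()
            if not chunk:
                raise ConnectionError("connection closed")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode()

    def login(self, user: str, password: str) -> str:
        self.read_line()                        # server greeting (plaintext)
        self.t.send(b"a1 STARTTLS\r\n")
        if not self.read_line().startswith("a1 OK"):
            raise ConnectionError("server refused STARTTLS")
        if self.strict and self.buf:
            # Bytes already buffered arrived unencrypted; they must never be
            # interpreted as responses once the connection is "protected".
            raise StartTlsInjection(
                f"{len(self.buf)} unencrypted bytes pipelined before TLS upgrade")
        self.t.start_tls()
        self.t.send(f"a2 LOGIN {user} {password}\r\n".encode())
        return self.read_line()                 # expected to come over TLS


# Constructed traffic. The attacker appends a forged LOGIN response to the
# plaintext phase, after a genuine-looking greeting and STARTTLS acknowledgement.
ATTACKER_PLAINTEXT = (b"* OK IMAP4rev1 ready\r\n"
                      b"a1 OK Begin TLS negotiation now\r\n"
                      b"a2 OK LOGIN completed\r\n")          # injected line
HONEST_PLAINTEXT = (b"* OK IMAP4rev1 ready\r\n"
                    b"a1 OK Begin TLS negotiation now\r\n")
SERVER_OVER_TLS = b"a2 NO [AUTHENTICATIONFAILED] Invalid credentials\r\n"


def run(strict: bool, plaintext_phase: bytes = ATTACKER_PLAINTEXT,
        tls_phase: bytes = SERVER_OVER_TLS) -> str:
    """Drive one login and return the line the client took as the LOGIN reply."""
    client = ImapClient(FakeTransport(plaintext_phase, tls_phase), strict)
    return client.login("alice", "s3cret")


if __name__ == "__main__":
    print("lenient client saw:", run(strict=False))      # the injected line
    try:
        run(strict=True)
    except StartTlsInjection as exc:
        print("strict client refused:", exc)
    print("strict client, honest peer:", run(strict=True, plaintext_phase=HONEST_PLAINTEXT))
```

The lenient client never reads a byte from the TLS phase: the attacker’s “a2 OK LOGIN completed” is already sitting in its buffer, so the real server’s refusal is never seen. The same buffer-sharing pattern shows up in any protocol with an in-band upgrade, which is why the check belongs at the upgrade boundary rather than in the command handlers.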

CVE Breakdown by Tag

Microsoft no longer groups fixes into Security Bulletins; instead, each vulnerability carries a product or component tag. The table below breaks down this month’s CVEs per tag. Rows are also colour coded to aid in identifying key issues:

  • Traditional Software
  • Mobile Software
  • Cloud or Cloud Adjacent
  • Vulnerabilities that are being exploited or that have been disclosed are shown in bold (this month, the six CVEs discussed above)
Tag | CVE Count | CVEs
Windows IKE Extension | 6 | CVE-2022-21843, CVE-2022-21883, CVE-2022-21848, CVE-2022-21849, CVE-2022-21889, CVE-2022-21890
Windows HTTP Protocol Stack | 1 | CVE-2022-21907
Windows Storage | 1 | CVE-2022-21875
Open Source Software | 1 | CVE-2021-22947
Tablet Windows User Interface | 1 | CVE-2022-21870
Windows Clipboard User Service | 1 | CVE-2022-21869
Windows Workstation Service Remote Protocol | 1 | CVE-2022-21924
Windows Application Model | 1 | CVE-2022-21862
Windows Cryptographic Services | 1 | CVE-2022-21835
Windows Installer | 1 | CVE-2022-21908
Microsoft Dynamics | 2 | CVE-2022-21932, CVE-2022-21891
Windows Storage Spaces Controller | 1 | CVE-2022-21877
Windows Secure Boot | 1 | CVE-2022-21894
Windows DirectX | 3 | CVE-2022-21918, CVE-2022-21912, CVE-2022-21898
Windows Kerberos | 1 | CVE-2022-21920
Windows Local Security Authority Subsystem Service | 1 | CVE-2022-21884
Microsoft Office SharePoint | 1 | CVE-2022-21837
Microsoft Windows Codecs Library | 1 | CVE-2022-21917
Windows User-mode Driver Framework | 1 | CVE-2022-21834
Windows Task Flow Data Engine | 1 | CVE-2022-21861
Microsoft Office Excel | 1 | CVE-2022-21841
Microsoft Graphics Component | 4 | CVE-2022-21915, CVE-2022-21880, CVE-2022-21903, CVE-2022-21904
Windows Event Tracing | 2 | CVE-2022-21839, CVE-2022-21872
Windows Cleanup Manager | 1 | CVE-2022-21838
Windows Kernel | 2 | CVE-2022-21879, CVE-2022-21881
Windows DWM Core Library | 3 | CVE-2022-21852, CVE-2022-21902, CVE-2022-21896
Windows User Profile Service | 2 | CVE-2022-21919, CVE-2022-21895
Microsoft Office Word | 1 | CVE-2022-21842
Windows Remote Access Connection Manager | 2 | CVE-2022-21885, CVE-2022-21914
Windows Push Notifications | 1 | CVE-2022-21867
Microsoft Office | 1 | CVE-2022-21840
Windows Remote Procedure Call Runtime | 1 | CVE-2022-21922
Windows Defender | 2 | CVE-2022-21906, CVE-2022-21921
Windows Remote Desktop | 1 | CVE-2022-21964
Windows Bind Filter Driver | 1 | CVE-2022-21858
Windows Active Directory | 1 | CVE-2022-21857
Windows Certificates | 1 | CVE-2022-21836
Microsoft Exchange Server | 3 | CVE-2022-21846, CVE-2022-21855, CVE-2022-21969
Windows RDP | 3 | CVE-2022-21893, CVE-2022-21850, CVE-2022-21851
Windows Geolocation Service | 1 | CVE-2022-21878
.NET Framework | 1 | CVE-2022-21911
Windows StateRepository API | 1 | CVE-2022-21863
Windows Common Log File System Driver | 2 | CVE-2022-21916, CVE-2022-21897
Windows BackupKey Remote Protocol | 1 | CVE-2022-21925
Windows System Launcher | 1 | CVE-2022-21866
Windows Libarchive | 1 | CVE-2021-36976
Windows Win32K | 3 | CVE-2022-21876, CVE-2022-21882, CVE-2022-21887
Windows Resilient File System (ReFS) | 8 | CVE-2022-21892, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963, CVE-2022-21928
Windows Connected Devices Platform Service | 1 | CVE-2022-21865
Windows Modern Execution Server | 1 | CVE-2022-21888
Windows Local Security Authority | 1 | CVE-2022-21913
Role: Windows Hyper-V | 4 | CVE-2022-21900, CVE-2022-21901, CVE-2022-21905, CVE-2022-21847
Windows Diagnostic Hub | 1 | CVE-2022-21871
Windows Devices Human Interface | 1 | CVE-2022-21868
Microsoft Edge (Chromium-based) | 29 | CVE-2022-21929, CVE-2022-21930, CVE-2022-21931, CVE-2022-21954, CVE-2022-21970, CVE-2022-0096, CVE-2022-0097, CVE-2022-0098, CVE-2022-0099, CVE-2022-0100, CVE-2022-0101, CVE-2022-0102, CVE-2022-0103, CVE-2022-0104, CVE-2022-0105, CVE-2022-0106, CVE-2022-0107, CVE-2022-0108, CVE-2022-0109, CVE-2022-0110, CVE-2022-0111, CVE-2022-0112, CVE-2022-0113, CVE-2022-0114, CVE-2022-0115, CVE-2022-0116, CVE-2022-0117, CVE-2022-0118, CVE-2022-0120
Windows UI Immersive Server | 1 | CVE-2022-21864
Windows AppContracts API Server | 1 | CVE-2022-21860
Windows UEFI | 1 | CVE-2022-21899
Windows Tile Data Repository | 1 | CVE-2022-21873
Windows Cluster Port Driver | 1 | CVE-2022-21910
Windows Virtual Machine IDE Drive | 1 | CVE-2022-21833
Windows Account Control | 1 | CVE-2022-21859
Windows Security Center | 1 | CVE-2022-21874

Other Information

There were no new advisories included with the January Security Guidance.