{"mscve": [{"lastseen": "2022-11-01T12:15:11", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21969.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-11T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21969"], "modified": "2022-01-11T08:00:00", "id": "MS:CVE-2022-21855", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21855", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-10-03T16:24:27", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-21846, CVE-2022-21855.", "edition": 1, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-11T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21969", "CVE-2022-21855", "CVE-2022-21846"], "modified": "2022-01-11T08:00:00", "id": "MS:CVE-2022-21969", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21969", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T09:54:18", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability. 
This CVE ID is unique from CVE-2022-21846, CVE-2022-21855.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-11T21:15:00", "type": "cve", "title": "CVE-2022-21969", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21969"], "modified": "2022-01-21T14:09:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2019", "cpe:/a:microsoft:exchange_server:2013"], "id": "CVE-2022-21969", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21969", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T09:52:22", "description": "Microsoft Exchange 
Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21969.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-11T21:15:00", "type": "cve", "title": "CVE-2022-21855", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21969"], "modified": "2022-01-14T16:14:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2019", "cpe:/a:microsoft:exchange_server:2013"], "id": "CVE-2022-21855", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21855", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*"]}, {"lastseen": 
"2022-03-23T09:52:11", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21855, CVE-2022-21969.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-11T21:15:00", "type": "cve", "title": "CVE-2022-21846", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21969"], "modified": "2022-01-14T17:33:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2019", "cpe:/a:microsoft:exchange_server:2013"], "id": "CVE-2022-21846", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21846", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*", 
"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*"]}], "mskb": [{"lastseen": "2023-01-11T11:07:39", "description": "None\nThis security update rollup resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):[CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21846>) [CVE-2022-21855 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21855>) [CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21969>)\n\n## Known issues in this update\n\n * **Issue 1** \n \nWhen you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working. \n \nThis issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services.\n\n**Note: **This issue does not occur if you install the update through Microsoft Update.\n\nTo avoid this issue, follow these steps to manually install this security update:\n 1. Select **Start**, and type **cmd**.\n 2. In the results, right-click **Command Prompt**, and then select **Run as administrator**.\n 3. If the **User Account Control** dialog box appears, verify that the default action is the action that you want, and then select **Continue**.\n 4. 
Type the full path of the .msp file, and then press Enter.\n * **Issue 2** \n \nExchange services might remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition might occur if the service control scripts experience a problem when they try to return Exchange services to their usual state. \n \nTo fix this issue, use Services Manager to restore the startup type to **Automatic**, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see [Start a Command Prompt as an Administrator](<https://technet.microsoft.com/en-us/library/cc947813\\(v=ws.10\\).aspx>).\n * **Issue 3** \n \nWhen you block third-party cookies in a web browser, you might be continually prompted to trust a particular add-in even though you keep selecting the option to trust it. This issue occurs also in privacy window modes (such as InPrivate mode in Microsoft Edge). This issue occurs because browser restrictions prevent the response from being recorded. To record the response and enable the add-in, you must enable third-party cookies for the domain that's hosting OWA or Office Online Server in the browser settings. To enable this setting, refer to the specific support documentation for the browser.\n * **Issue 4** \n \nWhen you try to request free/busy information for a user in a different forest in a trusted cross-forest topology, the request fails and generates a \"(400) Bad Request\" error message. For more information and workarounds to this issue, see [\"(400) Bad Request\" error during Autodiscover for per-user free/busy in a trusted cross-forest topology](<https://support.microsoft.com/help/5003623>).\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. 
When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5008631>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center.\n\n * [Download Exchange Server 2019 Cumulative Update 11 Security Update 3 (KB5008631)](<https://www.microsoft.com/download/details.aspx?familyid=02f280f1-e574-4ef6-a265-8d33f6e5823b>)\n * [Download Exchange Server 2019 Cumulative Update 10 Security Update 4 (KB5008631)](<https://www.microsoft.com/download/details.aspx?familyid=c03bef2b-342f-40ef-a35b-e3f56bc909ad>)\n * [Download Exchange Server 2016 Cumulative Update 22 Security Update 3 (KB5008631)](<https://www.microsoft.com/download/details.aspx?familyid=ec50d425-44a9-4f15-bda0-bc1d62f36310>)\n * [Download Exchange Server 2016 Cumulative Update 21 Security Update 4 (KB5008631)](<https://www.microsoft.com/download/details.aspx?familyid=be6d511a-2523-4817-b5cd-11d1316ac398>)\n * [Download Exchange Server 2013 Cumulative Update 23 Security Update 13 (KB5008631)](<https://www.microsoft.com/download/details.aspx?familyid=9bcec622-bd02-4557-ad77-4c560abb3da3>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see [January 11, 2022](<https://support.microsoft.com/help/5010029>).\n\n### Security update replacement information\n\nThis security update replaces the following previously released updates:\n\n * [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 9, 2021 (KB5007409)](<https://support.microsoft.com/help/5007409>)\n\n## File 
information\n\n### File hash information\n\nUpdate name| File name| SHA256 hash \n---|---|--- \nExchange Server 2019 CU11 SU3| Exchange2019-KB5008631-x64-en.msp| F2B6ED1DF21F33C3B640D14F4C35D9B2B63FAAD36ADCB5A185D2CB28F31AD69F \nExchange Server 2019 CU10 SU4| Exchange2019-KB5008631-x64-en.msp| F568797B5B47C1ECA35BEEF066D2C42AF26FD3FA02E95EF7081B58061B9FA499 \nExchange Server 2016 CU22 SU3| Exchange2016-KB5008631-x64-en.msp| 8C59EF1433251BEAB8A79367D9C0CC377B01FBEEB32F613A083F1173E59EEE04 \nExchange Server 2016 CU21 SU4| Exchange2016-KB5008631-x64-en.msp| B52A62E1BB23D3DE65CB0141BEA3EB8BA14DC7D967D1EE4163D534D6FA6DA507 \nExchange Server 2013 CU23 SU1| Exchange2013-KB5008631-x64-en.msp| 45E8BF571637E7B7329EEBDC331EB862DFA40696E8DE180CE396F67C97BF9B96 \n \n### Exchange Server file information\n\nFor a list of the files that are provided in this security update, download the file information for security update 5008631 for the appropriate product.\n\n * [File table for Exchange Server 2019 CU11 SU3 (KB5008631)](<https://download.microsoft.com/download/f/c/a/fcaf04d4-c144-418e-8590-e68e3006a470/KB5008631 Exchange 2019 CU11 SU3.csv>)\n * [File table for Exchange Server 2019 CU10 SU4 (KB5008631)](<https://download.microsoft.com/download/7/6/9/7690a75d-2bd5-48a6-a0c7-9f0163dd73c8/KB5008631 Exchange 2019 CU10 SU4.csv>)\n * [File table for Exchange Server 2016 CU22 SU3 (KB5008631)](<https://download.microsoft.com/download/a/d/f/adf94188-0d27-4087-b45a-220d8b5370a5/KB5008631 Exchange 2016 CU22 SU3.csv>)\n * [File table for Exchange Server 2016 CU21 SU4 (KB5008631)](<https://download.microsoft.com/download/1/9/4/1947a1ad-0cda-4496-8bde-4911aecca458/KB5008631 Exchange 2016 CU21 SU4.csv>)\n * [File table for Exchange Server 2013 CU23 SU13 (KB5008631)](<https://download.microsoft.com/download/4/7/b/47b0a68b-71f2-418f-abe2-6462907d4ba3/KB5008631 Exchange 2013 CU23 SU13.csv>)\n\n## Information about protection and security\n\nProtect yourself online: [Windows Security 
support](<https://support.microsoft.com/hub/4099151>) Learn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-11T08:00:00", "type": "mskb", "title": "Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: January 11, 2022 (KB5008631)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21969"], "modified": "2022-01-11T08:00:00", "id": "KB5008631", "href": "https://support.microsoft.com/en-us/help/5008631", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2022-01-15T06:11:58", "description": "### *Detect date*:\n01/11/2022\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Exchange Server. 
Malicious users can exploit these vulnerabilities to execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Exchange Server 2013 Cumulative Update 23 \nMicrosoft Exchange Server 2016 Cumulative Update 21 \nMicrosoft Exchange Server 2016 Cumulative Update 22 \nMicrosoft Exchange Server 2019 Cumulative Update 10 \nMicrosoft Exchange Server 2019 Cumulative Update 11\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-21855](<https://nvd.nist.gov/vuln/detail/CVE-2022-21855>) \n[CVE-2022-21846](<https://nvd.nist.gov/vuln/detail/CVE-2022-21846>) \n[CVE-2022-21969](<https://nvd.nist.gov/vuln/detail/CVE-2022-21969>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Exchange Server](<https://threats.kaspersky.com/en/product/Microsoft-Exchange-Server/>)\n\n### *CVE-IDS*:\n[CVE-2022-21855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21855>)5.0Critical \n[CVE-2022-21846](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21846>)5.0Critical \n[CVE-2022-21969](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21969>)5.0Critical\n\n### *KB list*:\n[5008631](<http://support.microsoft.com/kb/5008631>)", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-11T00:00:00", "type": "kaspersky", "title": "KLA12419 Multiple vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21969"], "modified": "2022-01-12T00:00:00", "id": "KLA12419", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12419/", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-27T14:08:52", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by a remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary code.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-14T00:00:00", "type": "nessus", "title": "Security Updates for Exchange (January 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21969"], "modified": "2022-03-11T00:00:00", "cpe": ["cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_JAN_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/156745", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc. \n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156745);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/11\");\n\n script_cve_id(\"CVE-2022-21846\", \"CVE-2022-21855\", \"CVE-2022-21969\");\n script_xref(name:\"MSKB\", value:\"5008631\");\n script_xref(name:\"MSFT\", value:\"MS22-5008631\");\n script_xref(name:\"IAVA\", value:\"2022-A-0009-S\");\n\n script_name(english:\"Security Updates for Exchange (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by\na remote code execution vulnerability. 
An attacker can exploit this to bypass authentication and execute unauthorized\narbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5008631\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5008631 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21846\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('install_func.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nexit_if_productname_not_server();\n\nvar bulletin = 'MS22-01';\nvar kbs = make_list(\n '5008631'\n);\n\nif (get_kb_item('Host/patch_management_checks'))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nvar install = get_single_install(app_name:'Microsoft Exchange');\n\nvar path = install['path'];\nvar version = install['version'];\nvar release = install['RELEASE'];\nvar port = kb_smb_transport();\n\nif (\n release != 150 && # 2013\n release != 151 && # 2016\n release != 152 # 2019\n) audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);\n\nvar kb_checks =\n{\n '150' :\n {\n '23' : '15.00.1497.028',\n 'unsupported' : 22\n },\n '151' :\n {\n '21' : '15.01.2308.021',\n '22' : '15.01.2375.018',\n 'unsupported' : 20\n },\n '152' :\n {\n '10' : '15.02.0922.020',\n '11' : '15.02.0986.015',\n 'unsupported' : 9}\n};\n\nvar cu = 0;\nif (!empty_or_null(install['CU']))\n cu = install['CU'];\nvar kb = '5008631';\nvar unsupported = FALSE;\n\nif (kb_checks[release]['unsupported'] >= cu) unsupported_cu = TRUE;\n else if (empty_or_null(kb_checks[release][cu])) audit(AUDIT_HOST_NOT, 'affected');\n\n\nvar fixedver = kb_checks[release][cu];\n\nif ((fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:\"Bin\"), file:'ExSetup.exe', version:fixedver, bulletin:bulletin, kb:kb))\n || (unsupported_cu && report_paranoia == 2))\n{\n if (unsupported_cu)\n hotfix_add_report('The Microsoft Exchange Server installed at ' + path +\n ' has an unsupported Cumulative Update (CU) installed and may 
be ' +\n 'vulnerable to the CVEs contained within the advisory. Unsupported ' +\n 'Exchange CU versions are not typically included in Microsoft ' +\n 'advisories and are not indicated as affected.\\n',\n bulletin:bulletin, kb:kb);\n\n set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-10-30T05:04:07", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21855.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 10, 2022 7:02am UTC reported:\n\nThere is a nice writeup on this at <https://medium.com/@frycos/searching-for-deserialization-protection-bypasses-in-microsoft-exchange-cve-2022-21969-bfa38f63a62d>. The bug appears to be a deserialization bug that occurs when loading a specific file, however according to the demo video at <https://gist.github.com/Frycos/a446d86d75c09330d77f37ca28923ddd> it seems to be more of a local attack. That being said it would grant you an LPE to SYSTEM if you were able to trigger it. Furthermore Frycos mentions that he thinks Microsoft didn\u2019t fix the root issue when he wrote the blog (as of January 12th 2022), so it\u2019s possible the root issue wasn\u2019t fixed, though Frycos mentioned he didn\u2019t look into this further.\n\nFrom <https://twitter.com/MCKSysAr/status/1524518517990727683> it does seem like at the very least some exploitation attempts have been made to try to exploit this, although writing to `C:\\Program Files\\Microsoft\\Exchange Server\\V15\\UnifiedMessaging\\voicemail` to trigger the bug via making it process a voicemail has proven to be difficult to do. 
It does however note my tip, shown later in this writeup, of how to bypass the deny list by using `System.Runtime.Remoting.ObjRef` as was pointed out online, was valid.\n\nWhat follows below is some of my notes that I wrote up a while back and never published. Hopefully they are of help to someone.\n\n# Overview\n\n## Background info\n\nDeserialization vulnerability leading to RCE potentially. \nGot a CVSS 3.1 score of 9.0 with a temporal score metric score of 7.8.\n\nInteresting that it mentions the attack vector is Adjacent and the article notes that this may be only because of the way that he exploited it and may indicate they didn\u2019t fix the root issue.\n\nLow attack complexity and low privileges required seem to indicate it may be authenticated but you don\u2019t need many privileges??? I need to check on this further.\n\nHigh impact on everything else suggests this is a full compromise; this would be in line with leaking the hash.\n\n## Affected\n\n * Microsoft Exchange Server 2019 Cumulative Update 11 prior to January 2022 security update. \n\n * Microsoft Exchange Server 2019 Cumulative Update 10 prior to January 2022 security update. \n\n * Microsoft Exchange Server 2016 Cumulative Update 22 prior to January 2022 security update. \n\n * Microsoft Exchange Server 2016 Cumulative Update 21 prior to January 2022 security update. \n\n * Microsoft Exchange Server 2013 Cumulative Update 23 prior to January 2022 security update. \n\n\n## Fixed By\n\nKB5008631\n\n## Other vulns fixed in same patch\n\nCVE-2022-21846 <\u2013 NSA reported this one. \nCVE-2022-21855 <\u2013 Reported by Andrew Ruddick of MSRC.\n\n# Writeup Review\n\nOriginal writeup: <https://www.instapaper.com/read/1487196325>\n\nWe have well known _sinks_ in [[.NET]] whereby one can make deserialization calls from unprotected formatters such as `BinaryFormatter`. 
These formatters as noted in [[CVE-2021-42321]] don\u2019t have any `SerializationBinder` or similar binders attached to them, which means that they are open to deserialize whatever they like, without any binder limiting them to what they can deserialize.\n\nInitial search for vulnerabilities took place around Exchange\u2019s `Rpc` functions, which use a binary protocol created by Microsoft for communication instead of using normal HTTP requests.\n\nLooking around we can see `Microsoft.Exchange.Rpc.ExchangeCertificates.ExchangeCertificateRpcServer` contains several function prototypes:\n \n \n // Microsoft.Exchange.Rpc.ExchangeCertificate.ExchangeCertificateRpcServer \n using System; \n using System.Security; \n using Microsoft.Exchange.Rpc; \n \n internal abstract class ExchangeCertificateRpcServer : RpcServerBase \n { \n \u00a0\u00a0\u00a0\u00a0public unsafe static IntPtr RpcIntfHandle = (IntPtr)<Module>.IExchangeCertificate_v1_0_s_ifspec; \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] GetCertificate(int version, byte[] pInBytes); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] CreateCertificate(int version, byte[] pInBytes); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] RemoveCertificate(int version, byte[] pInBytes); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] ExportCertificate(int version, byte[] pInBytes, SecureString password); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] ImportCertificate(int version, byte[] pInBytes, SecureString password); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] EnableCertificate(int version, byte[] pInBytes); \n \n \u00a0\u00a0\u00a0\u00a0public ExchangeCertificateRpcServer() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nThese are then implemented in `Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServer`.\n \n \n // Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServer \n using System; \n using System.Security; \n using 
System.Security.AccessControl; \n using System.Security.Principal; \n using Microsoft.Exchange.Management.SystemConfigurationTasks; \n using Microsoft.Exchange.Rpc; \n using Microsoft.Exchange.Rpc.ExchangeCertificate; \n using Microsoft.Exchange.Servicelets.ExchangeCertificate; \n \n internal class ExchangeCertificateServer : ExchangeCertificateRpcServer \n { \n \u00a0\u00a0\u00a0\u00a0internal const string RequestStoreName = \"REQUEST\"; \n \n \u00a0\u00a0\u00a0\u00a0private static ExchangeCertificateServer server; \n \n \u00a0\u00a0\u00a0\u00a0public static bool Start(out Exception e) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0e = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0FileSystemAccessRule accessRule = new FileSystemAccessRule(securityIdentifier, FileSystemRights.Read, AccessControlType.Allow); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0FileSecurity fileSecurity = new FileSecurity(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fileSecurity.SetOwner(securityIdentifier); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fileSecurity.SetAccessRule(accessRule); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0server = (ExchangeCertificateServer)RpcServerBase.RegisterServer(typeof(ExchangeCertificateServer), fileSecurity, 1u, isLocalOnly: false); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return true; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (RpcException ex) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0RpcException ex2 = 
(RpcException)(e = ex); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return false; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public static void Stop() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (server != null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0RpcServerBase.StopServer(ExchangeCertificateRpcServer.RpcIntfHandle); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0server = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] CreateCertificate(int version, byte[] inputBlob) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.CreateCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] GetCertificate(int version, byte[] inputBlob) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.GetCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] RemoveCertificate(int version, byte[] inputBlob) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.RemoveCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] ExportCertificate(int version, byte[] inputBlob, SecureString password) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.ExportCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob, password); 
\n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] ImportCertificate(int version, byte[] inputBlob, SecureString password) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.ImportCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob, password); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] EnableCertificate(int version, byte[] inputBlob) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.EnableCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob); \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nExamining these functions we can see a lot of them take a byte array input named `byte[] inputBlob`. If we follow the `ImportCertificate()` function here as an example we can see that the implementation will call into `Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServerHelper`, as is also true for the other functions.\n \n \n // Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServerHelper \n using System; \n using System.Collections.Generic; \n using System.Management.Automation; \n using System.Security; \n using System.Security.Cryptography; \n using System.Security.Cryptography.X509Certificates; \n using System.Text; \n using Microsoft.Exchange.Data; \n using Microsoft.Exchange.Data.Common; \n using Microsoft.Exchange.Data.Directory; \n using Microsoft.Exchange.Data.Directory.Management; \n using Microsoft.Exchange.Data.Directory.SystemConfiguration; \n using Microsoft.Exchange.Extensions; \n using Microsoft.Exchange.Management.FederationProvisioning; \n using Microsoft.Exchange.Management.Metabase; \n using Microsoft.Exchange.Management.SystemConfigurationTasks; \n using Microsoft.Exchange.Management.Tasks; \n using Microsoft.Exchange.Net; \n using Microsoft.Exchange.Security.Cryptography.X509Certificates; \n using 
Microsoft.Exchange.Servicelets.ExchangeCertificate; \n \n internal class ExchangeCertificateServerHelper \n { \n \n ... \n \n \u00a0\u00a0\u00a0\u00a0public static byte[] ImportCertificate(ExchangeCertificateRpcVersion rpcVersion, byte[] inputBlob, SecureString password) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool flag = false; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ExchangeCertificateRpc exchangeCertificateRpc = new ExchangeCertificateRpc(rpcVersion, inputBlob, null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (string.IsNullOrEmpty(exchangeCertificateRpc.ImportCert)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateDataInvalid, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Server server = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ITopologyConfigurationSession topologyConfigurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 1159, \"ImportCertificate\", \"d:\\\\dbs\\\\sh\\\\e19dt\\\\1103_100001\\\\cmd\\\\c\\\\sources\\\\Dev\\\\Management\\\\src\\\\ServiceHost\\\\Servicelets\\\\ExchangeCertificate\\\\Program\\\\ExchangeCertificateServer.cs\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0server = ManageExchangeCertificate.FindLocalServer(topologyConfigurationSession); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (LocalServerNotFoundException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flag = true; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (flag || !ManageExchangeCertificate.IsServerRoleSupported(server)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.RoleDoesNotSupportExchangeCertificateTasksException, ErrorCategory.InvalidOperation); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509Store x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (CryptographicException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Store = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0List<ServiceData> installed = new List<ServiceData>(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0GetInstalledRoles(topologyConfigurationSession, server, installed); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0byte[] array = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (CertificateEnroller.TryAcceptPkcs7(exchangeCertificateRpc.ImportCert, out var thumbprint, out var untrustedRoot)) \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509Certificate2Collection x509Certificate2Collection = x509Store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (x509Certificate2Collection.Count > 0) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!string.IsNullOrEmpty(exchangeCertificateRpc.ImportDescription)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Certificate2Collection[0].FriendlyName = exchangeCertificateRpc.ImportDescription; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ExchangeCertificate exchangeCertificate = new ExchangeCertificate(x509Certificate2Collection[0]); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0UpdateServices(exchangeCertificate, server, installed); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0exchangeCertificateRpc.ReturnCert = exchangeCertificate; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return exchangeCertificateRpc.SerializeOutputParameters(rpcVersion); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (untrustedRoot) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateUntrustedRoot, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0array = Convert.FromBase64String(exchangeCertificateRpc.ImportCert); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (FormatException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateBase64DataInvalid, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509Certificate2 x509Certificate = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509KeyStorageFlags 
x509KeyStorageFlags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool flag2 = password == null || password.Length == 0; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509Certificate2Collection x509Certificate2Collection2 = new X509Certificate2Collection(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (exchangeCertificateRpc.ImportExportable) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509KeyStorageFlags |= X509KeyStorageFlags.Exportable; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Certificate2Collection2.Import(array, flag2 ? 
null : password.AsUnsecureString(), x509KeyStorageFlags); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Certificate = ManageExchangeCertificate.FindImportedCertificate(x509Certificate2Collection2); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (CryptographicException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateDataInvalid, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (x509Certificate == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateDataInvalid, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!string.IsNullOrEmpty(exchangeCertificateRpc.ImportDescription)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Certificate.FriendlyName = exchangeCertificateRpc.ImportDescription; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (x509Store.Certificates.Find(X509FindType.FindByThumbprint, x509Certificate.Thumbprint, validOnly: false).Count > 0) \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateAlreadyExists(x509Certificate.Thumbprint), ErrorCategory.WriteError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Store.Add(x509Certificate); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ExchangeCertificate exchangeCertificate2 = new ExchangeCertificate(x509Certificate); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0UpdateServices(exchangeCertificate2, server, installed); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0exchangeCertificateRpc.ReturnCert = exchangeCertificate2; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0finally \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Store?.Close(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return exchangeCertificateRpc.SerializeOutputParameters(rpcVersion); \n \u00a0\u00a0\u00a0\u00a0} \n \n ...\n \n\nWe can see from this that most functions appear to be calling `Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.ExchangeCertificateRpc()`. 
This has some interesting code relevant to deserialization:\n \n \n // Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc \n using System.Collections.Generic; \n using Microsoft.Exchange.Rpc.ExchangeCertificate; \n \n public ExchangeCertificateRpc(ExchangeCertificateRpcVersion version, byte[] inputBlob, byte[] outputBlob) \n { \n \u00a0\u00a0\u00a0\u00a0inputParameters = new Dictionary<RpcParameters, object>(); \n \u00a0\u00a0\u00a0\u00a0if (inputBlob != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0switch (version) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0case ExchangeCertificateRpcVersion.Version1: \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0inputParameters = (Dictionary<RpcParameters, object>)DeserializeObject(inputBlob, customized: false); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0case ExchangeCertificateRpcVersion.Version2: \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0inputParameters = BuildInputParameters(inputBlob); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0outputParameters = new Dictionary<RpcOutput, object>(); \n \u00a0\u00a0\u00a0\u00a0if (outputBlob != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0switch (version) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0case ExchangeCertificateRpcVersion.Version1: \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0outputParameters = (Dictionary<RpcOutput, object>)DeserializeObject(outputBlob, customized: false); \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0case ExchangeCertificateRpcVersion.Version2: \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0outputParameters = BuildOutputParameters(outputBlob); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nHere we can see that the `byte[] inputBlob` from earlier is passed to `DeserializeObject(inputBlob, customized: false)` in the case that `ExchangeCertificateRpcVersion` parameter passed in is `ExchangeCertificateRpcVersion.Version1`.\n\nOkay so already we know we have one limitation in that we need to set the `version` parameter here to `ExchangeCertificateRpcVersion.Version1` somehow.\n\nKeeping this in mind lets explore further and look at the `Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.DeserializeObject(inputBlob, customized:false)` call implementation.\n \n \n // Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc \n using System.IO; \n using Microsoft.Exchange.Data.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n private object DeserializeObject(byte[] data, bool customized) \n { \n \u00a0\u00a0\u00a0\u00a0if (data != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0using (MemoryStream serializationStream = new MemoryStream(data)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool strictModeStatus = Microsoft.Exchange.Data.Serialization.Serialization.GetStrictModeStatus(DeserializeLocation.ExchangeCertificateRpc); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.ExchangeCertificateRpc, 
strictModeStatus, allowedTypes, allowedGenerics).Deserialize(serializationStream); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0return null; \n }\n \n\nInteresting so we can see that we create a new `MemoryStream` object from our `byte[] data` parameter and use this to create a serialization stream of type `MemoryStream`. We then check using `Microsoft.Exchange.Data.Serialization.Serialization.GetStrictModeStatus` to see if `DeserializeLocation.ExchangeCertificateRpc` requires strict mode for deserialization or not and we set the boolean `strictModeStatus` to this result.\n\nFinally we create a binary formatter using `ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.ExchangeCertificateRpc, strictModeStatus, allowedTypes, allowedGenerics)` and then call its `Deserialize()` method on the serialized `MemoryStream` object we created earlier using `byte[] data`.\n\nNote that before the November 2021 patch, this `DeserializeObject` function actually looked like this:\n \n \n // Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc \n using System.IO; \n using Microsoft.Exchange.Data.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n private object DeserializeObject(byte[] data, bool customized) \n { \n \u00a0\u00a0\u00a0\u00a0if (data != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0using (MemoryStream serializationStream = new MemoryStream(data)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0BinaryFormatter binaryFormatter = new BinaryFormatter();\n \t\t\tif (customized)\n \t\t\t{\n \t\t\t\tbinaryFormatter.Binder = new CustomizedSerializationBinder();\n \t\t\t}\n \t\t\treturn binaryFormatter.Deserialize(memoryStream);\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n 
\u00a0\u00a0\u00a0\u00a0return null; \n }\n \n \n\nAs we can see, the earlier code here was using `BinaryFormatter` to deserialize the payload without using a proper `SerializationBinder` or really any protection at all for that matter: the `CustomizedSerializationBinder` is only attached when `customized` is true, and the constructor shown earlier calls `DeserializeObject` with `customized: false`, so no binder was set on this path.\n\n## Looking At DeserializeObject() Deeper\n\nLet\u2019s look at the November 2022 edition of `Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.DeserializeObject(inputBlob, customized:false)` again:\n \n \n // Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc \n using System.IO; \n using Microsoft.Exchange.Data.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n private object DeserializeObject(byte[] data, bool customized) \n { \n \u00a0\u00a0\u00a0\u00a0if (data != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0using (MemoryStream serializationStream = new MemoryStream(data)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool strictModeStatus = Microsoft.Exchange.Data.Serialization.Serialization.GetStrictModeStatus(DeserializeLocation.ExchangeCertificateRpc); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.ExchangeCertificateRpc, strictModeStatus, allowedTypes, allowedGenerics).Deserialize(serializationStream); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0return null; \n }\n \n\nWhat we want to check here now is the `ExchangeBinaryFormatterFactory.CreateBinaryFormatter` call. 
What does the code for this look like?\n \n \n // Microsoft.Exchange.Diagnostics.ExchangeBinaryFormatterFactory \n using System.Runtime.Serialization.Formatters.Binary; \n \n public static BinaryFormatter CreateBinaryFormatter(DeserializeLocation usageLocation, bool strictMode = false, string[] allowList = null, string[] allowedGenerics = null) \n { \n \u00a0\u00a0\u00a0\u00a0return new BinaryFormatter \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Binder = new ChainedSerializationBinder(usageLocation, strictMode, allowList, allowedGenerics) \n \u00a0\u00a0\u00a0\u00a0}; \n }\n \n\nAh our good old friend `ChainedSerializationBinder` and `BinaryFormatter`. Looks like we will need to create a `BinaryFormatter` serialized payload and `ChainedSerializationBinder` will be the validator.\n\nAs mentioned in the article to bypass this logic we need to ensure that `strictMode` is set to `False` and that we are not using any fully qualified assembly name in the deny list defined in `Microsoft.Exchange.Diagnostics.ChainedSerializationBinder.GlobalDisallowedTypesForDeserialization`, which will pretty much kill all publicly known .NET deserialization gadgets from ysoserial.NET.\n\nFor reference this is the code for `ChainedSerializationBinder` in November 2021 Update:\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n using System.Collections.Generic; \n using System.IO; \n using System.Linq; \n using System.Reflection; \n using System.Runtime.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n public class ChainedSerializationBinder : SerializationBinder \n { \n \u00a0\u00a0\u00a0\u00a0private const string TypeFormat = \"{0}, {1}\"; \n \n \u00a0\u00a0\u00a0\u00a0private static readonly HashSet<string> AlwaysAllowedPrimitives = new HashSet<string> \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(string).FullName, \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(int).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(uint).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(long).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(ulong).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(double).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(float).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(bool).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(short).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(ushort).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(byte).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(char).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(DateTime).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(TimeSpan).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(Guid).FullName \n \u00a0\u00a0\u00a0\u00a0}; \n \n \u00a0\u00a0\u00a0\u00a0private bool strictMode; \n \n \u00a0\u00a0\u00a0\u00a0private DeserializeLocation location; \n \n \u00a0\u00a0\u00a0\u00a0private Func<string, Type> typeResolver; \n \n \u00a0\u00a0\u00a0\u00a0private HashSet<string> allowedTypesForDeserialization; \n \n \u00a0\u00a0\u00a0\u00a0private HashSet<string> allowedGenericsForDeserialization; \n \n \u00a0\u00a0\u00a0\u00a0private bool serializationOnly; \n \n \u00a0\u00a0\u00a0\u00a0protected static HashSet<string> GlobalDisallowedTypesForDeserialization { get; private set; } = BuildDisallowedTypesForDeserialization(); \n \n \n \u00a0\u00a0\u00a0\u00a0protected static HashSet<string> GlobalDisallowedGenericsForDeserialization { get; private set; } = BuildGlobalDisallowedGenericsForDeserialization(); \n \n \n \u00a0\u00a0\u00a0\u00a0public ChainedSerializationBinder() \n \u00a0\u00a0\u00a0\u00a0{ \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0serializationOnly = true; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public ChainedSerializationBinder(DeserializeLocation usageLocation, bool strictMode = false, string[] allowList = null, string[] allowedGenerics = null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0this.strictMode = strictMode; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0allowedTypesForDeserialization = ((allowList != null && allowList.Length != 0) ? new HashSet<string>(allowList) : null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0allowedGenericsForDeserialization = ((allowedGenerics != null && allowedGenerics.Length != 0) ? new HashSet<string>(allowedGenerics) : null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeResolver = typeResolver ?? ((Func<string, Type>)((string s) => Type.GetType(s))); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0location = usageLocation; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override void BindToName(Type serializedType, out string assemblyName, out string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0string text = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0string text2 = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0InternalBindToName(serializedType, out assemblyName, out typeName); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (assemblyName == null && typeName == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0assemblyName = text; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeName = text2; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override Type BindToType(string assemblyName, string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (serializationOnly) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new InvalidOperationException(\"ChainedSerializationBinder was created for serialization only.\u00a0\u00a0This instance cannot be used for deserialization.\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Type type = InternalBindToType(assemblyName, typeName); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (type != null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ValidateTypeToDeserialize(type); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return type; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0protected virtual Type InternalBindToType(string assemblyName, string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return LoadType(assemblyName, typeName); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0protected Type LoadType(string assemblyName, string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Type type = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type = Type.GetType($\"{typeName}, {assemblyName}\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (TypeLoadException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (FileLoadException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (type == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0string shortName = assemblyName.Split(',')[0]; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type = Type.GetType($\"{typeName}, {shortName}\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (TypeLoadException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (FileLoadException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (type == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Assembly[] assemblies = AppDomain.CurrentDomain.GetAssemblies(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0IEnumerable<Assembly> source = assemblies.Where((Assembly x) => shortName == x.FullName.Split(',')[0]); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Assembly assembly = (source.Any() ? 
source.First() : null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (assembly != null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type = assembly.GetType(typeName); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0else \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Assembly[] array = assemblies; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0foreach (Assembly assembly2 in array) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type = assembly2.GetType(typeName); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!(type != null)) \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0continue; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return type; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return type; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0protected virtual void InternalBindToName(Type serializedType, out string assemblyName, out string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0assemblyName = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeName = null; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0protected void ValidateTypeToDeserialize(Type typeToDeserialize) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (typeToDeserialize == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0string fullName = typeToDeserialize.FullName; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool flag = strictMode; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!strictMode && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName)) && GlobalDisallowedTypesForDeserialization.Contains(fullName)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flag = true; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new InvalidOperationException($\"Type {fullName} failed deserialization (BlockList).\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (typeToDeserialize.IsConstructedGenericType) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fullName = typeToDeserialize.GetGenericTypeDefinition().FullName; \n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (allowedGenericsForDeserialization == null || !allowedGenericsForDeserialization.Contains(fullName) || GlobalDisallowedGenericsForDeserialization.Contains(fullName)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new BlockedDeserializeTypeException(fullName, BlockedDeserializeTypeException.BlockReason.NotInAllow, location); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0else if (!AlwaysAllowedPrimitives.Contains(fullName) && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName) || GlobalDisallowedTypesForDeserialization.Contains(fullName)) && !typeToDeserialize.IsArray && !typeToDeserialize.IsEnum && !typeToDeserialize.IsAbstract && !typeToDeserialize.IsInterface) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new BlockedDeserializeTypeException(fullName, BlockedDeserializeTypeException.BlockReason.NotInAllow, location); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (BlockedDeserializeTypeException ex) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DeserializationTypeLogger.Singleton.Log(ex.TypeName, ex.Reason, location, (flag || strictMode) ? 
DeserializationTypeLogger.BlockStatus.TrulyBlocked : DeserializationTypeLogger.BlockStatus.WouldBeBlocked); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (flag) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0private static HashSet<string> BuildDisallowedGenerics() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new HashSet<string> { typeof(SortedSet<>).GetGenericTypeDefinition().FullName }; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0private static HashSet<string> BuildDisallowedTypesForDeserialization() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new HashSet<string> \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Microsoft.Data.Schema.SchemaModel.ModelStore\", \"Microsoft.FailoverClusters.NotificationViewer.ConfigStore\", \"Microsoft.IdentityModel.Claims.WindowsClaimsIdentity\", \"Microsoft.Management.UI.Internal.FilterRuleExtensions\", \"Microsoft.Management.UI.FilterRuleExtensions\", \"Microsoft.Reporting.RdlCompile.ReadStateFile\", \"Microsoft.TeamFoundation.VersionControl.Client.PolicyEnvelope\", \"Microsoft.VisualStudio.DebuggerVisualizers.VisualizerObjectSource\", \"Microsoft.VisualStudio.Editors.PropPageDesigner.PropertyPageSerializationService+PropertyPageSerializationStore\", \"Microsoft.VisualStudio.EnterpriseTools.Shell.ModelingPackage\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Microsoft.VisualStudio.Modeling.Diagnostics.XmlSerialization\", 
\"Microsoft.VisualStudio.Publish.BaseProvider.Util\", \"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\", \"Microsoft.VisualStudio.Web.WebForms.ControlDesignerStateCache\", \"Microsoft.Web.Design.Remote.ProxyObject\", \"System.Activities.Presentation.WorkflowDesigner\", \"System.AddIn.Hosting.AddInStore\", \"System.AddIn.Hosting.Utils\", \"System.CodeDom.Compiler.TempFileCollection\", \"System.Collections.Hashtable\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.ComponentModel.Design.DesigntimeLicenseContextSerializer\", \"System.Configuration.Install.AssemblyInstaller\", \"System.Configuration.SettingsPropertyValue\", \"System.Data.DataSet\", \"System.Data.DataViewManager\", \"System.Data.Design.MethodSignatureGenerator\", \"System.Data.Design.TypedDataSetGenerator\", \"System.Data.Design.TypedDataSetSchemaImporterExtension\", \"System.Data.SerializationFormat\", \"System.DelegateSerializationHolder\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Drawing.Design.ToolboxItemContainer\", \"System.Drawing.Design.ToolboxItemContainer+ToolboxItemSerializer\", \"System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler\", \"System.IdentityModel.Tokens.SessionSecurityToken\", \"System.IdentityModel.Tokens.SessionSecurityTokenHandler\", \"System.IO.FileSystemInfo\", \"System.Management.Automation.PSObject\", \"System.Management.IWbemClassObjectFreeThreaded\", \"System.Messaging.BinaryMessageFormatter\", \"System.Resources.ResourceReader\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Resources.ResXResourceSet\", \"System.Runtime.Remoting.Channels.BinaryClientFormatterSink\", \"System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.BinaryServerFormatterSink\", \"System.Runtime.Remoting.Channels.BinaryServerFormatterSinkProvider\", 
\"System.Runtime.Remoting.Channels.CrossAppDomainSerializer\", \"System.Runtime.Remoting.Channels.SoapClientFormatterSink\", \"System.Runtime.Remoting.Channels.SoapClientFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.SoapServerFormatterSink\", \"System.Runtime.Remoting.Channels.SoapServerFormatterSinkProvider\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\", \"System.Runtime.Serialization.Formatters.Soap.SoapFormatter\", \"System.Runtime.Serialization.NetDataContractSerializer\", \"System.Security.Claims.ClaimsIdentity\", \"System.Security.Claims.ClaimsPrincipal\", \"System.Security.Principal.WindowsIdentity\", \"System.Security.Principal.WindowsPrincipal\", \"System.Security.SecurityException\", \"System.Web.Security.RolePrincipal\", \"System.Web.Script.Serialization.JavaScriptSerializer\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Web.Script.Serialization.SimpleTypeResolver\", \"System.Web.UI.LosFormatter\", \"System.Web.UI.MobileControls.SessionViewState+SessionViewStateHistoryItem\", \"System.Web.UI.ObjectStateFormatter\", \"System.Windows.Data.ObjectDataProvider\", \"System.Windows.Forms.AxHost+State\", \"System.Windows.ResourceDictionary\", \"System.Workflow.ComponentModel.Activity\", \"System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector\", \"System.Xml.XmlDataDocument\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Xml.XmlDocument\" \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0private static HashSet<string> BuildGlobalDisallowedGenericsForDeserialization() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new HashSet<string>(); \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\n**Interesting to note that this doesn\u2019t seem to contain the entries for 
`System.Runtime.Remoting.ObjRef`** which was a new gadget chain just added with <https://github.com/pwntester/ysoserial.net/pull/115> that relies on a rogue .NET remoting server like <https://github.com/codewhitesec/RogueRemotingServer>. There is a writeup on this at <https://codewhitesec.blogspot.com/2022/01/dotnet-remoting-revisited.html> that explains more, but this would allow RCE via a serialized payload attached to the rogue .NET remoting server.\n\nAnyway so from earlier we know that the strict mode is determined via the line `bool strictModeStatus = Microsoft.Exchange.Data.Serialization.Serialization.GetStrictModeStatus(DeserializeLocation.ExchangeCertificateRpc);` so this provides our other bypass. With strict mode off, `ValidateTypeToDeserialize` only logs a type that is missing from the allow list as `WouldBeBlocked` and still lets it through; only types on the deny list (and not on the allow list) are actually rejected, so the deny list is the sole effective control.\n\nLet's check if the result of this is `False` or not:\n\nSo from here we can likely supply a `System.Runtime.Remoting.ObjRef`, take advantage of the lack of strict checking on this, and get the whole exploit to work. The problem now is finding the whole chain to reach this vulnerable call and then trigger the deserialization.\n\n# January 2022 Patch Analysis\n\n * No adjustments to the `ChainedSerializationBinder` deny list at all. 
\n\n\nHere is the Jan 2022 version of the deny list:\n \n \n \u00a0\u00a0\u00a0\u00a0private static HashSet<string> BuildDisallowedTypesForDeserialization() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new HashSet<string> \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Microsoft.Data.Schema.SchemaModel.ModelStore\", \"Microsoft.FailoverClusters.NotificationViewer.ConfigStore\", \"Microsoft.IdentityModel.Claims.WindowsClaimsIdentity\", \"Microsoft.Management.UI.Internal.FilterRuleExtensions\", \"Microsoft.Management.UI.FilterRuleExtensions\", \"Microsoft.Reporting.RdlCompile.ReadStateFile\", \"Microsoft.TeamFoundation.VersionControl.Client.PolicyEnvelope\", \"Microsoft.VisualStudio.DebuggerVisualizers.VisualizerObjectSource\", \"Microsoft.VisualStudio.Editors.PropPageDesigner.PropertyPageSerializationService+PropertyPageSerializationStore\", \"Microsoft.VisualStudio.EnterpriseTools.Shell.ModelingPackage\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Microsoft.VisualStudio.Modeling.Diagnostics.XmlSerialization\", \"Microsoft.VisualStudio.Publish.BaseProvider.Util\", \"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\", \"Microsoft.VisualStudio.Web.WebForms.ControlDesignerStateCache\", \"Microsoft.Web.Design.Remote.ProxyObject\", \"System.Activities.Presentation.WorkflowDesigner\", \"System.AddIn.Hosting.AddInStore\", \"System.AddIn.Hosting.Utils\", \"System.CodeDom.Compiler.TempFileCollection\", \"System.Collections.Hashtable\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.ComponentModel.Design.DesigntimeLicenseContextSerializer\", \"System.Configuration.Install.AssemblyInstaller\", \"System.Configuration.SettingsPropertyValue\", \"System.Data.DataSet\", \"System.Data.DataViewManager\", \"System.Data.Design.MethodSignatureGenerator\", 
\"System.Data.Design.TypedDataSetGenerator\", \"System.Data.Design.TypedDataSetSchemaImporterExtension\", \"System.Data.SerializationFormat\", \"System.DelegateSerializationHolder\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Drawing.Design.ToolboxItemContainer\", \"System.Drawing.Design.ToolboxItemContainer+ToolboxItemSerializer\", \"System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler\", \"System.IdentityModel.Tokens.SessionSecurityToken\", \"System.IdentityModel.Tokens.SessionSecurityTokenHandler\", \"System.IO.FileSystemInfo\", \"System.Management.Automation.PSObject\", \"System.Management.IWbemClassObjectFreeThreaded\", \"System.Messaging.BinaryMessageFormatter\", \"System.Resources.ResourceReader\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Resources.ResXResourceSet\", \"System.Runtime.Remoting.Channels.BinaryClientFormatterSink\", \"System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.BinaryServerFormatterSink\", \"System.Runtime.Remoting.Channels.BinaryServerFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.CrossAppDomainSerializer\", \"System.Runtime.Remoting.Channels.SoapClientFormatterSink\", \"System.Runtime.Remoting.Channels.SoapClientFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.SoapServerFormatterSink\", \"System.Runtime.Remoting.Channels.SoapServerFormatterSinkProvider\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\", \"System.Runtime.Serialization.Formatters.Soap.SoapFormatter\", \"System.Runtime.Serialization.NetDataContractSerializer\", \"System.Security.Claims.ClaimsIdentity\", \"System.Security.Claims.ClaimsPrincipal\", \"System.Security.Principal.WindowsIdentity\", \"System.Security.Principal.WindowsPrincipal\", \"System.Security.SecurityException\", 
\"System.Web.Security.RolePrincipal\", \"System.Web.Script.Serialization.JavaScriptSerializer\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Web.Script.Serialization.SimpleTypeResolver\", \"System.Web.UI.LosFormatter\", \"System.Web.UI.MobileControls.SessionViewState+SessionViewStateHistoryItem\", \"System.Web.UI.ObjectStateFormatter\", \"System.Windows.Data.ObjectDataProvider\", \"System.Windows.Forms.AxHost+State\", \"System.Windows.ResourceDictionary\", \"System.Workflow.ComponentModel.Activity\", \"System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector\", \"System.Xml.XmlDataDocument\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Xml.XmlDocument\" \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}; \n \u00a0\u00a0\u00a0\u00a0}\n \n\nLooking at this in [[Meld]] shows that the deny list for `ChainedSerializationBinder` did not change between November 2021 and January 2022. So we could use `System.Runtime.Remoting.ObjRef` to bypass this deny list, potentially also allowing RCE on the latest version.\n\n * Removed `Microsoft.Exchange.DxStore.Common.DxBinarySerializationUtil` which seemed to have some options for doing unsafe deserialization. 
\n\n \n \n using System;\n using System.IO;\n using FUSE.Weld.Base;\n using Microsoft.Exchange.Diagnostics;\n using Microsoft.Exchange.DxStore.Server;\n \n namespace Microsoft.Exchange.DxStore.Common;\n \n public static class DxBinarySerializationUtil\n {\n \tprivate static readonly string[] allowedTypes = new string[101]\n \t{\n \t\ttypeof(ExceptionUri).FullName,\n \t\ttypeof(Ranges).FullName,\n \t\ttypeof(Range).FullName,\n \t\ttypeof(Target).FullName,\n \t\ttypeof(CommonSettings).FullName,\n \t\ttypeof(DataStoreStats).FullName,\n \t\ttypeof(DxStoreAccessClientException).FullName,\n \t\ttypeof(DxStoreAccessClientTransientException).FullName,\n \t\ttypeof(DxStoreAccessReply).FullName,\n \t\ttypeof(DxStoreAccessReply.CheckKey).FullName,\n \t\ttypeof(DxStoreAccessReply.DeleteKey).FullName,\n \t\ttypeof(DxStoreAccessReply.DeleteProperty).FullName,\n \t\ttypeof(DxStoreAccessReply.ExecuteBatch).FullName,\n \t\ttypeof(DxStoreAccessReply.GetAllProperties).FullName,\n \t\ttypeof(DxStoreAccessReply.GetProperty).FullName,\n \t\ttypeof(DxStoreAccessReply.GetPropertyNames).FullName,\n \t\ttypeof(DxStoreAccessReply.GetSubkeyNames).FullName,\n \t\ttypeof(DxStoreAccessReply.SetProperty).FullName,\n \t\ttypeof(DxStoreAccessRequest).FullName,\n \t\ttypeof(DxStoreAccessRequest.CheckKey).FullName,\n \t\ttypeof(DxStoreAccessRequest.DeleteKey).FullName,\n \t\ttypeof(DxStoreAccessRequest.DeleteProperty).FullName,\n \t\ttypeof(DxStoreAccessRequest.ExecuteBatch).FullName,\n \t\ttypeof(DxStoreAccessRequest.GetAllProperties).FullName,\n \t\ttypeof(DxStoreAccessRequest.GetProperty).FullName,\n \t\ttypeof(DxStoreAccessRequest.GetPropertyNames).FullName,\n \t\ttypeof(DxStoreAccessRequest.GetSubkeyNames).FullName,\n \t\ttypeof(DxStoreAccessRequest.SetProperty).FullName,\n \t\ttypeof(DxStoreAccessServerTransientException).FullName,\n \t\ttypeof(DxStoreBatchCommand).FullName,\n \t\ttypeof(DxStoreBatchCommand.CreateKey).FullName,\n \t\ttypeof(DxStoreBatchCommand.DeleteKey).FullName,\n 
\t\ttypeof(DxStoreBatchCommand.DeleteProperty).FullName,\n \t\ttypeof(DxStoreBatchCommand.SetProperty).FullName,\n \t\ttypeof(DxStoreBindingNotSupportedException).FullName,\n \t\ttypeof(DxStoreClientException).FullName,\n \t\ttypeof(DxStoreClientTransientException).FullName,\n \t\ttypeof(DxStoreCommand).FullName,\n \t\ttypeof(DxStoreCommand.ApplySnapshot).FullName,\n \t\ttypeof(DxStoreCommand.CreateKey).FullName,\n \t\ttypeof(DxStoreCommand.DeleteKey).FullName,\n \t\ttypeof(DxStoreCommand.DeleteProperty).FullName,\n \t\ttypeof(DxStoreCommand.DummyCommand).FullName,\n \t\ttypeof(DxStoreCommand.ExecuteBatch).FullName,\n \t\ttypeof(DxStoreCommand.PromoteToLeader).FullName,\n \t\ttypeof(DxStoreCommand.SetProperty).FullName,\n \t\ttypeof(DxStoreCommand.UpdateMembership).FullName,\n \t\ttypeof(DxStoreCommand.VerifyStoreIntegrity).FullName,\n \t\ttypeof(DxStoreCommand.VerifyStoreIntegrity2).FullName,\n \t\ttypeof(DxStoreCommandConstraintFailedException).FullName,\n \t\ttypeof(DxStoreInstanceClientException).FullName,\n \t\ttypeof(DxStoreInstanceClientTransientException).FullName,\n \t\ttypeof(DxStoreInstanceComponentNotInitializedException).FullName,\n \t\ttypeof(DxStoreInstanceKeyNotFoundException).FullName,\n \t\ttypeof(DxStoreInstanceNotReadyException).FullName,\n \t\ttypeof(DxStoreInstanceServerException).FullName,\n \t\ttypeof(DxStoreInstanceServerTransientException).FullName,\n \t\ttypeof(DxStoreInstanceStaleStoreException).FullName,\n \t\ttypeof(DxStoreManagerClientException).FullName,\n \t\ttypeof(DxStoreManagerClientTransientException).FullName,\n \t\ttypeof(DxStoreManagerGroupNotFoundException).FullName,\n \t\ttypeof(DxStoreManagerServerException).FullName,\n \t\ttypeof(DxStoreManagerServerTransientException).FullName,\n \t\ttypeof(DxStoreReplyBase).FullName,\n \t\ttypeof(DxStoreRequestBase).FullName,\n \t\ttypeof(DxStoreSerializeException).FullName,\n \t\ttypeof(DxStoreServerException).FullName,\n \t\ttypeof(DxStoreServerFault).FullName,\n 
\t\ttypeof(DxStoreServerTransientException).FullName,\n \t\ttypeof(HttpReply).FullName,\n \t\ttypeof(HttpReply.DxStoreReply).FullName,\n \t\ttypeof(HttpReply.ExceptionReply).FullName,\n \t\ttypeof(HttpReply.GetInstanceStatusReply).FullName,\n \t\ttypeof(HttpRequest).FullName,\n \t\ttypeof(HttpRequest.DxStoreRequest).FullName,\n \t\ttypeof(HttpRequest.GetStatusRequest).FullName,\n \t\ttypeof(HttpRequest.GetStatusRequest.Reply).FullName,\n \t\ttypeof(HttpRequest.PaxosMessage).FullName,\n \t\ttypeof(InstanceGroupConfig).FullName,\n \t\ttypeof(InstanceGroupMemberConfig).FullName,\n \t\ttypeof(InstanceGroupSettings).FullName,\n \t\ttypeof(InstanceManagerConfig).FullName,\n \t\ttypeof(InstanceSnapshotInfo).FullName,\n \t\ttypeof(InstanceStatusInfo).FullName,\n \t\ttypeof(LocDescriptionAttribute).FullName,\n \t\ttypeof(PaxosBasicInfo).FullName,\n \t\ttypeof(PaxosBasicInfo.GossipDictionary).FullName,\n \t\ttypeof(ProcessBasicInfo).FullName,\n \t\ttypeof(PropertyNameInfo).FullName,\n \t\ttypeof(PropertyValue).FullName,\n \t\ttypeof(ReadOptions).FullName,\n \t\ttypeof(ReadResult).FullName,\n \t\ttypeof(WcfTimeout).FullName,\n \t\ttypeof(WriteOptions).FullName,\n \t\ttypeof(WriteResult).FullName,\n \t\ttypeof(WriteResult.ResponseInfo).FullName,\n \t\ttypeof(GroupStatusInfo).FullName,\n \t\ttypeof(GroupStatusInfo.NodeInstancePair).FullName,\n \t\ttypeof(InstanceMigrationInfo).FullName,\n \t\ttypeof(KeyContainer).FullName,\n \t\ttypeof(DateTimeOffset).FullName\n \t};\n \n \tprivate static readonly string[] allowedGenerics = new string[6] { \"System.Collections.Generic.ObjectEqualityComparer`1\", \"System.Collections.Generic.EnumEqualityComparer`1\", \"System.Collections.Generic.EqualityComparer`1\", \"System.Collections.Generic.GenericEqualityComparer`1\", \"System.Collections.Generic.KeyValuePair`2\", \"System.Collections.Generic.List`1\" };\n \n \tpublic static void Serialize(MemoryStream ms, object obj)\n \t{\n 
\t\tExchangeBinaryFormatterFactory.CreateSerializeOnlyFormatter().Serialize(ms, obj);\n \t}\n \n \tpublic static object DeserializeUnsafe(Stream s)\n \t{\n \t\treturn ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.HttpBinarySerialize).Deserialize(s);\n \t}\n \n \tpublic static object Deserialize(Stream s)\n \t{\n \t\treturn DeserializeSafe(s);\n \t}\n \n \tpublic static object DeserializeSafe(Stream s)\n \t{\n \t\treturn ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.SwordFish_AirSync, strictMode: false, allowedTypes, allowedGenerics).Deserialize(s);\n \t}\n }\n \n\n * Added in `Microsoft.Exchange.DxStore.Common.IDxStoreDynamicConfig.cs` which has the following code: \n\n \n \n namespace Microsoft.Exchange.DxStore.Common;\n \n public interface IDxStoreDynamicConfig\n {\n \tbool IsRemovePublicKeyToken { get; }\n \n \tbool IsSerializerIncompatibleInitRemoved { get; }\n \n \tbool EnableResolverTypeCheck { get; }\n \n \tbool EnableResolverTypeCheckException { get; }\n }\n \n\n# Exploit Chain\n\nLets start at the deserialization chain and work backwards.\n \n \n Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.DeserializeObject\n Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.ExchangeCertificateRpc(ExchangeCertificateRpcVersion version, byte[] inputBlob, byte[] outputBlob)\n Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServerHelper.GetCertificate(int version, byte[] inputBlob)\n Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServer.GetCertificate(int version, byte[] inputBlob)\n \n\nWe can then use the `Get-ExchangeCertificate` commandlet from <https://docs.microsoft.com/en-us/powershell/module/exchange/get-exchangecertificate?view=exchange-ps> and set a breakpoint inside `Microsoft.Exchange.ExchangeCertificateServicelet.dll` specifically within the 
`Microsoft.Exchange.Servicelets.ExchangeCertificate.GetCertificate` handler.\n\nUnfortunately it seems like the current way things work we are sending a `ExchangeCertificateRpcVersion rpcVersion` with a version of `Version2`.\n\nExploited process is `Microsoft.Exchange.ServiceHost.exe` which runs as `NT AUTHORITY\\SYSTEM`.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-08T00:00:00", "type": "attackerkb", "title": "CVE-2022-21969", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321", "CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21969"], "modified": "2022-02-08T00:00:00", "id": "AKB:0A7DD7B4-3522-4B79-B4A6-3B2A86B2EADE", "href": "https://attackerkb.com/topics/QdE4FMzghj/cve-2022-21969", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-01-19T21:27:02", "description": "Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2022. Traditionally, I will use my open source Vulristics tool for analysis. 
This time I didn't make any changes to how connectors work. The report generation worked correctly on the first try.\n\n`python3.8 vulristics.py --report-type \"ms_patch_tuesday\" --mspt-year 2022 --mspt-month \"January\" --rewrite-flag \"True\"`\n\nThe only thing I have improved is the detection of types of vulnerabilities and vulnerable products. \"Unknown Vulnerability Type\" was reported for two vulnerabilities, so I added the \"Elevation Of Privilege\" and \"Cross-Site Scripting\" spelling options. I added detections for 13 products and 19 Windows components. I also corrected the method for sorting vulnerabilities with the same Vulristics score. Previously, such vulnerabilities were sorted by CVE id; now they are sorted by vulnerability type and product. This allows you to see the clusters of similar vulnerabilities.\n\nEach time I rebuilt the report with the same command, but without recollecting the data:\n\n`python3.8 vulristics.py --report-type \"ms_patch_tuesday\" --mspt-year 2022 --mspt-month \"January\" --rewrite-flag \"False\"`\n\nThe full report is available here:\n\n[ms_patch_tuesday_january2022_report_with_comments_ext_img.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_january2022_report_with_comments_ext_img.html>)\n\nLet's now look at the report. There are 97 vulnerabilities in total. \n\nIf we only look at CVSS:\n\n * Critical: 6\n * High: 63\n * Medium: 28\n * Low: 0\n\nBut according to my Vulristics Vulnerability Score, everything is not so critical:\n\n * Urgent: 0\n * Critical: 1\n * High: 34\n * Medium: 62\n * Low: 0\n\nThe only critical vulnerability became so well after the publication of Patch Tuesday. **Elevation of Privilege** - Windows Win32k (CVE-2022-21882). A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver. Exploitation in the wild is mentioned by Microsoft. 
None of the Vulnerability Management vendors mentioned this vulnerability in their reviews. \n\nNow let's see the High vulnerabilities.\n\n**Remote Code Execution** - HTTP Protocol Stack (CVE-2022-21907). This vulnerability is highlighted by all VM vendors, except for some reason Rapid7. To exploit this vulnerability an unauthenticated attacker could send a specially crafted packet to a vulnerable server utilizing the HTTP Protocol Stack (http.sys) to process packets. No user interaction, no privileges required. Microsoft warns that this flaw is considered wormable and has a flag \u201cExploitation More Likely\u201d. According to the advisory, Windows Server 2019 and Windows 10 version 1809 do not have the HTTP Trailer Support feature enabled by default, however this mitigation does not apply to other affected versions of Windows. While this is definitely more server-centric vulnerability, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug.\n\n**Remote Code Execution** - Remote Procedure Call Runtime (CVE-2022-21922). Microsoft Remote Procedure Call (RPC) defines a powerful technology for creating distributed client/server programs. The RPC run-time stubs and libraries manage most of the processes relating to network protocols and communication. The authenticated attacker with non-admin credentials could take advantage of this vulnerability to execute malicious code through the RPC runtime. It looks like an interesting vulnerability for lateral movement in infrastructure. But for some reason, VM vendors ignored this vulnerability.\n\n**Remote Code Execution** - Microsoft Exchange (CVE-2022-21969, CVE-2022-21846 and CVE-2022-21855). 3 vulnerabilities with the same severity level. Exchange vulnerabilities are always interesting because Exchange servers are usually accessible from the Internet. But this time, these vulnerabilities are less critical. 
They cannot be exploited directly over the public internet (attackers need to be \u201cadjacent\u201d to the target system in terms of network topology).\n\n**Remote Code Execution** - Windows Remote Desktop Client (CVE-2022-21850, CVE-2022-21851) and **Remote Code Execution** - Windows Remote Desktop Protocol (CVE-2022-21893). For all CVEs, an attacker would need to convince a user on an affected version of the Remote Desktop Client to connect to a malicious RDP server. \n\n**Remote Code Execution** - Windows IKE Extension (CVE-2022-21849). Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite. While at this time the details of this vulnerability are limited, a remote attacker could trigger multiple vulnerabilities when the IPSec service is running on the Windows system without being authenticated. \n\nI would also like to draw attention to these vulnerabilities:\n\n**Remote Code Execution** - Microsoft SharePoint (CVE-2022-21837). An attacker can use this vulnerability to gain access to the domain and could perform remote code execution on the SharePoint server to elevate themselves to SharePoint admin.\n\n**Remote Code Execution** - Microsoft Office (CVE-2022-21840) and **Remote Code Execution** - Microsoft Word (CVE-2022-21842). 
Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website \u2013 thankfully the Windows preview pane is not a vector for this attack.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-16T20:17:20", "type": "avleonov", "title": "Microsoft Patch Tuesday January 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21837", "CVE-2022-21840", "CVE-2022-21842", "CVE-2022-21846", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21855", "CVE-2022-21882", "CVE-2022-21893", "CVE-2022-21907", "CVE-2022-21922", "CVE-2022-21969"], "modified": "2022-01-16T20:17:20", "id": "AVLEONOV:D630CE92574B03FCC2E79DCA5007AAFC", "href": "https://avleonov.com/2022/01/16/microsoft-patch-tuesday-january-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:43", "description": 
"[](<https://thehackernews.com/new-images/img/a/AVvXsEjhBjNHjU-yR3MwrRHvUS9tDvlmZ8hZdIuBZLlTiLvekhf4svlWJy4OELJMXg06rTqKY-p4BvsU0T8jjJl6NFi3ByDa_8Bm2AEF0p-kQEfufx4DTJRrPfnWneln3r_fQXG0mtIGvUKcm_8SWaGbR_SFykKEZokaVBdGvVTWLiVQgnyK_Ae02rDLl0eF>)\n\nMicrosoft on Tuesday kicked off its first set of updates for 2022 by [plugging 96 security holes](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan>) across its software ecosystem, while urging customers to prioritize patching for what it calls a critical \"wormable\" vulnerability.\n\nOf the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, with six zero-day publicly known at the time of the release. This is in addition to [29 issues](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are listed as under attack.\n\nThe patches cover a swath of the computing giant's portfolio, including Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).\n\nChief among them is [CVE-2022-21907](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907>) (CVSS score: 9.8), a remote code execution vulnerability rooted in the HTTP Protocol Stack. 
\"In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets,\" Microsoft noted in its advisory.\n\nRussian security researcher Mikhail Medvedev has been credited with discovering and reporting the error, with the Redmond-based company stressing that it's wormable, meaning no user interaction is necessary to trigger and propagate the infection.\n\n\"Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts,\" Danny Kim, principal architect at Virsec, said.\n\nMicrosoft also resolved six zero-days as part of its Patch Tuesday update, two of which are an integration of third-party fixes concerning the open-source libraries curl and libarchive.\n\n * [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>) (CVSS score: N/A) \u2013 Open-Source curl Remote Code Execution Vulnerability\n * [CVE-2021-36976](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>) (CVSS score: N/A) \u2013 Open-Source libarchive Remote Code Execution Vulnerability\n * [CVE-2022-21836](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836>) (CVSS score: 7.8) \u2013 Windows Certificate Spoofing Vulnerability\n * [CVE-2022-21839](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21839>) (CVSS score: 6.1) \u2013 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability\n * [CVE-2022-21874](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874>) (CVSS score: 7.8) \u2013 Windows Security Center API Remote Code Execution Vulnerability\n * [CVE-2022-21919](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919>) (CVSS score: 7.0) \u2013 Windows User Profile Service Elevation of Privilege 
Vulnerability\n\nAnother critical vulnerability of note concerns a remote code execution flaw ([CVE-2022-21849](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21849>), CVSS score: 9.8) in Windows Internet Key Exchange ([IKE](<https://en.wikipedia.org/wiki/Internet_Key_Exchange>)) version 2, which Microsoft said could be weaponized by a remote attacker to \"trigger multiple vulnerabilities without being authenticated.\"\n\nOn top of that, the patch also remediates a number of remote code execution flaws affecting Exchange Server, Microsoft Office ([CVE-2022-21840](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21840>)), SharePoint Server, RDP ([CVE-2022-21893](<https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside>)), and Windows Resilient File System as well as privilege escalation vulnerabilities in Active Directory Domain Services, Windows Accounts Control, Windows Cleanup Manager, and Windows Kerberos, among others.\n\nIt's worth stressing that CVE-2022-21907 and the three shortcomings uncovered in [Exchange Server](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) ([CVE-2022-21846](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21846>), [CVE-2022-21855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21855>), and [CVE-2022-21969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21969>), CVSS scores: 9.0) have all been labeled as \"exploitation more likely,\" necessitating that the patches are applied immediately to counter potential real-world attacks targeting the weaknesses. The U.S. 
National Security Agency (NSA) has been acknowledged for flagging CVE-2022-21846.\n\n\"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate [Log4Shell](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) \u2014 reportedly the worst vulnerability seen in decades,\" Bharat Jogi, director of vulnerability and threat Research at Qualys, said.\n\n\"Events such as Log4Shell [\u2026] bring to the forefront the importance of having an automated inventory of everything that is used by an organization in their environment,\" Jogi added, stating \"It is the need of the hour to automate deployment of patches for events with defined schedules (e.g., MSFT Patch Tuesday), so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk.\"\n\n### Software Patches from Other Vendors\n\nBesides Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-01-01>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Google Chrome](<https://thehackernews.com/2022/01/google-releases-new-chrome-update-to.html>)\n * [Juniper Networks](<https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>), and 
[SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2022-January/thread.html>)\n * Mozilla [Firefox](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/>), [Firefox ESR](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-02>), and [Thunderbird](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/>)\n * [Samba](<https://www.samba.org/samba/history/security.html>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [VMware](<https://thehackernews.com/2022/01/vmware-patches-important-bug-affecting.html>), and\n * [WordPress](<https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/>)\n \n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-12T06:42:00", "type": "thn", "title": "First Patch Tuesday of 2022 Brings Fix for a Critical 'Wormable' Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21849", "CVE-2022-21855", "CVE-2022-21874", "CVE-2022-21893", "CVE-2022-21907", "CVE-2022-21919", "CVE-2022-21969"], "modified": "2022-01-16T08:40:23", "id": "THN:00A15BC93C4697B74FA1D56130C0C35E", "href": "https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-01-12T01:28:08", "description": "Microsoft has addressed a total of 97 security vulnerabilities in its January 2022 Patch Tuesday update \u2013 nine of them rated critical \u2013 including six that are listed as publicly known zero-days.\n\nThe fixes [cover a swath](<https://msrc.microsoft.com/update-guide/>) of the computing giant\u2019s portfolio, including: Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).\n\n\u201cThis is an unusually large update for January,\u201d Dustin Childs, a researcher with Trend Micro\u2019s Zero Day Initiative (ZDI), explained. \u201cOver the last few years, the average number of patches released in January is about half this volume. We\u2019ll see if this volume continues throughout the year. 
It\u2019s certainly a change from the smaller releases that ended 2021 [Microsoft [patched 67 bugs](<https://threatpost.com/exploited-microsoft-zero-day-spoofing-malware/177045/>) in December].\u201d\n\n## **Zero-Day Tsunami**\n\nNone of the zero-days are listed as being actively exploited, though two (CVE-2022-21919 and CVE-2022-21836) have public exploit code available. They are:\n\n * [**CVE-2021-22947**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>): HackerOne-assigned CVE in open-source Curl library (RCE)\n * [**CVE-2021-36976**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>): MITRE-assigned CVE in open-source Libarchive (RCE)\n * [**CVE-2022-21874**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874>): Local Windows Security Center API (RCE, CVSS score of 7.8)\n * [**CVE-2022-21919**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919>): Windows User Profile Service (privilege escalation, CVSS 7.0)\n * [**CVE-2022-21839**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21839>): Windows Event Tracing Discretionary Access Control List (denial-of-service, CVSS 6.1).\n * [**CVE-2022-21836**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836>): Windows Certificate (spoofing, CVSS 7.8).\n\n\u201cThe [cURL bug] was actually disclosed by HackerOne back in September 2021,\u201d Childs said in ZDI\u2019s Patch Tuesday [analysis](<https://www.zerodayinitiative.com/blog/2022/1/11/the-january-2022-security-update-review>). \u201cThis patch includes the latest cURL libraries into Microsoft products. This is why this CVE is listed as publicly known. 
Similarly, the patch for the Libarchive library was also disclosed in 2021, and the latest version of this library is now being incorporated into Microsoft products.\u201d\n\n## **Patch Immediately: Critical, Wormable Bug**\n\nOut of the critical bugs, a remote code-execution (RCE) issue in the HTTP protocol stack stands out for researchers, given that it\u2019s wormable \u2013 i.e., an exploit could self-propagate through a network with no user interaction. It carries the most severe CVSS vulnerability-severity rating of the entire update, coming in at 9.8 on the 10-point scale.\n\nThe bug **([CVE-2022-21907](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907>))** can be exploited by sending specially crafted packets to a system using the HTTP protocol stack (http.sys) to process packets.\n\n\u201cThe CVE targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata, by providing a specially-crafted message that can lead to remote code execution,\u201d Danny Kim, principal architect at Virsec, explained via email.\n\n\u201cNo user interaction, no privileges required and an elevated service add up to a wormable bug,\u201d Childs warned. \u201cWhile this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug. Test and deploy this patch quickly.\u201d\n\nKim noted that CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attack to affect an entire intranet once the attack succeeds.\n\n\u201cThe CVE is the latest example of how software capabilities can be warped and weaponized,\u201d he noted. 
\u201cAlthough Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts.\u201d\n\n## **Other Critical Security Holes for January 2022 \u2013 One Unpatched**\n\nAnother interesting critical-rated RCE issue is **[CVE-2022-21840](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21840>)** in Microsoft Office, which, importantly, does not yet have a patch for Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 (CVSS 8.8).\n\n\u201cMost Office-related RCE bugs are important-severity since they require user interaction and often have warning dialogs, too,\u201d said Childs, noting that the Preview Pane is not the attack vector. \u201cInstead, this bug is likely critical due to the lack of warning dialogs when opening a specially crafted file.\u201d\n\nMicrosoft also patched **[CVE-2022-21846](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21846>)** \u2013 a critical RCE bug in Microsoft Exchange Server reported by the National Security Agency, which is listed as \u201cexploitation more likely\u201d (CVSS 9.0). 
It\u2019s one of three Exchange RCEs being fixed this month (the others are CVE-2022-21969 and CVE-2022-21855), all of which are listed as being \u201cnetwork adjacent,\u201d meaning the attacker would need to be on a target network already to be successful.\n\nDespite the \u201cexploitation more likely\u201d rating, \u201cMicrosoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\nOne of the zero-days is listed as critical too, it should be noted: **[CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>)**, which is the one found in the open-source cURL library used by Windows to transfer data using various network protocols. It allows RCE leading to man-in-the-middle (MiTM) attacks, according to Automox researcher Maarten Buis.\n\n\u201cAn attacker could carry out a MitM attack by exploiting how cURL handles cached or pipelined responses from IMAP, POP3, SMTP or FTP servers,\u201d he explained in [a Tuesday posting](<https://blog.automox.com/automox-experts-weigh-in-january-patch-tuesday-2022>). \u201cThe attacker would inject the fake response, then pass through the TLS traffic from the legitimate server and trick curl into sending the attackers\u2019 data back to the user as valid and authenticated.\u201d\n\nThe public disclosure significantly increases the chances of exploit, he warned.\n\nAnd, a privilege-escalation issue is unusually flagged as critical: **[CVE-2022-21857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21857>)** in Active Directory Domain Services (CVSS 8.8).\n\n\u201cThis patch fixes a bug that allowed attackers to elevate privileges across an Active Directory trust boundary under certain conditions,\u201d Childs said. 
\u201cMicrosoft deemed the flaw sufficient enough for a critical rating. This does require some level of privileges, so again, an insider or other attacker with a foothold in a network could use this for lateral movement and maintaining a presence within an enterprise.\u201d\n\nThere\u2019s another critical privilege-escalation issue, **[CVE-2022-21833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21833>)** in the Virtual Machine IDE Drive (CVSS 7.8), but the complexity is marked high. According to Automox, to exploit it, a threat actor would need to gain access to an underprivileged account, such as through an unsecure user password or an account with minimal access controls, to expose this vulnerability.\n\nThus, \u201cseeing this bug in the wild would likely take quite a bit of work,\u201d Childs said.\n\nTwo critical issues in the DirectX Graphics Kernel carry a rating of 7.8 out of 10 on the CVSS vulnerability-severity scale and allow RCE: **[CVE-2022-21912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21912>)** and **[CVE-2022-21898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21898>)**.\n\nTo exploit these, viewing a specially crafted media file could result in code execution, and are likely present in most systems, according to Automox researcher Jay Goodman.\n\n\u201cThe DirectX graphics kernel is a subsystem that enables internal components like graphics cards and drives or external devices like printers and input devices,\u201d he said. \u201cAttackers could use these remote code execution vulnerabilities to deploy and execute code on a target system. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread to other systems. Common and widespread vulnerabilities like these are critical for attackers trying to steal corporate data or infiltrating sensitive systems. 
It is important for organizations to patch and remediate within the 72 hour window to minimize exposure.\u201d\n\nAnd finally, there\u2019s **[CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>)** in HEVC Video Extensions (RCE, CVSS 7.8).\n\n\u201cSuccessful exploitation would require an attacker to bait an authenticated user into opening a maliciously crafted media file, which would result in remote code execution on the victim\u2019s machine,\u201d explained Automox researcher Justin Knapp. \u201cMicrosoft does not provide mitigation recommendations aside from patching. However, most affected customers will automatically be updated via the Microsoft Store and guidance is provided to check the package version to ensure it has the current update.\u201d\n\nThe monster Patch Tuesday couldn\u2019t come at a worse time, noted Bharat Jogi, director of vulnerability and threat research at Qualys.\n\n\u201cThis massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell \u2013 reportedly the worst vulnerability seen in decades,\u201d he said via email. \u201cUnpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks.\u201d\n\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:54:57", "type": "threatpost", "title": "Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21857", "CVE-2022-21874", "CVE-2022-21898", "CVE-2022-21907", "CVE-2022-21912", "CVE-2022-21917", "CVE-2022-21919", "CVE-2022-21969"], "modified": "2022-01-11T21:54:57", "id": "THREATPOST:05E04E358AB0AB9A5BF524854B34E49D", "href": "https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "qualysblog": [{"lastseen": "2022-01-19T21:27:03", "description": "### Microsoft Patch Tuesday \u2013 January 2022 \n\nMicrosoft patched 126 vulnerabilities in their January 2022 Patch 
Tuesday release. Out of these, nine are rated as critical severity. As of this writing, none of the 126 vulnerabilities are known to be actively exploited. \n\nMicrosoft has fixed problems in their software including Remote Code Execution (RCE) vulnerabilities, privilege escalation security flaws, spoofing bugs, and Denial of Service (DoS) issues. \n\n#### Critical Microsoft Vulnerabilities Patched \n\n[**CVE-2022-21907**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907>)** - HTTP Protocol Stack Remote Code Execution Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of **9.8**/10. This vulnerability affects Windows Servers configured as a webserver. To exploit this vulnerability an unauthenticated attacker could send a specially crafted packet to a vulnerable server utilizing the HTTP Protocol Stack to process packets. This vulnerability is known to be wormable. Exploitability Assessment: _Exploitation More Likely_. \n\n[**CVE-2022-21849**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21849>)** - Windows IKE Extension Remote Code Execution Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of **9.8**/10. This vulnerability affects systems with Internet Key Exchange (IKE) version 2. While at this time the details of this vulnerability are limited, a remote attacker could trigger multiple vulnerabilities when the IPSec service is running on the Windows system without being authenticated. Exploitability Assessment: _Exploitation Less Likely_. \n\n[**CVE-2022-21846**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21846>)** - Microsoft Exchange Server Remote Code Execution Vulnerability** \n\nThis vulnerability was discovered and reported to Microsoft by National Security Agency (NSA). This vulnerability has a CVSSv3.1 score of **9.0**/10. This vulnerability's attack is limited at the protocol level to a logically adjacent topology. 
This means it cannot simply be done across the internet, but instead needs something specifically tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (e.g. local IP subnet), or from within a secure or otherwise limited administrative domain (e.g. MPLS, secure VPN to an administrative network zone). This is common to many attacks that require man-in-the-middle type setups or that rely on initially gaining a foothold in another environment. Exploitability Assessment: _Exploitation More Likely_. \n\n[**CVE-2022-21837**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21837>)** - Microsoft SharePoint Server Remote Code Execution Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of **8.3**/10. An attacker can use this vulnerability to gain access to the domain and could perform remote code execution on the SharePoint server to elevate themselves to SharePoint admin. Assessment: _Exploitation Less Likely_. \n\n[**CVE-2022-21840**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21840>)** - Microsoft Office Remote Code Execution Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of **8.8**/10. This vulnerability can only be exploited if the user opens a specifically crafted file. \n\nIn the case of an email attack, an attacker might take advantage of the vulnerability by emailing the victim a specially constructed file and convincing them to open it. \n\nAn attacker might host a website (or utilize a compromised website that accepts or hosts user-provided content) that contains a specially crafted file tailored to exploit a vulnerability in a web-based attack scenario. Exploitability Assessment: _Exploitation Less Likely_. \n\n### Adobe Patch Tuesday \u2013 January 2022 \n\nAdobe released updates to fix 41 CVEs affecting Adobe Acrobat and Reader, Bridge, Illustrator, InCopy and InDesign. 
Of these 41 vulnerabilities, 22 are treated as Critical. Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical, important, and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, memory leak, application denial of service, security feature bypass and privilege escalation. \n\n### Discover and Prioritize Patch Tuesday Vulnerabilities in VMDR \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query: \n\nvulnerabilities.vulnerability:(qid:`50118` OR qid:`91851` OR qid:`91852` OR qid:`91853` OR qid:`91854` OR qid:`110398` OR qid:`110399` OR qid:`376232`) \n\n\n\n### Respond by Patching \n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go. \n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday. 
\n\n(qid:`50118` OR qid:`91851` OR qid:`91852` OR qid:`91853` OR qid:`91854` OR qid:`110398` OR qid:`110399` OR qid:`376232`) \n\n\n\n### Patch Tuesday Dashboard \n\nThe annual Patch Tuesday dashboard is available in our online Community: [Dashboard Toolbox \u2013 Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>)\n\n### Webinar Series: This Month in Vulnerabilities and Patches\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series: \n\n[This Month in Vulnerabilities and Patches](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>). \n\nWe will discuss this month's high-impact vulnerabilities, including those that are part of January 2022 Patch Tuesday. We will walk you through the steps to address the key vulnerabilities using Qualys VMDR and Patch Management. \n\nWe will cover the significant vulnerabilities published this month: \n\n * Microsoft Patch Tuesday, January 2022 \n * Adobe Patch Tuesday, January 2022 \n\n[Join us live or watch on-demand!](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>) \n\nLive on Thursday, January 13, 2022, or later [on demand](<https://gateway.on24.com/wcc/eh/3347108/category/82812/on-demand-webinars>). \n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly thereafter by query updates for the annual dashboard community article. \n\n### Contributor \n\n[Debra M. 
Fezza Reed](<https://blog.qualys.com/author/dmfezzareed>), Solutions Architect, Subject Matter Expert Dashboards and Reporting", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T23:32:18", "type": "qualysblog", "title": "Microsoft & Adobe Patch Tuesday (January 2022) \u2013 Microsoft 126 Vulnerabilities with 9 Critical, Adobe 41 Vulnerabilities, 22 critical", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21837", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21849", "CVE-2022-21907"], "modified": "2022-01-11T23:32:18", "id": "QUALYSBLOG:AC6278F5B653A98CD5A97D6001369111", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2022-01-19T20:17:21", "description": "**Microsoft** today released updates to plug nearly 120 security holes in **Windows** and supported software. Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems. 
More concerning, Microsoft warns that one of the flaws fixed this month is "wormable," meaning no human interaction would be required for an attack to spread from one vulnerable Windows box to another.\n\n\n\nNine of the vulnerabilities fixed in this month's Patch Tuesday received Microsoft's "critical" rating, meaning malware or miscreants can exploit them to gain remote access to vulnerable Windows systems through no help from the user.\n\nBy all accounts, the most severe flaw addressed today is [CVE-2022-21907,](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907>) a critical, remote code execution flaw in the "**HTTP Protocol Stack**." Microsoft says the flaw affects **Windows 10** and **Windows 11**, as well as **Server 2019** and **Server 2022**.\n\n"While this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug," said **Dustin Childs** from **Trend Micro's Zero Day Initiative**. "Test and deploy this patch quickly."\n\nQuickly indeed. In May 2021, Microsoft patched a similarly critical and wormable vulnerability in the HTTP Protocol Stack; less than a week later, computer code made to exploit the flaw [was posted online](<https://www.bleepingcomputer.com/news/security/exploit-released-for-wormable-windows-http-vulnerability/>).\n\nMicrosoft also fixed three more remote code execution flaws in **Exchange Server**, a technology that hundreds of thousands of organizations worldwide use to manage their email. Exchange flaws are a major target of malicious hackers. Almost a year ago, hundreds of thousands of Exchange servers worldwide were compromised by malware after attackers started mass-exploiting four zero-day flaws in Exchange.\n\nMicrosoft says the limiting factor with these three newly found Exchange flaws is that an attacker would need to be tied to the target's network somehow to exploit them. 
But **Satnam Narang** at **Tenable** notes Microsoft has labeled all three Exchange flaws as "exploitation more likely."\n\n"One of the flaws, [CVE-2022-21846](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21846>), was disclosed to Microsoft by the **National Security Agency**," Narang said. "Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable."\n\nSecurity firm **Rapid7** points out that roughly a quarter of the security updates this month address vulnerabilities in Microsoft's **Edge** browser via Chromium.\n\n"None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today," Rapid7's **Greg Wiseman** said. "This includes two Remote Code Execution vulnerabilities affecting open source libraries that are bundled with more recent versions of Windows: [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22947>), which affects the curl library, and [CVE-2021-36976](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36976>) which affects libarchive."\n\nWiseman said slightly less scary than the HTTP Protocol Stack vulnerability is [CVE-2022-21840](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21840>), which affects all supported versions of Office, as well as Sharepoint Server.\n\n"Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website," he said. "Thankfully the Windows preview pane is not a vector for this attack."\n\nOther patches include fixes for **.NET Framework**, **Microsoft Dynamics**, **Windows Hyper-V**, **Windows Defender**, and the **Windows Remote Desktop Protocol** (RDP). 
As usual, the **SANS Internet Storm Center** has a [per-patch breakdown by severity and impact](<https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+January+2022/28230/>).\n\nStandard disclaimer: Before you update Windows, _please_ make sure you have backed up your system and/or important files. It\u2019s not uncommon for a Windows update package to hose one\u2019s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.\n\nSo do yourself a favor and backup before installing any patches. Windows 10 even has some [built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, [see this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nIf you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a decent chance other readers have experienced the same and may chime in here with useful tips.\n\n**Update, Jan. 12, 9:02 a.m.:** Apparently some of the updates Microsoft released yesterday -- KB5009557 (2019) and KB5009555 (2022) -- are causing something to fail on domain controllers, which then keep rebooting every few minutes. 
That's according to [this growing thread on Reddit](<https://old.reddit.com/r/sysadmin/comments/s21ae1/january_updates_causing_unexpected_reboots_on/>) (hat tip to [@campuscodi](<https://twitter.com/campuscodi/status/1481231994080178180>)).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T22:18:55", "type": "krebs", "title": "\u2018Wormable\u2019 Flaw Leads January 2022 Patch Tuesday", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21907"], "modified": "2022-01-11T22:18:55", "id": "KREBS:62B4C5DD1022EFBE81E351F756E43F36", "href": "https://krebsonsecurity.com/2022/01/wormable-flaw-leads-january-2022-patch-tuesday/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-01-20T15:30:50", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here. Microsoft has fixed 97 vulnerabilities, with nine classified as Critical and 88 as Important and among them 6 zero-days. 
Following are the types of security vulnerabilities reported in multiple Microsoft products: 41 Elevation of Privilege Vulnerabilities, 29 Remote Code Execution Vulnerabilities, 9 Security Feature Bypass Vulnerabilities, 6 Information Disclosure Vulnerabilities, 9 Denial of Service Vulnerabilities, 3 Spoofing Vulnerabilities. Six zero-day vulnerabilities were addressed in January\u2019s Patch Tuesday: CVE-2021-22947: Remote Code-Execution vulnerability in open-source Curl library. CVE-2021-36976: Remote Code-Execution vulnerability in open-source Libarchive. CVE-2022-21874: Remote Code-Execution vulnerability in Local Windows Security Center API. CVE-2022-21919: Privilege escalation vulnerability in Windows User Profile Service. CVE-2022-21839: Denial-of-Service vulnerability in Windows Event Tracing Discretionary Access Control List. CVE-2022-21836: Spoofing vulnerability in Windows Certificate. Some of the critical vulnerabilities are listed below: CVE-2022-21846: Remote Code-Execution vulnerability in Microsoft Exchange Server. CVE-2022-21840: Remote Code-Execution vulnerability in Microsoft Office 365. CVE-2022-21857: Active Directory Domain Services Elevation of Privilege Vulnerability. CVE-2022-21898: Privilege escalation vulnerability in DirectX Graphics. CVE-2022-21912: DirectX Graphics Kernel Remote Code Execution Vulnerability. CVE-2022-21907: HTTP Protocol Stack Remote Code-Execution Vulnerability. CVE-2022-21917: HEVC Video Extensions Remote Code-Execution Vulnerability. Among the critical bugs is a Remote Code-Execution issue (CVE-2022-21907) in the HTTP protocol stack (HTTP.sys), which is used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server. Successful exploitation requires an attacker to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets. 
Hive Pro threat researchers recommend that users prioritize patching this flaw on all the affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and "in most situations," without requiring user interaction. Vulnerability Details Patch Links https://msrc.microsoft.com/update-guide/ References https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Jan-2022.html https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/ https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/ https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/ https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-12T07:30:07", "type": "hivepro", "title": "Microsoft Patch Tuesday fixes critical zero-days along with 97 other flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21836", "CVE-2022-21839", 
"CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21857", "CVE-2022-21874", "CVE-2022-21898", "CVE-2022-21907", "CVE-2022-21912", "CVE-2022-21917", "CVE-2022-21919"], "modified": "2022-01-12T07:30:07", "id": "HIVEPRO:C224B728F67C8D1703A8BF2411600695", "href": "https://www.hivepro.com/microsoft-patch-tuesday-fixes-critical-zero-days-along-with-97-other-flaws/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-01-18T23:27:22", "description": "\n\nThe first Patch Tuesday of 2022 sees Microsoft publishing fixes for over 120 CVEs across the bulk of their product line, including 29 previously patched CVEs affecting their Edge browser via Chromium. None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today. This includes two Remote Code Execution (RCE) vulnerabilities in open source libraries that are bundled with more recent versions of Windows: [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>), which affects the curl library, and [CVE-2021-36976](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>) which affects libarchive.\n\nThe majority of this month\u2019s patched vulnerabilities, such as [CVE-2022-21857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21857>) (affecting Active Directory Domain Services), allow attackers to elevate their privileges on systems or networks they already have a foothold in. \n\n### Critical RCEs\n\nBesides [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22947>) (libcurl), several other Critical RCE vulnerabilities were also fixed. Most of these have caveats that reduce their scariness to some degree. The worst of these is [CVE-2022-21907](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907>), affecting the Windows HTTP protocol stack. 
Although it carries a CVSSv3 base score of 9.8 and is considered potentially \u201cwormable\u201d by Microsoft, similar vulnerabilities have not proven to be rampantly exploited (see the AttackerKB analysis for [CVE-2021-31166](<https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166/rapid7-analysis>)).\n\nNot quite as bad is [CVE-2022-21840](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21840>), which affects all supported versions of Office, as well as Sharepoint Server. Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website \u2013 thankfully the Windows preview pane is not a vector for this attack.\n\n[CVE-2022-21846](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21846>) affects Exchange Server, but cannot be exploited directly over the public internet (attackers need to be \u201cadjacent\u201d to the target system in terms of network topology). This restriction also applies to [CVE-2022-21855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21855>) and [CVE-2022-21969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21969>), two less severe RCEs in Exchange this month.\n\n[CVE-2022-21912](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21912>) and [CVE-2022-21898](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21898>) both affect DirectX Graphics and require local access. [CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>) is a vulnerability in the Windows Codecs library. 
In most cases, systems should automatically get patched; however, some organizations may have the vulnerable codec preinstalled on their gold images and disable Windows Store updates.\n\nDefenders should prioritize patching servers (Exchange, Sharepoint, Hyper-V, and IIS) followed by web browsers and other client software.\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Browser vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21930](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21930>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes \n[CVE-2022-21931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21931>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes \n[CVE-2022-21929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21929>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 2.5 | Yes \n[CVE-2022-21954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21954>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-21970](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21970>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-0120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0120>) | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | No | No | nan | Yes \n[CVE-2022-0118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0118>) | Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | No | No | nan | Yes \n[CVE-2022-0117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0117>) | Chromium: CVE-2022-0117 
Policy bypass in Service Workers | No | No | nan | Yes \n[CVE-2022-0116](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0116>) | Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | No | No | nan | Yes \n[CVE-2022-0115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0115>) | Chromium: CVE-2022-0115 Uninitialized Use in File API | No | No | nan | Yes \n[CVE-2022-0114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0114>) | Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | No | No | nan | Yes \n[CVE-2022-0113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0113>) | Chromium: CVE-2022-0113 Inappropriate implementation in Blink | No | No | nan | Yes \n[CVE-2022-0112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0112>) | Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | No | No | nan | Yes \n[CVE-2022-0111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0111>) | Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | No | No | nan | Yes \n[CVE-2022-0110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0110>) | Chromium: CVE-2022-0110 Incorrect security UI in Autofill | No | No | nan | Yes \n[CVE-2022-0109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0109>) | Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | No | No | nan | Yes \n[CVE-2022-0108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0108>) | Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | No | No | nan | Yes \n[CVE-2022-0107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0107>) | Chromium: CVE-2022-0107 Use after free in File Manager API | No | No | nan | Yes 
\n[CVE-2022-0106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0106>) | Chromium: CVE-2022-0106 Use after free in Autofill | No | No | nan | Yes \n[CVE-2022-0105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0105>) | Chromium: CVE-2022-0105 Use after free in PDF | No | No | nan | Yes \n[CVE-2022-0104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0104>) | Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | No | No | nan | Yes \n[CVE-2022-0103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0103>) | Chromium: CVE-2022-0103 Use after free in SwiftShader | No | No | nan | Yes \n[CVE-2022-0102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0102>) | Chromium: CVE-2022-0102 Type Confusion in V8 | No | No | nan | Yes \n[CVE-2022-0101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0101>) | Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | No | No | nan | Yes \n[CVE-2022-0100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0100>) | Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | No | No | nan | Yes \n[CVE-2022-0099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0099>) | Chromium: CVE-2022-0099 Use after free in Sign-in | No | No | nan | Yes \n[CVE-2022-0098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0098>) | Chromium: CVE-2022-0098 Use after free in Screen Capture | No | No | nan | Yes \n[CVE-2022-0097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0097>) | Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | No | No | nan | Yes \n[CVE-2022-0096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0096>) | Chromium: CVE-2022-0096 Use after free in Storage | No | No | nan | Yes \n \n### 
Developer Tools vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21911](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21911>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n \n### ESU Windows vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21924](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21924>) | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2022-21834](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21834>) | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21919](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21919>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | No \n[CVE-2022-21885](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21885>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21914](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21914>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21920](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21920>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21908](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21908>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21843](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21843>) | Windows IKE Extension Denial of Service Vulnerability | No 
| No | 7.5 | Yes \n[CVE-2022-21883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21883>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21848](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21848>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21889>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21890>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21900>) | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2022-21905](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21905>) | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2022-21880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21880>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21915](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21915>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-21904](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21904>) | Windows GDI Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21903](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21903>) | Windows GDI Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21899>) | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | 
No | No | 5.5 | No \n[CVE-2022-21916](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21916>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21897>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21838](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21838>) | Windows Cleanup Manager Elevation of Privilege Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21836>) | Windows Certificate Spoofing Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2022-21925](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21925>) | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2022-21862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21862>) | Windows Application Model Core API Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21859>) | Windows Accounts Control Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21833>) | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21922](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21922>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21893>) | Remote Desktop Protocol Remote Code Execution Vulnerability | No | No | 8.8 | Yes 
\n[CVE-2022-21850](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21850>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21851](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21851>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21835>) | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21884>) | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21913](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21913>) | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | No | No | 5.3 | No \n[CVE-2022-21857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21857>) | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n### Exchange Server vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21846](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21846>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n[CVE-2022-21855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n[CVE-2022-21969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21969>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n \n### Microsoft Dynamics vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | 
Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21932>) | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | No | No | 7.6 | No \n[CVE-2022-21891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21891>) | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | No | No | 7.6 | No \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21842](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21842>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21837](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21837>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-21840](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21840>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21841>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21895>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21864>) | Windows UI Immersive Server API Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21866>) | Windows System Launcher Elevation of Privilege 
Vulnerability | No | No | 7 | No \n[CVE-2022-21875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21875>) | Windows Storage Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21863>) | Windows StateRepository API Server file Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21874>) | Windows Security Center API Remote Code Execution Vulnerability | No | Yes | 7.8 | No \n[CVE-2022-21892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21892>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21958>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21959>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21960>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21961>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21962>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21963>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No 
| 6.4 | Yes \n[CVE-2022-21928](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21928>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.3 | Yes \n[CVE-2022-21867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21867>) | Windows Push Notifications Apps Elevation Of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21888](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21888>) | Windows Modern Execution Server Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21881>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21879>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 5.5 | No \n[CVE-2022-21849](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21849>) | Windows IKE Extension Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-21901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21901>) | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 9 | Yes \n[CVE-2022-21847](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21847>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-21878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21878>) | Windows Geolocation Service Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21872>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21839](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21839>) | Windows Event 
Tracing Discretionary Access Control List Denial of Service Vulnerability | No | Yes | 6.1 | No \n[CVE-2022-21868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21868>) | Windows Devices Human Interface Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21921](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21921>) | Windows Defender Credential Guard Security Feature Bypass Vulnerability | No | No | 4.4 | No \n[CVE-2022-21906](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21906>) | Windows Defender Application Control Security Feature Bypass Vulnerability | No | No | 5.5 | No \n[CVE-2022-21852](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21852>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21902](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21902>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21896>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21858>) | Windows Bind Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21860>) | Windows AppContracts API Server Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21876>) | Win32k Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21882>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes 
\n[CVE-2022-21887](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21887>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-21873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21873>) | Tile Data Repository Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21861>) | Task Flow Data Engine Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21870>) | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21877>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21894>) | Secure Boot Security Feature Bypass Vulnerability | No | No | 4.4 | No \n[CVE-2022-21964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21964>) | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-22947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-22947>) | Open Source Curl Remote Code Execution Vulnerability | No | Yes | n/a | Yes \n[CVE-2022-21871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21871>) | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21910>) | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No 
\n[CVE-2021-36976](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36976>) | Libarchive Remote Code Execution Vulnerability | No | Yes | n/a | Yes \n[CVE-2022-21907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21907>) | HTTP Protocol Stack Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21912>) | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21898>) | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21918](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21918>) | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-21865](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21865>) | Connected Devices Platform Service Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21869>) | Clipboard User Service Elevation of Privilege Vulnerability | No | No | 7 | No", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-11T21:41:56", "type": "rapid7blog", "title": "Patch Tuesday - 
January 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21907", "CVE-2021-22947", "CVE-2021-31166", "CVE-2021-36976", "CVE-2022-0096", "CVE-2022-0097", "CVE-2022-0098", "CVE-2022-0099", "CVE-2022-0100", "CVE-2022-0101", "CVE-2022-0102", "CVE-2022-0103", "CVE-2022-0104", "CVE-2022-0105", "CVE-2022-0106", "CVE-2022-0107", "CVE-2022-0108", "CVE-2022-0109", "CVE-2022-0110", "CVE-2022-0111", "CVE-2022-0112", "CVE-2022-0113", "CVE-2022-0114", "CVE-2022-0115", "CVE-2022-0116", "CVE-2022-0117", "CVE-2022-0118", "CVE-2022-0120", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21837", "CVE-2022-21838", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21841", "CVE-2022-21842", "CVE-2022-21843", "CVE-2022-21846", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21855", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21891", 
"CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21911", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21917", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21929", "CVE-2022-21930", "CVE-2022-21931", "CVE-2022-21932", "CVE-2022-21954", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963", "CVE-2022-21964", "CVE-2022-21969", "CVE-2022-21970"], "modified": "2022-01-11T21:41:56", "id": "RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "href": "https://blog.rapid7.com/2022/01/11/patch-tuesday-january-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}