[German]Another small addendum to the January 2023 patchday (January 10, 2023). Administrators should make sure that their Windows servers acting as domain controllers are up to date with the latest patches. This is because two serious vulnerabilities in the Lightweight Directory Access Protocol (LDAP) have been closed with the January 2023 updates.
Advertising
There are two serious vulnerabilities in Windows Lightweight Directory Access Protocol (LDAP) that have been closed with the January 2023 security updates. I had not addressed it in the overview of my blog post Microsoft Security Update Summary (January 10, 2023). I also didn't find anything in Microsoft's support articles dealing with the indivual January 2023 security updates.
Two LDAP vulnerabilities
But German blog reader Dennis Könn alerted me about some vulnerabilities in a private message on Facebook (thanks for that). And he posted a link to a blog post from MVP Sander Berkower. Berkower points out the two serious LDAP vulnerabilities that have also been disclosed by Microsoft.
- CVE-2023-21676: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability; CVSSv3-Score 8.8/7.7; this vulnerability in Lightweight Directory Access Protocol (LDAP) allows an authenticated attacker to remotely execute code on Windows Server installations that are configured as domain controllers. The attack is a low-complexity attack over the network.
- CVE-2023-21557: Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability; CVSSv3-Score 7.5/6.5; the vulnerability in Windows Lightweight Directory Access Protocol (LDAP) allows an unauthenticated attacker to bypass a buffer length check. This can be exploited for an information leak, meaning attackers can grab information. To achieve this, all that is required is to send a specially crafted request over the network to a vulnerable domain controller.
These vulnerabilities exist in all Windows client and Windows server versions that are still supported. Microsoft considers this so critical that the Windows Server 2008 and Windows Server 2008 R2 operating systems have also been provided with updates via the ESU program.
List of Windows updates
I have pulled out the list of individual January 2023 updates for the supported versions of Windows below. The exact details of which security update closes one of the CVEs for which Windows is listed in Microsoft's CVEs linked above.
- KB5022291: Windows Server 2022
- KB5022303: Windows 11 22H2
- KB5022287: Windows 11 21H2
- KB5022282: Windows 10 Version 20H2 – 22H2
- KB5022286: Windows 10 Enterprise 2019 LTSC /Windows Server 2019
- KB5022289: Windows 10 Version 1607, Windows Server 2016
- KB5022297: Windows 10 Version 1507
- KB5022352: (Monthly Rollup) Windows 8.1; Windows Server 2012 R2
- KB5022346: (Security Only Quality Update) Windows 8.1; Windows Server 2012 R2
- KB5022348: (Monthly Rollup) Windows Server 2012, Windows Embedded 8 Standard
- KB5022343 :(Security-only Update) Windows Server 2012, Windows Embedded 8 Standard
- KB5022338: (Monthly Quality Rollup) Windows 7 SP1, Windows Server 2008 R2 SP1
- KB5022339: (Security-only update) Windows 7 SP1, Windows Server 2008 R2 SP1
Administrators should examine these updates in their test environments for their impact on domain controllers and then install them in production environments. I reported about problems with the installation of updates in January 2023 (especially with Windows Server 20212 R2) in the blog post Windows January 2023 patchday issues and also suggested workarounds.
Advertising
Similar articles:
Microsoft Office Updates (January 3, 2022)
Microsoft Security Update Summary (January 10, 2023)
Patchday: Windows 10 Updates (January 10, 2023)
Patchday: Windows 11/Server 2022 Updates (January 10, 2023)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (January 10, 2023)
Patchday: Microsoft Office Updates (January 10, 2023)
Exchange Server Security Updates (January 10, 2023)
Windows January 2023 patchday issues
