Skip content

LRQA discovers critical Microsoft vpn vulnerability resulting in essential patch

The race for connectivity during the COVID-19 pandemic left a trail of cyber risk to mitigate. In doing so, LRQA’s cybersecurity team uncovered a potentially critical Microsoft vulnerability before it was exploited.

CVE-2022-21972 is a Windows vulnerability hidden in legacy Microsoft VPN code for decades. It risks most Windows server versions since Windows 7.

Thanks to LRQA, Microsoft released a patch on 10th May 2022. Once installed, you can remove this high-risk vulnerability within your network for good.

Understanding Microsoft’s VPN CVE-2022-21972

CVE-2022-21972 is a Use-After-Free (UAF) vulnerability. This means there is potential to misuse freed memory on a target machine. In this instance, processing a message to the VPN frees up an underlying structure used to store data whilst still in use. This leaves the door open for something unexpected to control or use the freed memory.

To trigger the CVE-2022-21972 vulnerability, two things must happen at the same time: one CPU core must free the memory structure whilst another is still using it. Furthermore, there is a 30-second time limit to make it trigger.

This situation is called a race condition, many things must operate simultaneously to activate the vulnerability. Complex to trigger, it might appear lower risk, yet there is potential for critical damage. That is why Microsoft have scored CVE-2022-21972 as an 8 on the Common Vulnerability Scoring System (CVSS). 10 is considered the highest possible cyber risk.

Read an accompanying blog on our Labs website
exploring the technical detail and code involved
in discovering this vulnerability

What potential risk does this vulnerability pose?

Should the vulnerability trigger, without doubt, any server would crash. Unexpected activity processing in the freed memory would ensure this. Thankfully, CVE-2022-21972 cannot trigger on desktops (even though the Microsoft patch covers this too).

But the potential risk is far greater than a system crash.

At LRQA, our vulnerability research team established how CVE-2022-21972 could become a full-scale exploit in the hands of an accomplished cyber-attacker. With the patch now released, we can safely look to fully understand the ultimate risk.

Fundamentally, an attacker could take remote control of the freed memory and install code on the server. Alarmingly, this remote access would remain under the radar of any anti-virus software.

From this point, CVE-2022-21972 has the potential to become ‘wormable’. In other words, it could quickly spread from one VPN server to another causing widespread damage. The attackers would have unprecedented control. Accelerating the spread, no user interaction would be necessary. If the server was running and connected to the internet, the attacker could gain access.

Small and medium-sized businesses at risk

As the Microsoft VPN is an entry-level option, this vulnerability presents the greatest risk to smaller operators.

During the COVID-19 pandemic, business IT developed rapidly as everyone rushed to achieve remote productivity. This was often at the expense of sufficient security review or mitigation of potential risk.

For businesses with a cloud infrastructure, perhaps using Azure too, opting for a Microsoft VPN running on a Windows server was an obvious choice.

What many IT teams forget is that Microsoft typically installs more software than you need, ensuring backwards compatibility and choice. Post-install configuration is, therefore, vital – yet often overlooked.

In this case, the VPN protocol includes legacy code developed decades ago. Whilst having the code ensures backward compatibility, most organisations do not need it.

Therefore, to ensure a more robust system, every business must uninstall or disable software and features they do not need.

Working with Microsoft to establish the cause

Once a software vulnerability has been discovered, releasing a patch takes time. LRQA reported CVE-2022-21972 to Microsoft on 29th October 2021. Microsoft released the patch six months later, on 10th May 2022.

In fact, we informed Microsoft about two high-risk vulnerabilities within its legacy VPN protocol. A fix for the second is also within the 10th May patch.

LRQA worked closely with Microsoft for several months, establishing clear proof of concept and creating a reliable trigger for its hardware and operating system configuration. Without doing this, Microsoft cannot determine the root cause. Once at this point, Microsoft can develop a fix to release in a patch.

Install the patch now

Many businesses delay installing Microsoft patches, often by months. They are put off by short-term disruption in-house as they might have to go offline briefly and interrupt operations.

Our advice is simple. Do not delay, patch now.

As an alternative, your IT team might consider disabling the VPN protocol that is causing the vulnerability. It is far easier – and faster – to install Microsoft’s patch.

CVE-2022-21972, and detail on how it triggers, is now publicly available to you, and cyber-attackers across the globe.

This is exactly the scenario WannaCry exploited in 2017. They targeted known Microsoft weaknesses in organisations that delayed patching to eliminate them. 200,000 computers across 150 countries were affected, leading to multiple ransomware demands and damage running into billions of dollars.

As skilled attackers research the CVE-2022-21972 vulnerability, we could potentially see associated malware circulating, this will not take long. Cybercriminals want to take advantage of patching delays, do not let that be your organisation. Talk to your IT team today and ensure they are aware of the Microsoft patch released on 10th May. Then, install it as soon as possible.


You can read an accompanying blog on our LRQA Cyber Labs articles exploring the technical detail and code involved in discovering this vulnerability here.