Multiple vulnerabilities in Microsoft Windows IKE Extension
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2022-21890 CVE-2022-21843 CVE-2022-21883 CVE-2022-21848 CVE-2022-21849 CVE-2022-21889 |
| CWE-ID | CWE-20 CWE-94 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU59403
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21890
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 7 - 11 21H2
Windows Server: 2008 R2 - 2022
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21890
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU59408
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21843
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 7 - 11 21H2
Windows Server: 2008 R2 - 2022
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21843
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU59407
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21883
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 7 - 11 21H2
Windows Server: 2008 R2 - 2022
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21883
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU59406
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21848
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 7 - 11 21H2
Windows Server: 2008 - 2022
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21848
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Code Injection
EUVDB-ID: #VU59405
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21849
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in Windows IKE Extension. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 10 - 11 21H2
Windows Server: 2016 - 2022
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21849
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU59404
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21889
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Windows IKE Extension. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 7 - 11 21H2
Windows Server: 2008 R2 - 2022
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21889
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
