CVE-2022-21993

7.5 HIGH

📋 TL;DR

This vulnerability in Windows Services for NFS ONCRPC XDR Driver allows attackers to read sensitive information from kernel memory. It affects Windows systems with NFS services enabled, potentially exposing credentials or other sensitive data.

💻 Affected Systems

Products:
  • Windows Services for NFS
Versions: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 10, Windows 11
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Windows Services for NFS is installed and enabled. Not installed by default on most Windows systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could extract sensitive kernel memory contents including credentials, encryption keys, or other system secrets leading to privilege escalation or lateral movement.

🟠 Likely Case

Information disclosure of kernel memory contents that could aid in further attacks or expose sensitive system information.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing unauthorized access to NFS services.

🌐 Internet-Facing: MEDIUM - Only affects systems with NFS services exposed to untrusted networks, which is less common for internet-facing systems.
🏢 Internal Only: MEDIUM - Internal systems with NFS services could be targeted by authenticated attackers on the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to have access to the NFS service and the ability to send specially crafted requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2022 security updates (KB5009557 for Windows 10 21H2, KB5009555 for Windows 10 21H1, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21993

Restart Required: Yes

Instructions:

1. Install the January 2022 Windows security updates from Windows Update.
2. Alternatively, download and install the specific KB patch for your Windows version.
3. Restart the system to complete the installation.

🔧 Temporary Workarounds

Disable Windows Services for NFS

Remove or disable the vulnerable component if it is not required.

PowerShell:
Remove-WindowsFeature FS-NFS-Service

Command Prompt:
dism /online /disable-feature /featurename:ServerForNFS-Infrastructure

Network segmentation

Restrict access to NFS services using firewall rules.

PowerShell:
New-NetFirewallRule -DisplayName "Block NFS" -Direction Inbound -Protocol TCP -LocalPort 2049 -Action Block

🧯 If You Can't Patch

  • Disable Windows Services for NFS if not required for business operations
  • Implement strict network access controls to limit which systems can access NFS services

🔍 How to Verify

Check if Vulnerable:

Check if Windows Services for NFS is installed:

Get-WindowsFeature FS-NFS-Service | Select-Object Installed

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that the January 2022 security updates are installed, substituting the KB number relevant to your Windows version:

Get-HotFix -Id KB5009557, KB5009555
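
Added example (not part of the original advisory): a single PowerShell function that combines the checks above (feature state, the KBs named on this page, and whether TCP 2049 is listening) into one triage result per host. The function name Get-NfsExposure and the verdict labels are hypothetical; the KB list contains only the two IDs this page mentions and must be extended for other builds.

```powershell
# Added example: triage one host for CVE-2022-21993 exposure.
# Only the two KB IDs named on this page are listed; add the January 2022
# KB for your own Windows build (assumption: taken from the vendor advisory).
$PageKbs = @('KB5009557', 'KB5009555')

function Get-NfsExposure {
    [CmdletBinding()]
    param([string[]]$KbIds = $PageKbs)

    # Get-WindowsFeature ships with the ServerManager module (Windows Server).
    # Where it is missing, the feature state stays $null (unknown).
    $featureInstalled = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $featureInstalled = (Get-WindowsFeature -Name FS-NFS-Service).Installed
    }

    # Get-HotFix raises an error for every ID it cannot find, so suppress
    # errors and keep only the IDs that are actually present.
    $foundKbs = @(Get-HotFix -Id $KbIds -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID)

    # Is anything listening on the NFS TCP port right now?
    $listening = [bool](Get-NetTCPConnection -LocalPort 2049 -State Listen `
        -ErrorAction SilentlyContinue)

    # A missing KB is not proof of vulnerability: a later cumulative update
    # can supersede it, or the listed KB may not apply to this build.
    $verdict = if ($featureInstalled -eq $false -and -not $listening) {
        'NfsNotInstalled'
    } elseif ($foundKbs.Count -gt 0) {
        'ListedKbPresent'
    } else {
        'ReviewNeeded'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        FeatureInstalled = $featureInstalled
        Port2049Listen   = $listening
        ListedKbsFound   = $foundKbs -join ','
        Verdict          = $verdict
    }
}

Get-NfsExposure | Format-List
```

A ReviewNeeded verdict means the host should be checked by hand against the vendor advisory, not that it is confirmed vulnerable.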

📡 Detection & Monitoring

Log Indicators:

  • Unusual NFS service activity in Windows Event Logs
  • Failed authentication attempts to NFS services

Network Indicators:

  • Unusual traffic to NFS port 2049
  • Multiple failed NFS protocol requests

SIEM Query:

source="windows" AND (event_id=4625 OR event_id=4771) AND service_name="NFS"
