CVE-2022-21993 Overview
CVE-2022-21993 is an information disclosure vulnerability in the Windows Services for NFS ONCRPC XDR Driver. The flaw allows a remote, unauthenticated attacker to read sensitive memory contents from affected Windows systems over the network. Microsoft disclosed the issue on February 9, 2022 as part of its monthly security update cycle. The vulnerability affects a broad range of Windows client and server versions where the Services for NFS role or feature is enabled. The EPSS probability of 23.968% places this issue in the 96th percentile, indicating elevated exploitation likelihood compared to most CVEs.
Critical Impact
A network-accessible attacker can disclose confidential information from kernel memory on Windows hosts running Services for NFS, with no authentication or user interaction required.
Affected Products
- Microsoft Windows 10 (multiple builds: 1607, 1809, 1909, 20H2, 21H1, 21H2)
- Microsoft Windows 11, Windows 8.1, and Windows RT 8.1
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and Server 20H2
Discovery Timeline
- 2022-02-09 - CVE-2022-21993 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21993
Vulnerability Analysis
The vulnerability resides in the Open Network Computing Remote Procedure Call (ONCRPC) External Data Representation (XDR) driver shipped with Windows Services for Network File System (NFS). XDR is the serialization format used to encode arguments and results passed between NFS clients and servers. When the driver processes malformed or specially crafted XDR-encoded RPC messages, it returns memory contents that should not be exposed to the caller. The result is an information disclosure primitive accessible over the network.
Services for NFS is an optional Windows feature that enables Windows hosts to act as NFS servers or clients for UNIX and Linux interoperability. Systems with this role enabled expose the ONCRPC listener and are reachable through this attack path.
Root Cause
The defect is classified under NVD-CWE-noinfo, and Microsoft has not published the underlying memory-handling detail. Based on the CVSS impact profile, the driver leaks data without affecting integrity or availability. The condition is consistent with improper bounds handling or uninitialized memory disclosure during XDR parsing in the kernel-mode driver.
Attack Vector
Exploitation occurs over the network against the RPC endpoint used by Services for NFS, typically TCP/UDP port 2049 and the portmapper on port 111. The attacker sends crafted ONCRPC requests with malformed XDR payloads. No credentials or user interaction are required. Successful exploitation returns memory fragments that may contain sensitive kernel data useful for further attacks, including bypassing address space layout randomization (ASLR).
No public proof-of-concept code or exploit module is currently documented for CVE-2022-21993, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft Security Update Guide for vendor technical detail.
Detection Methods for CVE-2022-21993
Indicators of Compromise
- Unexpected inbound traffic to TCP/UDP ports 111 (portmapper) and 2049 (NFS) from external or unauthorized internal sources.
- Malformed ONCRPC requests with truncated, oversized, or non-conforming XDR fields directed at Windows hosts running the Services for NFS role.
- Repeated RPC NULL or unusual procedure calls against NFS endpoints suggesting reconnaissance or probing.
Detection Strategies
- Inventory Windows endpoints and servers where the ServerForNFS or ClientForNFS Windows features are installed and enabled.
- Inspect network flow data for unauthorized clients establishing sessions to NFS RPC services.
- Apply intrusion detection signatures that flag malformed XDR structures and anomalous ONCRPC framing on port 2049.
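The "truncated, oversized, or non-conforming XDR fields" indicator can be checked against the ONC RPC framing in RFC 5531. This is an added example, not code from the advisory or from Microsoft: a generic conformance check for one TCP record-marked RPC call, not a signature for the undisclosed defect. The function name and the sample frames are constructed for illustration.

```python
import struct

NFS_PROGRAM = 100003   # ONC RPC program number assigned to NFS
MAX_AUTH_BODY = 400    # RFC 5531: opaque_auth body is at most 400 bytes

def check_rpc_call(record):
    """Return conformance findings for one TCP record-marked ONC RPC call."""
    if len(record) < 4:
        return ["truncated: no record marker"]
    frag_len = struct.unpack(">I", record[:4])[0] & 0x7FFFFFFF  # low 31 bits
    body = record[4:]
    findings = []
    if frag_len != len(body):
        findings.append(f"record marker declares {frag_len} bytes, {len(body)} present")
    if len(body) < 24:
        return findings + ["truncated: fixed call header is 24 bytes"]
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", body[:24])
    if mtype != 0:
        findings.append(f"msg_type {mtype} is not CALL")
    if rpcvers != 2:
        findings.append(f"rpcvers {rpcvers} is not 2")
    offset = 24
    for name in ("cred", "verf"):          # two opaque_auth structures follow
        if offset + 8 > len(body):
            return findings + [f"truncated: {name} header missing"]
        flavor, length = struct.unpack(">II", body[offset:offset + 8])
        offset += 8
        if length > MAX_AUTH_BODY:
            return findings + [f"oversized: {name} length {length} > {MAX_AUTH_BODY}"]
        padded = (length + 3) & ~3         # XDR pads opaque data to 4 bytes
        if offset + padded > len(body):
            return findings + [f"truncated: {name} declares {length} bytes past end of record"]
        offset += padded
    return findings

# Constructed sample frames (NFSv3 NULL call header, AUTH_NONE credentials).
def _record(body):
    return struct.pack(">I", 0x80000000 | len(body)) + body

HDR = struct.pack(">6I", 0x1234, 0, 2, NFS_PROGRAM, 3, 0)
AUTH_NONE = struct.pack(">II", 0, 0)
GOOD = _record(HDR + AUTH_NONE + AUTH_NONE)
OVERSIZED = _record(HDR + struct.pack(">II", 0, 4096) + AUTH_NONE)
TRUNCATED = _record(HDR + struct.pack(">II", 1, 64) + b"\x00" * 8)
```

ONC RPC over UDP carries no record marker, so a UDP variant of this check would start at the call header.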
Monitoring Recommendations
- Enable Windows Filtering Platform (WFP) and firewall logging for connections to NFS-related ports and correlate with asset inventory.
- Forward Windows event logs and network telemetry to a centralized analytics platform for retention and detection rule execution.
- Alert on patch state drift for the February 2022 cumulative updates across all in-scope Windows builds.
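One way to turn firewall logging into the "unexpected inbound traffic to ports 111 and 2049" indicator is to parse the Windows Defender Firewall log and compare sources against an allowlist. This is an added example, not part of the original advisory; the authorized range, the function name and the log lines are constructed assumptions.

```python
import ipaddress

NFS_PORTS = {"111", "2049"}   # portmapper and NFS, as listed in the advisory
# Assumption: authorized NFS client range for this environment (constructed).
AUTHORIZED = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample in the pfirewall.log layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2022-02-10 09:14:02 ALLOW TCP 10.0.5.23 10.0.1.10 51322 2049 0 - 0 0 0 - - - RECEIVE
2022-02-10 09:14:07 ALLOW UDP 203.0.113.45 10.0.1.10 40211 111 0 - - - - - - - RECEIVE
2022-02-10 09:14:09 DROP TCP 10.0.9.77 10.0.1.10 49800 2049 0 - 0 0 0 - - - RECEIVE
2022-02-10 09:15:30 ALLOW TCP 10.0.1.10 10.0.5.23 2049 51322 0 - 0 0 0 - - - SEND
"""

def unauthorized_nfs_hits(log_text, authorized=AUTHORIZED):
    """Return inbound log entries to NFS ports from sources outside the allowlist."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("path") != "RECEIVE" or row.get("dst-port") not in NFS_PORTS:
            continue                        # only inbound traffic to 111/2049
        try:
            src = ipaddress.ip_address(row["src-ip"])
        except (KeyError, ValueError):
            continue                        # skip rows without a parsable source
        if not any(src in net for net in authorized):
            hits.append((row["date"], row["time"], row["action"],
                         row["protocol"], str(src), row["dst-port"]))
    return hits
```

Both allowed and dropped entries are returned, since a dropped probe from an unexpected source is still worth correlating with the asset inventory.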
How to Mitigate CVE-2022-21993
Immediate Actions Required
- Apply the February 2022 Microsoft security updates that address CVE-2022-21993 to all affected Windows client and server builds.
- Identify hosts with Services for NFS enabled and prioritize patching for any system exposing NFS ports beyond trusted segments.
- Restrict inbound access to TCP/UDP 111 and 2049 to authorized NFS clients using host firewalls and network ACLs.
Patch Information
Microsoft released security updates addressing CVE-2022-21993 on February 9, 2022. Patch identifiers vary by operating system and build; consult the Microsoft Security Update Guide for the exact KB numbers applicable to each affected Windows version.
Workarounds
- Disable Services for NFS on hosts that do not require UNIX or Linux file sharing interoperability using Disable-WindowsOptionalFeature -Online -FeatureName ServerForNFS-Infrastructure.
- Block external access to the NFS RPC endpoints (ports 111 and 2049) at the perimeter and internal segmentation firewalls.
- Limit NFS client connectivity to known IP ranges via Windows Defender Firewall inbound rules until patches are deployed.
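# Configuration example: disable Server for NFS and restrict NFS ports
# Remove the NFS server and client features where they are not required
Disable-WindowsOptionalFeature -Online -FeatureName ServerForNFS-Infrastructure
Disable-WindowsOptionalFeature -Online -FeatureName ClientForNFS-Infrastructure
# Block inbound NFS (2049) and portmapper (111) on both TCP and UDP
New-NetFirewallRule -DisplayName "Block-NFS-2049" -Direction Inbound `
    -Protocol TCP -LocalPort 2049 -Action Block
New-NetFirewallRule -DisplayName "Block-NFS-2049-UDP" -Direction Inbound `
    -Protocol UDP -LocalPort 2049 -Action Block
New-NetFirewallRule -DisplayName "Block-Portmap-111" -Direction Inbound `
    -Protocol TCP -LocalPort 111 -Action Block
New-NetFirewallRule -DisplayName "Block-Portmap-111-UDP" -Direction Inbound `
    -Protocol UDP -LocalPort 111 -Action Block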

