Forum Discussion

GKrembsler's avatar
GKrembsler
Copper Contributor
Jan 13, 2023

CVE 2022 41099

Hi, As a CISO and security consultant, I want to know the extent of the impact of this vulnerability. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099 My current understanding ...
microsoft defender for endpoint
security
GKrembsler's avatar
GKrembsler
Copper Contributor
Jan 15, 2023

PeterRising 

Hi, here's what i did:

 

ReAgentc.exe /disable
Dism /Get-ImageInfo /ImageFile:c:\windows\system32\recovery\winre.wim /index:1
dism /mount-Wim /wimfile:c:\windows\system32\recovery\winre.wim /index:1 /MountDir:c:\temp\winre-mount
dism /Add-Package /image:”c:\temp\Winre-mount” /packagepath:”c:\temp\windows10.0-kb5019961-x64_bc5dc8a94f416fbcc5a85709ad09f1741f395b40.msu”
dism /image:c:\temp\winre-mount /Get-Packages >c:\temp\get-packages.txt
dism /image:c:\temp\winre-mount /cleanup-image /StartComponentCleanup /ResetBase
dism /Unmount-Image /MountDir:c:\temp\winre-mount /commit
ReAgentc.exe /enable

 

This brought up the info:

REAGENTC.EXE: Windows RE kann auf einem Volume mit aktivierter BitLocker-Laufwerkverschlüsselung nicht aktiviert werden.

 

In english this means that WinRE can not be activated on a computer with activated bitlocker.

 

I also checked the size of the resulting wim and shrinked it with an additional dism command. same result.

 

Even writing back the original wim (i saved a backup) is not possible.

 

On a second computer i just used the /disable and directly after this the /enable - same error.

 

What would be very helpfull is an information about the attack itself to be able to calculate the risk.

 

What is happening if one is writing back a "unpatched" wim directly to the partition by mounting it first. Will this meam that an attacker can replay the wim with an unpatched version an will be alobe to disable Bitlocker after that?

 

Thanks for any answer or reaction...

Resources