Forum Discussion
GKrembsler
Jan 13, 2023, Copper Contributor
CVE 2022 41099
Hi, as a CISO and security consultant, I want to know the extent of the impact of this vulnerability. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099 My current understanding ...
GKrembsler
Jan 15, 2023, Copper Contributor
Hi, here's what I did:
ReAgentc.exe /disable
Dism /Get-ImageInfo /ImageFile:c:\windows\system32\recovery\winre.wim /index:1
dism /mount-Wim /wimfile:c:\windows\system32\recovery\winre.wim /index:1 /MountDir:c:\temp\winre-mount
dism /Add-Package /image:"c:\temp\Winre-mount" /packagepath:"c:\temp\windows10.0-kb5019961-x64_bc5dc8a94f416fbcc5a85709ad09f1741f395b40.msu"
dism /image:c:\temp\winre-mount /Get-Packages >c:\temp\get-packages.txt
dism /image:c:\temp\winre-mount /cleanup-image /StartComponentCleanup /ResetBase
dism /Unmount-Image /MountDir:c:\temp\winre-mount /commit
ReAgentc.exe /enable
This brought up the info:
REAGENTC.EXE: Windows RE kann auf einem Volume mit aktivierter BitLocker-Laufwerkverschlüsselung nicht aktiviert werden.
In English this means that WinRE cannot be activated on a computer with activated BitLocker.
I also checked the size of the resulting wim and shrank it with an additional dism command. Same result.
Even writing back the original wim (I saved a backup) is not possible.
On a second computer I just used the /disable and directly after this the /enable - same error.
What would be very helpful is information about the attack itself to be able to calculate the risk.
What is happening if one is writing back an "unpatched" wim directly to the partition by mounting it first? Will this mean that an attacker can replay the wim with an unpatched version and will be able to disable BitLocker after that?
Thanks for any answer or reaction...
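The DISM sequence in the post above, as an added example that is not part of the thread, rewritten as a PowerShell script with the checks an administrator would want before touching winre.wim: keep a backup, verify that the KB actually shows up in the mounted image before committing, and discard the mount on any error. It assumes the DISM PowerShell module (Mount-WindowsImage and friends) is available, that the .msu lies at the path named in the post, and that it runs from an elevated prompt; the KB identifier is taken from the file name in the post, and the paths are the same temporary ones the post uses.

```powershell
# Added example, not code from the thread. Same steps as the post's DISM commands,
# with a backup, a package-presence check before commit, and rollback on error.
# Assumptions: elevated session, DISM PowerShell module present, .msu at $MsuPath.

$ErrorActionPreference = 'Stop'

$WinRe    = "$env:SystemRoot\System32\Recovery\winre.wim"
$MountDir = 'C:\temp\winre-mount'
# File name as given in the post; adjust to the update you are actually applying.
$MsuPath  = 'C:\temp\windows10.0-kb5019961-x64_bc5dc8a94f416fbcc5a85709ad09f1741f395b40.msu'
$KbId     = 'KB5019961'
$Backup   = 'C:\temp\winre.wim.bak'

# 1. Show the current recovery state, then disable WinRE so the wim is not in use.
reagentc.exe /info
reagentc.exe /disable
if ($LASTEXITCODE -ne 0) { throw "reagentc /disable failed with exit code $LASTEXITCODE" }

# 2. Keep an untouched copy of the image (the post relies on such a backup).
if (-not (Test-Path $Backup)) { Copy-Item -Path $WinRe -Destination $Backup }

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

try {
    # 3. Mount index 1 of winre.wim read/write.
    Mount-WindowsImage -ImagePath $WinRe -Index 1 -Path $MountDir | Out-Null

    # Skip the install if the package is already in the image.
    $before = Get-WindowsPackage -Path $MountDir | Where-Object PackageName -like "*$KbId*"
    if ($before) {
        Write-Host "$KbId already present in WinRE, nothing to add."
    } else {
        # 4. Inject the update into the offline image.
        Add-WindowsPackage -Path $MountDir -PackagePath $MsuPath | Out-Null
    }

    # 5. Verify the package is listed before anything is written back to the wim.
    $after = Get-WindowsPackage -Path $MountDir | Where-Object PackageName -like "*$KbId*"
    if (-not $after) { throw "$KbId not found in the mounted image after Add-WindowsPackage; discarding changes." }

    # 6. Reclaim space from superseded components (as in the post), then commit.
    dism.exe "/Image:$MountDir" /Cleanup-Image /StartComponentCleanup /ResetBase
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    Write-Warning $_
    # Discard the mount so a half-applied image never reaches winre.wim.
    Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
    throw
}

# 7. Re-enable WinRE and show the resulting state. The post reports that this
#    step fails on a BitLocker-protected volume, so the exit code is surfaced
#    instead of being silently ignored.
reagentc.exe /enable
if ($LASTEXITCODE -ne 0) { Write-Warning "reagentc /enable returned $LASTEXITCODE; WinRE is still disabled." }
reagentc.exe /info
```

The package-presence check in step 5 is the part worth keeping even if you prefer the raw dism.exe commands: without it, a failed Add-Package followed by an Unmount-Image /commit leaves you with a resized but still unpatched winre.wim, which is exactly the state the post's file-size comparison cannot distinguish from a patched one.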
PeterRising
Jan 15, 2023, MVP
I agree that this is something that should be getting more attention than it is. I have to admit that I was not aware of it and there seems not to be much info or awareness out there.
Have you seen these pages? Lots of interesting detail and debate, and some scripts that may work.
https://www.reddit.com/r/sysadmin/comments/10a1enh/how_are_you_updating_winre_to_address_cve202241099/
https://www.elevenforum.com/t/important-issue-to-be-aware-of-if-you-use-bitlocker-on-your-os-drive.11818/page-2#post-244851
- GKrembsler, Jan 15, 2023, Copper Contributor
PeterRising,
Yes Peter - I know them all, searching for answers.
There are two issues:
1st - how to patch WinRE - this is something I can handle. There's also a script on github going a different way and copying a patched wim file to replace the unpatched version directly in the partition. But all this is not a solution, as if I am able to replace the wim directly, everybody can extract the unpatched version out of any ISO image in any version.
2nd - if this is the problem I can see, this is a high risk in my risk table, and if I go through all the options I can no longer trust BitLocker! To say something about this risk I'd need info about the attack itself. Without it, I cannot make any trustworthy comment. If the issue is built into the wim, there's no way to prevent someone from mounting this wim on a separate disk, booting the computer and using it to crack BitLocker. So neither disabling WinRE nor deleting it from the HD will be a solution.
If this becomes true, we have a really big problem with nearly every Windows computer.
I hope Microsoft will give info about the attack itself. If not we can only "guess", and in this case my reaction as CISO would be to disable any BitLocker and replace it with a different solution.
Non-encrypted disks on a computer is no way ...
- hipslu, Jan 17, 2023, Copper Contributor
In my understanding, blocking booting from external media and requiring a PIN (pre-boot auth) would be needed to be on the safe side again - what do you think?
- GKrembsler, Jan 17, 2023, Copper Contributor
Hello hipslu,
I do not think this is a solution.
The attacker needs to have physical access to the computer. If so, I'd take the "HDD" and put it into a different system.
There I can do whatever is needed. So none of your suggestions would be a handicap for me 😉
But - maybe if there's something in the way the attack is working, for example if we need to have access to the machine's TPM - it would be a different picture.
At the moment I can only hope that we will get information so it is possible to calculate the risk and find a solution.