Forum Discussion
CVE-2022-41099
Have you seen these pages? Lots of interesting detail and debate, and some scripts that may work.
https://www.reddit.com/r/sysadmin/comments/10a1enh/how_are_you_updating_winre_to_address_cve202241099/
https://www.elevenforum.com/t/important-issue-to-be-aware-of-if-you-use-bitlocker-on-your-os-drive.11818/page-2#post-244851
PeterRising,
Yes Peter, I know them all, searching for answers.
There are two issues:
1st - how to patch WinRE - this is something I can handle. There's also a script on GitHub going a different way and copying a patched wim file to replace the unpatched version directly in the partition. But all this is not a solution, as if I am able to replace the wim directly, everybody can extract the unpatched version out of any ISO image in any version.
2nd - if this is the problem I can see, this is a high risk in my risk table, and if I go through all the options I can no longer trust BitLocker!
To say something about this risk I'd need info about the attack itself. Without it, I can not make any trustworthy comment. If the issue is built into the wim, there's no way to prevent someone from mounting this wim on a separate disk, booting the computer and using it to crack BitLocker. So neither disabling the WinRE nor deleting it from the HD will be a solution.
If this becomes true, we have a really big problem with nearly every Windows computer.
I hope Microsoft will give info about the attack itself. If not we can only "guess", and in this case my reaction as CISO would be to disable any BitLocker and replace it with a different solution.
Non-encrypted disks on a computer is no way ...
- hipslu (Jan 17, 2023, Copper Contributor)
In my understanding, blocking booting from external media and requiring a PIN (pre-boot auth) would be needed to be on the safe side again - what do you think?
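The mitigation hipslu proposes can be checked on a given machine. The following PowerShell audit is an added example, not a script from this thread or from Microsoft: it lists the BitLocker key protectors on the OS volume, flags whether a TPM+PIN (pre-boot authentication) protector is present, and reads the WinRE status from reagentc. It assumes Windows 10/11 with the built-in BitLocker module and reagentc.exe, an elevated prompt, and an English locale for parsing the reagentc output.

```powershell
# Added example (not from the thread). Assumes: Windows 10/11, built-in
# BitLocker PowerShell module, reagentc.exe present, run elevated, English locale.
# Reports whether the OS volume has a pre-boot PIN protector and whether WinRE is enabled.

$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectorTypes = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

# TpmPin and TpmPinStartupKey are the protector types that require a PIN before the OS boots.
$hasPreBootPin = ($protectorTypes -contains 'TpmPin') -or ($protectorTypes -contains 'TpmPinStartupKey')
$hasTpmOnly    = $protectorTypes -contains 'Tpm'

[PSCustomObject]@{
    Volume           = $osVolume.MountPoint
    ProtectionStatus = $osVolume.ProtectionStatus
    ProtectorTypes   = ($protectorTypes -join ', ')
    PreBootPin       = $hasPreBootPin
    TpmOnlyProtector = $hasTpmOnly
} | Format-List

# WinRE status: reagentc /info prints a "Windows RE status:" line (English locale assumed).
$reInfo   = & reagentc.exe /info
$reMatch  = $reInfo | Select-String -Pattern 'Windows RE status:\s*(\w+)' | Select-Object -First 1
$reStatus = if ($reMatch) { $reMatch.Matches[0].Groups[1].Value } else { 'unknown' }
"WinRE status: $reStatus"

if ($hasTpmOnly -and -not $hasPreBootPin) {
    Write-Warning "OS volume is protected by TPM only; no pre-boot PIN protector is configured."
}
```

Run it per machine or wrap it in a loop over hosts with Invoke-Command to get an inventory of which systems lack pre-boot authentication; the thread's later point still applies, namely that a PIN alone does not address the WinRE image itself, so the WinRE status line is reported alongside.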
- GKrembsler (Jan 17, 2023, Copper Contributor)
Hello hipslu,
I do not think this is a solution.
The attacker needs to have physical access to the computer. If so, I'd take the "HDD" and put it into a different system.
There I can do whatever is needed. So none of your suggestions would be a handicap for me 😉
But - maybe if there's something in the way the attack is working, for example if we need to have access to the machine's TPM - it would be a different picture.
At the moment I can only hope that we will get information so it is possible to calculate the risk and find a solution.
- hipslu (Jan 17, 2023, Copper Contributor)
Hi GKrembsler,
since the key is stored in the TPM, taking out the HDD would not help much - this is no risk IMHO.