CVE 2022 41099


Hi,

As a CISO and security consultant, I want to know the extent of the impact of this vulnerability.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099
My current understanding is that it affects all current versions of Windows. Defender for Endpoint, on the other hand, shows me very few affected systems. Also, the problem does not appear to be resolvable. After I applied the update in WinRE, re-enabling it with ReAgentc.exe /enable was simply blocked.
Is this an indication that the problem persists?
There is currently no indication of how the attack is carried out, but this is certainly not a problem for the relevant attacker groups.
The impact is rated "high" in terms of confidentiality, even by Microsoft.
I see a huge problem here!
Almost all computers on the market come with WinRE. Thus, any stolen computer can easily become a victim. All data stored encrypted on it becomes accessible.
From a CISO's point of view, this is a horror scenario and demands appropriate reactions.
What do you think about this - am I just panicking unnecessarily, or is this actually a huge problem?

11 Replies
Hi, could you please elaborate on what happened when the ReAgentc.exe /enable action was blocked? Did this produce an error? Also, did you run the update on a running PC or an offline image?

@PeterRising 

Hi, here's what I did:

rem Disable WinRE so winre.wim is no longer in use, then inspect and mount index 1
ReAgentc.exe /disable
Dism /Get-ImageInfo /ImageFile:c:\windows\system32\recovery\winre.wim /index:1
dism /Mount-Wim /WimFile:c:\windows\system32\recovery\winre.wim /index:1 /MountDir:c:\temp\winre-mount
rem Add the update package to the mounted image (straight quotes; curly quotes break dism)
dism /Add-Package /Image:"c:\temp\winre-mount" /PackagePath:"c:\temp\windows10.0-kb5019961-x64_bc5dc8a94f416fbcc5a85709ad09f1741f395b40.msu"
dism /Image:c:\temp\winre-mount /Get-Packages >c:\temp\get-packages.txt
rem Shrink the image, commit the changes and re-enable WinRE
dism /Image:c:\temp\winre-mount /Cleanup-Image /StartComponentCleanup /ResetBase
dism /Unmount-Image /MountDir:c:\temp\winre-mount /Commit
ReAgentc.exe /enable

This brought up the info:

REAGENTC.EXE: Windows RE kann auf einem Volume mit aktivierter BitLocker-Laufwerkverschlüsselung nicht aktiviert werden.

In English this means that WinRE cannot be activated on a computer with BitLocker activated.

I also checked the size of the resulting wim and shrank it with an additional dism command. Same result.

Even writing back the original wim (I saved a backup) is not possible.

On a second computer I just used the /disable and directly after this the /enable - same error.

What would be very helpful is information about the attack itself, to be able to calculate the risk.

What is happening if one is writing back an "unpatched" wim directly to the partition by mounting it first? Will this mean that an attacker can replay the wim with an unpatched version and will be able to disable BitLocker after that?

Thanks for any answer or reaction...
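The same patching sequence as an added PowerShell example (not from the thread, Microsoft, or any project): it uses the DISM module cmdlets instead of dism.exe, keeps a backup of winre.wim, and only commits the mounted image after confirming that a package was actually added, restoring the backup otherwise. It assumes an elevated PowerShell session and the MSU filename quoted in the post; the C:\temp mount and backup locations are placeholders.

```powershell
$ErrorActionPreference = 'Stop'
# Paths: the winre.wim location and the KB5019961 MSU name come from the post above;
# the mount directory and backup file are assumed placeholders.
$WinRe    = 'C:\Windows\System32\Recovery\winre.wim'
$MountDir = 'C:\temp\winre-mount'
$Msu      = 'C:\temp\windows10.0-kb5019961-x64_bc5dc8a94f416fbcc5a85709ad09f1741f395b40.msu'
$Backup   = 'C:\temp\winre-backup.wim'

# 1. Disable WinRE so the wim is accessible, then keep a copy for rollback.
reagentc.exe /disable | Out-Null
if (-not (Test-Path $WinRe)) { throw "winre.wim not found at $WinRe" }
Copy-Item -Path $WinRe -Destination $Backup -Force
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

try {
    # 2. Mount index 1 read/write and record the packages already present.
    Mount-WindowsImage -ImagePath $WinRe -Index 1 -Path $MountDir | Out-Null
    $before = (Get-WindowsPackage -Path $MountDir).PackageName

    # 3. Add the update (same MSU as the dism /Add-Package step in the post).
    Add-WindowsPackage -Path $MountDir -PackagePath $Msu | Out-Null

    # 4. Verify the image actually gained a package before committing; if not,
    #    the catch block discards the mount and restores the backup.
    $after = (Get-WindowsPackage -Path $MountDir).PackageName
    $added = $after | Where-Object { $_ -notin $before }
    if (-not $added) { throw 'no new package in the mounted image' }
    Write-Host "Added: $($added -join ', ')"

    # 5. Same size reduction as the post's /StartComponentCleanup /ResetBase step.
    Repair-WindowsImage -Path $MountDir -StartComponentCleanup -ResetBase | Out-Null
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    Write-Warning "Patching failed: $_"
    Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
    Copy-Item -Path $Backup -Destination $WinRe -Force
}
finally {
    # 6. Re-enable WinRE; the post reports this failing on BitLocker volumes,
    #    so surface the exit code and the resulting status instead of ignoring it.
    reagentc.exe /enable
    if ($LASTEXITCODE -ne 0) { Write-Warning "reagentc /enable exited with $LASTEXITCODE" }
    reagentc.exe /info
}
```

Compare the "Windows RE status" line of the final reagentc /info output before and after the run to see whether re-enabling succeeded on a given machine.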

I agree that this is something that should be getting more attention than it is. I have to admit that I was not aware of it and there seems not to be much info or awareness out there.

Have you seen these pages? Lots of interesting detail and debate, and some scripts that may work.

https://www.reddit.com/r/sysadmin/comments/10a1enh/how_are_you_updating_winre_to_address_cve20224109...
https://www.elevenforum.com/t/important-issue-to-be-aware-of-if-you-use-bitlocker-on-your-os-drive.1...

@PeterRising,
Yes Peter - I know them all, searching for answers.
There's two issues:
1st - how to patch WinRE - this is something I can handle. There's also a script on GitHub going a different way and copying a patched wim file to replace the unpatched version directly in the partition. But all this is not a solution, as if I am able to replace the wim directly, everybody can extract the unpatched version out of any ISO image in any version.

2nd - if this is the problem I can see, this is a high risk in my risk table, and if I go through all the options I can no longer trust BitLocker!

To say something about this risk I'd need info about the attack itself. Without it, I cannot make any trustworthy comment. If the issue is built into the wim, there's no way to prevent someone from mounting this wim on a separate disk, booting the computer and using it to crack BitLocker. So neither disabling WinRE nor deleting it from the HD will be a solution.

If this becomes true, we have a really big problem with nearly every Windows computer.

I hope Microsoft will give info about the attack itself. If not, we can only "guess", and in this case my reaction as CISO would be to disable BitLocker and replace it with a different solution.

Non-encrypted disks on a computer are no way ...

In my understanding, blocking booting from external media and requiring a PIN (pre-boot auth) would be needed to be on the safe side again - what do you think?
Hello @hipslu,
I do not think this is a solution.
The attacker needs to have physical access to the computer. If so, I'd take the "HDD" and put it into a different system.
There I can do whatever is needed. So none of your suggestions would be a handicap for me 😉
But - maybe if there's something in the way the attack is working, for example if we need to have access to the machine's TPM - it would be a different picture.
At the moment I can only hope that we will get information so it is possible to calculate the risk and find a solution.
Hi @GKrembsler,
since the key is stored in the TPM, taking out the HDD would not help much - this is no risk IMHO.
Well @hipslu,
as long as I do not understand the attack, everything is "speculative".
Here's a link to a different conversation about this issue:
https://www.reddit.com/r/sysadmin/comments/10atdqe/is_bitlocker_forever_compromised/
In the absence of a definitive answer on this, I would recommend logging a ticket with Microsoft to get their guidance on why you can't successfully apply the update to WinRE.

BitLocker is not secure no matter the vulnerability, btw. It can easily be decrypted with a small memdump or memory capture. There are tools to just boot that stuff up and decrypt.

So if your concern is encryption, then BitLocker is an issue.

Most of my estate does not have WinRE but I have detected a small number. Anyone know how I could deploy a vulnerable WinRE to a test client? To allow us to test the PowerShell script ahead of a limited production deployment?