Jan 12 2023 07:16 PM - edited Jan 12 2023 07:17 PM
Hi,
As a CISO and security consultant, I want to know the extent of the impact of this vulnerability.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099
My current understanding is that it affects all current versions of Windows. Defender for Endpoint, on the other hand, shows me very few affected systems. Also, the problem does not appear to be resolvable. After I applied the update in WinRE, re-enabling it with ReAgentc.exe /enable was simply blocked.
Is this an indication that the problem persists?
There is currently no indication of how the attack is carried out, but this is certainly not a problem for the relevant attacker groups.
The impact is rated "high" in terms of confidentiality, even by Microsoft.
I see a huge problem here!
Almost all computers on the market come with WinRE. Thus, any stolen computer can easily become a victim. All data stored encrypted on it becomes accessible.
From a CISO's point of view, this is a horror scenario and demands appropriate reactions.
What do you think about this - am I just panicking unnecessarily or is this actually a huge problem?
Jan 15 2023 02:40 AM
Jan 15 2023 02:52 AM
Hi, here's what I did:
ReAgentc.exe /disable
dism /Get-ImageInfo /ImageFile:c:\windows\system32\recovery\winre.wim /index:1
dism /Mount-Wim /WimFile:c:\windows\system32\recovery\winre.wim /index:1 /MountDir:c:\temp\winre-mount
dism /Add-Package /Image:"c:\temp\winre-mount" /PackagePath:"c:\temp\windows10.0-kb5019961-x64_bc5dc8a94f416fbcc5a85709ad09f1741f395b40.msu"
dism /Image:c:\temp\winre-mount /Get-Packages > c:\temp\get-packages.txt
dism /Image:c:\temp\winre-mount /Cleanup-Image /StartComponentCleanup /ResetBase
dism /Unmount-Image /MountDir:c:\temp\winre-mount /Commit
ReAgentc.exe /enable
This brought up the info:
REAGENTC.EXE: Windows RE cannot be enabled on a volume with BitLocker Drive Encryption enabled. [translated from German]
This means that WinRE cannot be activated on a computer with BitLocker enabled.
I also checked the size of the resulting wim and shrank it with an additional dism command. Same result.
Even writing back the original wim (I saved a backup) is not possible.
On a second computer I just used the /disable and directly after this the /enable - same error.
What would be very helpful is information about the attack itself, to be able to calculate the risk.
What happens if one writes back an "unpatched" wim directly to the partition by mounting it first? Will this mean that an attacker can replay the wim with an unpatched version and will be able to disable BitLocker after that?
Thanks for any answer or reaction...
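The same servicing sequence as a PowerShell script, added here as an example; it is not the poster's commands and not Microsoft's own PatchWinREScript. It uses the Safe OS Dynamic Update .cab that Microsoft's WinRE servicing guidance (KB5025175) specifies for winre.wim instead of the cumulative update .msu, and it records the image build before and after so a silent no-op is caught. The package path, the mount directory, and the presence of a recovery partition with enough room for the patched WIM are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not the poster's commands, not Microsoft's PatchWinREScript):
# disable / mount / add-package / cleanup / commit / enable as one script,
# with fail-fast error handling, rollback and a before/after build check.
[CmdletBinding()]
param(
    # ASSUMPTION: the Safe OS Dynamic Update .cab matching this OS build has
    # already been downloaded from the Microsoft Update Catalog to this path.
    [string]$SafeOsPackage = 'C:\temp\SafeOS-DU.cab',
    # ASSUMPTION: scratch mount directory on a volume with a few GB free.
    [string]$MountDir      = 'C:\temp\winre-mount',
    # Staged WinRE image; this is where 'reagentc /disable' puts it.
    [string]$WinReWim      = "$env:SystemRoot\System32\Recovery\winre.wim"
)

$ErrorActionPreference = 'Stop'

function Invoke-Checked {
    # ReAgentc is a classic exe: it reports failure via exit code, not an
    # exception, so wrap it and stop on the first failure.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Record the starting state. ReAgentc refuses to enable WinRE onto a
#    BitLocker-protected OS volume, so note where WinRE currently lives
#    (recovery partition vs. OS volume) and the OS volume's protection status.
reagentc /info
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus

# 2. Disable WinRE. This stages winre.wim back under System32\Recovery,
#    which is the copy that gets serviced.
Invoke-Checked reagentc @('/disable')
if (-not (Test-Path $WinReWim)) {
    throw "winre.wim not staged at $WinReWim after reagentc /disable"
}
Copy-Item $WinReWim "$WinReWim.bak" -Force        # unpatched copy for rollback

# 3. Capture the image build before servicing so the result can be verified.
$before = Get-WindowsImage -ImagePath $WinReWim -Index 1
"Before: Version {0}  SPBuild {1}" -f $before.Version, $before.SPBuild

# 4. Mount, inject the Safe OS DU, trim superseded components, commit.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
try {
    Add-WindowsPackage -Path $MountDir -PackagePath $SafeOsPackage | Out-Null
    # Equivalent of dism /Cleanup-Image /StartComponentCleanup /ResetBase:
    # keeps the WIM small enough to fit back into the recovery partition.
    Repair-WindowsImage -Path $MountDir -StartComponentCleanup -ResetBase | Out-Null
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Never leave a half-serviced image behind: discard and restore the backup.
    Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
    Copy-Item "$WinReWim.bak" $WinReWim -Force
    throw
}

# 5. Verify the package actually changed the image before trusting it.
$after = Get-WindowsImage -ImagePath $WinReWim -Index 1
"After:  Version {0}  SPBuild {1}" -f $after.Version, $after.SPBuild
if ($after.Version -eq $before.Version -and $after.SPBuild -eq $before.SPBuild) {
    throw 'WinRE image version did not change; the Safe OS package was not applied'
}

# 6. Re-enable WinRE. If this fails with the BitLocker error quoted in the
#    post, check 'reagentc /info' and the disk layout: the patched WIM must
#    land on a recovery partition, not on the encrypted OS volume.
Invoke-Checked reagentc @('/enable')
reagentc /info
```

Run it elevated after placing the Safe OS DU .cab at the assumed path; the script aborts and restores the backed-up winre.wim if the package fails to apply, and the final `reagentc /info` shows whether WinRE is enabled again and on which partition it ended up.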
Jan 15 2023 03:10 AM
Jan 15 2023 04:11 AM - edited Jan 15 2023 04:13 AM
@PeterRising,
Yes Peter, I know them all, searching for answers.
There are two issues:
1st - how to patch WinRE - this is something I can handle. There's also a script on GitHub going a different way and copying a patched wim file to replace the unpatched version directly in the partition. But this all is not a solution, as if I am able to replace the wim directly, everybody can extract the unpatched version out of any ISO image in any version.
2nd - if this is the problem I can see, this is a high risk in my risk table, and if I go through all the options I can no longer trust BitLocker!
To say something about this risk I'd need info about the attack itself. Without it, I cannot make any trustworthy comment. If the issue is built into the wim, there's no way to prevent one from mounting this wim on a separate disk, booting the computer and using it to crack BitLocker. So neither disabling WinRE nor deleting it from the HD will be a solution.
If this becomes true, we have a really big problem with nearly every Windows computer.
I hope Microsoft will give info about the attack itself. If not, we can only "guess", and in this case my reaction as CISO would be to disable any BitLocker and replace it with a different solution.
Non-encrypted disks on a computer are no way ...
Jan 17 2023 01:33 AM
Jan 17 2023 06:17 AM
Jan 17 2023 06:25 AM
Jan 17 2023 06:41 AM
Jan 24 2023 11:56 AM
Jan 24 2023 01:54 PM
BitLocker is not secure no matter the vulnerability, btw. It can easily be decrypted with a small memdump or memory capture. There are tools to just boot that stuff up and decrypt.
So if your concern is encryption, then BitLocker is an issue.
Mar 20 2023 03:26 AM