
Downloading CVE-2022-41099 Patch and SSU files


Collaboration with Martin Himken

This post and the WinRE patching script on Martin's blog at https://manima.de are the result of a collaboration between Martin and I to help mutually improve our various efforts towards patching CVE-2022-41099.


This article relates to CVE-2022-41099, a vulnerability in the Windows Recovery Environment (WinRE) that allows an attacker with physical access to a device to bypass BitLocker Device Encryption on the system drive and read the encrypted data.

If you're running Windows 10 or 11 you might have come across CVE-2022-41099, a vulnerability in the Windows Recovery Environment (WinRE) that lets an attacker bypass BitLocker if they can boot the device into WinRE. This is a serious vulnerability and Microsoft has released a fix for it. However, the fix is not applied automatically: installing the monthly cumulative update on the running OS does not update the WinRE image, so you need to take action to patch WinRE yourself.

Martin Himken has written a script to patch the WinRE image and I've written a script to download and stage the cumulative update and servicing stack update (SSU) files it needs. The link to Martin's blog is at the top of this post and is repeated at the end.

This script takes a few parameters to control its behaviour. Parameter documentation follows:

Parameter    Type           Description
PatchFolder  DirectoryInfo  The folder to download the patch files to. If not specified, C:\RMM\CVEs\2022-41099\ will be used.
All          Switch         If specified, the script downloads the patch files for all supported versions and available architectures of Windows 10 and 11. If not specified, it downloads only the patch files for the version of Windows running on the device.
-All

Using the -All parameter downloads a lot of files and takes a long time to complete. Only use it if you are patching a large number of devices or want to prepare a cache to serve files from.

Downloading all files consumes roughly 4.9 GB of disk space.

The Script

<#
.SYNOPSIS
Downloads the applicable patch for CVE-2022-41099 from Microsoft Update Catalog.
.DESCRIPTION
This script will download the applicable patch for CVE-2022-41099 from Microsoft Update Catalog. It will detect the OS version and bitness and download the correct patch. This uses the January 2023 Servicing Stack Update (SSU) as the ultimate target.
.PARAMETER PatchFolder
Accepts the path to a folder to download the patch(es) to.
.PARAMETER All
Download the patches and SSUs for every supported build and architecture into per-KB, per-architecture subfolders.
.EXAMPLE
This example will download the applicable patch for CVE-2022-41099 to the folder C:\RMM\CVEs\2022-41099\.

Get-CVE202241099Patches.ps1 -PatchFolder 'C:\RMM\CVEs\2022-41099\'
.EXAMPLE
This example will download all patches for CVE-2022-41099 to the folder C:\RMM\CVEs\2022-41099\, with subfolders for each KB and architecture.

Get-CVE202241099Patches.ps1 -PatchFolder 'C:\RMM\CVEs\2022-41099\' -All
.NOTES
Version: 1.3
Description: Use `$ProgressPreference` to speed up execution. Thanks to https://github.com/CodyRWhite for the suggestion.
-----------------------
Version: 1.2
Description: Fix a bug on line 82 where a hashtable of architectures was attempted to be accessed using the Windows build number. Thanks to Sir Loin of House WinAdmins for spotting this. (Yes, it's a Game of Thrones reference. So original.)
-----------------------
Version: 1.1
Description: Adds handling for 19044.
-----------------------
Version: 1.0
Description: Initial release.
Initial creation date: 16.01.2023
.LINK
https://homotechsual.dev
#>
# We're targeting the January 2023 CU as the version to patch to. The CVE page links to the
# November 2022 CU, but the January 2023 CU is the latest version and refers again to the
# vulnerability, so it seems safer to patch to that version. ARM64 links are included but the
# script does not handle ARM64 detection yet. Where applicable we also download the latest SSU.
[CmdletBinding()]
param (
    # The path to the folder to download the patch(es) to.
    [System.IO.DirectoryInfo]$PatchFolder = 'C:\RMM\CVEs\2022-41099\',
    # Download all patches including SSUs. Useful if you want to populate a staging folder. Creates a subfolder for each.
    [Switch]$All
)
# Invoke-WebRequest updates its progress bar for every buffer it writes, which makes large
# downloads very slow. Silence it for the duration of the script and restore it afterwards.
$OriginalProgressPreference = $ProgressPreference
$ProgressPreference = 'SilentlyContinue'
# Windows build number (as reported by [Environment]::OSVersion) to the KB that carries the fix for that build.
$BuildtoKBMap = @{
    22623 = 5022303 # Windows 11 22H2 (Beta Channel build)
    22621 = 5022303 # Windows 11 22H2
    22000 = 5022287 # Windows 11 21H2
    19045 = 5022282 # Windows 10 22H2
    19044 = 5022282 # Windows 10 21H2
    19043 = 5022282 # Windows 10 21H1
    19042 = 5021233 # Windows 10 20H2
}
# KB number to the Microsoft Update Catalog download URL for each architecture the KB ships for.
$KBtoMSUMap = @{
    # KB5022303 - January 2023
    5022303 = @{
        'x64'   = 'https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2023/01/windows11.0-kb5022303-x64_87d49704f3f7312cddfe27e45ba493048fdd1517.msu'
        'ARM64' = 'https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2023/01/windows11.0-kb5022303-arm64_4c207b992ed272bbdbfb35d77f0458548a7b86d1.msu'
    }
    # KB5022287 - January 2023
    5022287 = @{
        'x64'   = 'https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2023/01/windows10.0-kb5022287-x64_55641f1989bae2c2d0f540504fb07400a0f187b3.msu'
        'ARM64' = 'https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/01/windows10.0-kb5022287-arm64_7d26e9ef2c00ce384e19d4ca234052e378747a05.msu'
    }
    # KB5022282 - January 2023
    5022282 = @{
        'x86'   = 'https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2023/01/windows10.0-kb5022282-x86_5fb142aca9e3f8c7ed37df9e7806b7f7f56d9599.msu'
        'x64'   = 'https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2023/01/windows10.0-kb5022282-x64_fdb2ea85e921869f0abe1750ac7cee34876a760c.msu'
        'ARM64' = 'https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2023/01/windows10.0-kb5022282-arm64_9ccaddc4356ab1db614881e08635bd8959ff97f3.msu'
    }
    # KB5021233 - December 2022
    5021233 = @{
        'x86'   = 'https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2022/12/windows10.0-kb5021233-x86_e21531f654715af20b2aa329d6786080bd798963.msu'
        'x64'   = 'https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2022/12/windows10.0-kb5021233-x64_00bbf75a829a2cb4f37e4a2b876ea9503acfaf4d.msu'
        'ARM64' = 'https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2022/12/windows10.0-kb5021233-arm64_4bac0de318c939e54fa6a9f537e892272446ae09.msu'
    }
}
# Servicing Stack Update (KB5013942, May 2022) for the Windows 10 builds, per architecture.
$ArchtoSSUMap = @{
    'x86'   = 'https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2022/05/ssu-19041.1704-x86_3cec66c3891a613e6656f141547e573f9d700d35.msu'
    'x64'   = 'https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2022/05/ssu-19041.1704-x64_70e350118b85fdae082ab7fde8165a947341ba1a.msu'
    'ARM64' = 'https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2022/05/ssu-19041.1704-arm64_dac34c98382f951bd654fe3affe0b3e7100b3745.msu'
}
$SSUKB = '5013942'
$WinOSBuild = [System.Environment]::OSVersion.Version.Build
# Only x86 and x64 are detected. An ARM64 host reports as a 64-bit OS and would be given the x64 package.
$WinOSArch = if ([System.Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
if (-not (Test-Path -Path $PatchFolder)) {
    New-Item -Path $PatchFolder -ItemType Directory | Out-Null
}
if (-not $All) {
    try {
        # Windows 10 builds (19042 to 19045) also get the SSU. The '1_' prefix makes it sort before the CU,
        # so anything that applies the folder contents in name order installs the SSU first.
        if ($WinOSBuild -lt 22000 -and $WinOSBuild -ge 19042) {
            if ($ArchtoSSUMap.ContainsKey($WinOSArch)) {
                $DownloadUrl = $ArchtoSSUMap[$WinOSArch]
                $FileName = ([URI]$DownloadUrl).Segments[-1]
                $TargetPath = Join-Path -Path $PatchFolder -ChildPath ("1_$FileName")
                if (-not (Test-Path -Path $TargetPath)) {
                    Write-Verbose "Downloading $FileName"
                    # -UseBasicParsing avoids the Internet Explorer engine dependency in Windows PowerShell 5.1,
                    # which bites when the script runs as SYSTEM from an RMM agent. PowerShell 7 ignores it.
                    Invoke-WebRequest -Uri $DownloadUrl -OutFile $TargetPath -UseBasicParsing
                }
            }
        }
        if (-not $BuildtoKBMap.ContainsKey($WinOSBuild)) {
            Write-Error "Unsupported Windows version $WinOSBuild"
            exit 1
        } else {
            $KB = $BuildtoKBMap[$WinOSBuild]
            if (-not $KBtoMSUMap.ContainsKey($KB)) {
                Write-Error "Did not find patches for KB $KB"
                exit 1
            } else {
                $DownloadUrl = $KBtoMSUMap[$KB][$WinOSArch]
                $FileName = ([URI]$DownloadUrl).Segments[-1]
                $TargetPath = Join-Path -Path $PatchFolder -ChildPath $FileName
                if (-not (Test-Path -Path $TargetPath)) {
                    Write-Verbose "Downloading $FileName"
                    Invoke-WebRequest -Uri $DownloadUrl -OutFile $TargetPath -UseBasicParsing
                }
            }
        }
    } catch [System.Net.WebException] {
        Write-Error "Failed to download one or more MSU files for $WinOSBuild $WinOSArch"
        Write-Error $_.Exception.Message
        exit 1
    } catch [System.IO.IOException] {
        Write-Error "Could not write to $PatchFolder"
        Write-Error $_.Exception.Message
        exit 1
    } catch {
        # PowerShell 7 raises HttpResponseException rather than WebException for HTTP failures.
        Write-Error "Unexpected error downloading MSU files for $WinOSBuild $WinOSArch"
        Write-Error $_.Exception.Message
        exit 1
    }
} else {
    try {
        # SSUs go under <PatchFolder>\<SSU KB>\<architecture>\
        $SSUSubFolder = Join-Path -Path $PatchFolder -ChildPath $SSUKB
        Write-Warning "Downloading SSU MSU files to: $SSUSubFolder."
        if (-not (Test-Path -Path $SSUSubFolder)) {
            New-Item -Path $SSUSubFolder -ItemType Directory | Out-Null
        }
        $ArchtoSSUMap.GetEnumerator() | ForEach-Object {
            $ArchSubFolder = Join-Path -Path $SSUSubFolder -ChildPath $_.Name
            if (-not (Test-Path -Path $ArchSubFolder)) {
                New-Item -Path $ArchSubFolder -ItemType Directory | Out-Null
            }
            $DownloadUrl = $_.Value
            $FileName = ([URI]$DownloadUrl).Segments[-1]
            $TargetPath = Join-Path -Path $ArchSubFolder -ChildPath $FileName
            if (-not (Test-Path -Path $TargetPath)) {
                Write-Verbose "Downloading $FileName"
                Invoke-WebRequest -Uri $DownloadUrl -OutFile $TargetPath -UseBasicParsing
            } else {
                Write-Verbose "Skipping $FileName as it already exists"
            }
        }
        # CUs go under <PatchFolder>\<KB>\<architecture>\
        $KBtoMSUMap.GetEnumerator() | ForEach-Object {
            $PatchSubFolder = Join-Path -Path $PatchFolder -ChildPath $_.Name
            Write-Warning "Downloading Patch MSU files to: $PatchSubFolder."
            if (-not (Test-Path -Path $PatchSubFolder)) {
                New-Item -Path $PatchSubFolder -ItemType Directory | Out-Null
            }
            foreach ($Arch in $_.Value.GetEnumerator()) {
                $ArchSubFolder = Join-Path -Path $PatchSubFolder -ChildPath $Arch.Name
                if (-not (Test-Path -Path $ArchSubFolder)) {
                    New-Item -Path $ArchSubFolder -ItemType Directory | Out-Null
                }
                $DownloadUrl = $Arch.Value
                $FileName = ([URI]$DownloadUrl).Segments[-1]
                $TargetPath = Join-Path -Path $ArchSubFolder -ChildPath $FileName
                if (-not (Test-Path -Path $TargetPath)) {
                    Write-Verbose "Downloading $FileName"
                    Invoke-WebRequest -Uri $DownloadUrl -OutFile $TargetPath -UseBasicParsing
                } else {
                    Write-Verbose "Skipping $FileName as it already exists"
                }
            }
        }
    } catch [System.Net.WebException] {
        Write-Error "Failed to download one or more MSU files"
        Write-Error $_.Exception.Message
        exit 1
    } catch [System.IO.IOException] {
        Write-Error "Could not write to $PatchFolder"
        Write-Error $_.Exception.Message
        exit 1
    } catch {
        # PowerShell 7 raises HttpResponseException rather than WebException for HTTP failures.
        Write-Error "Unexpected error downloading MSU files"
        Write-Error $_.Exception.Message
        exit 1
    }
}
$ProgressPreference = $OriginalProgressPreference
Change Logs

Version: 1.3

Use $ProgressPreference to speed up execution. Thanks to https://github.com/CodyRWhite for the suggestion.

Version: 1.2

Fix a bug on line 82 where a hashtable of architectures was attempted to be accessed using the Windows build number. Thanks to Sir Loin of House WinAdmins for spotting this. (Yes, it's a Game of Thrones reference. So original.)

Version: 1.1

Adds handling for 19044.

Version: 1.0

Initial release.

Examples

This example will download the applicable patch and SSU (if applicable) for CVE-2022-41099 to the folder C:\RMM\CVEs\2022-41099.

Get-CVE202241099Patches.ps1 -PatchFolder 'C:\RMM\CVEs\2022-41099\'

This example will download all patches for CVE-2022-41099 to the folder C:\RMM\CVEs\2022-41099, with subfolders for each KB and architecture.

Get-CVE202241099Patches.ps1 -PatchFolder 'C:\RMM\CVEs\2022-41099\' -All
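Whatever applies these files to WinRE is running them with full trust, so the staged MSUs should be verified before that step. The following is an added example and is not part of the download script above or of Martin's patching script. It relies on two properties of Microsoft Update Catalog packages: the filename ends in the SHA-1 hash of the file contents (visible in every URL in the script), and each MSU carries an Authenticode signature from Microsoft. The folder path is the script's default; Test-CatalogMsu and the fail-closed clean-up at the end are my own and are assumptions about how you would wire this into a patching run.

```powershell
# Added example, not part of Get-CVE202241099Patches.ps1: verify staged MSU files against the
# SHA-1 embedded in their catalog filename and check their Authenticode signature.
function Test-CatalogMsu {
    [CmdletBinding()]
    param (
        # Folder to scan. Subfolders created by -All are included.
        [Parameter(Mandatory)][string]$PatchFolder
    )
    Get-ChildItem -Path $PatchFolder -Filter '*.msu' -Recurse -File | ForEach-Object {
        $file = $_
        # Catalog filenames end in _<sha1>.msu; the '1_' prefix the script adds to the SSU does not affect this.
        $expected = if ($file.Name -match '_([0-9a-fA-F]{40})\.msu$') { $Matches[1].ToLower() } else { $null }
        $actual = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash.ToLower()
        $hashOk = ($null -ne $expected) -and ($expected -eq $actual)
        # The package must carry a valid Authenticode signature whose signer is Microsoft.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $sigOk = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
        [PSCustomObject]@{
            File      = $file.FullName
            HashMatch = $hashOk
            Signature = $sig.Status
            Signer    = $signer
            Trusted   = ($hashOk -and $sigOk)
        }
    }
}

# Fail closed: anything that does not verify is removed so a later patching step cannot pick it up.
# 'C:\RMM\CVEs\2022-41099\' is the download script's default folder (assumed here).
$results = Test-CatalogMsu -PatchFolder 'C:\RMM\CVEs\2022-41099\'
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Remove-Item -Path $_.File -Force }
    Write-Error "Removed $($bad.Count) MSU file(s) that failed verification; re-run the download script."
    exit 1
}
```

The hash check catches truncated or corrupted downloads and a file that was swapped on the staging share; the signature check catches a file that was renamed to carry the right hash suffix but is not a Microsoft package. Running both is cheap next to the download itself.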

Collaboration with Martin Himken

As mentioned at the top of this post, the WinRE patching script that consumes these files is on Martin's blog at https://manima.de; both scripts came out of our collaboration on patching CVE-2022-41099.