Collaboration with Martin Himken
This post and the WinRE patching script on Martin's blog at https://manima.de are the result of a collaboration between Martin and me to improve both of our efforts towards patching CVE-2022-41099.
This article relates to CVE-2022-41099, a vulnerability in the Windows Recovery Environment (WinRE) that could allow an attacker to bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.
If you're running Windows 10 or 11 you might have come across CVE-2022-41099, a vulnerability in the Windows Recovery Environment (WinRE) that could allow an attacker to bypass BitLocker if they can boot the device into WinRE. This is a pretty serious vulnerability and Microsoft have released a patch for it. However, the patch is not applied automatically: you need to take action to apply it.
Martin Himken has written a script to patch the WinRE drivers and I've written a script to download and stage the patch and servicing stack update files. The link to Martin's blog is at the top of this post and will be repeated at the end.
This script takes a few parameters to control its behaviour. Parameter documentation follows:

| Parameter | Type | Description |
|---|---|---|
| PatchFolder | DirectoryInfo | The folder to download the patch files to. If not specified, C:\RMM\CVEs\2022-41099\ will be used. |
| All | Switch | If specified, the script will download the patch files for all supported versions and available architectures of Windows 10 and 11. If not specified, the script will only download the patch files for the version of Windows that is running on the device. |

Using the -All parameter will download a lot of files and take a long time to complete. It is recommended that you only use this parameter if you are patching a large number of devices or want to prepare a cache to serve files from.
Downloading all files consumes roughly 4.9GB of disk space.
The Script
This new version of the script downloads the Safe OS Dynamic Update (SODU) files - these are tiny and designed only to patch the vulnerable components.
Safe OS Dynamic Update (SODU) version.
This script was updated after being published, if you're using it please compare the version you have with the version available here.
This script was last updated on 2023/03/22.
Version: 1.5
Fixes incorrectly switched URLs for 19042 to 19045 for the x86 and x64 downloads. Thanks to Wisecompany for helping find this.
Version: 1.4
Update to use the Safe OS Dynamic Update packages which are considerably smaller.
Version: 1.3
Use $ProgressPreference to speed up execution. Thanks to https://github.com/CodyRWhite for the suggestion.
Version: 1.2
Fix a bug on line 82 where a hashtable of architectures was accessed using the Windows build number. Thanks to Sir Loin of House WinAdmins for spotting this. (Yes, it's a Game of Thrones reference. So original.)
Version: 1.1
Adds handling for 19044.
Version: 1.0
Initial release.
This version of the script downloads the SSU and Dynamic Cumulative Update files - these are large and designed to update WinRE completely, not just patch the vulnerability.
Servicing Stack Update (SSU) and Dynamic Cumulative Update (DCU) version.
This script downloads the SSU and Dynamic Cumulative Update files - these are large and designed to update WinRE completely, not just patch the vulnerability. This will require a lot of space both to download them (especially if using -All) and to apply them to WinRE.
This script was updated after being published, if you're using it please compare the version you have with the version available here.
This script was last updated on 2023/03/22.
Version: 1.4
Empty the patch folder if it's not empty. Thanks to Wisecompany for the suggestion.
Version: 1.3
Use $ProgressPreference to speed up execution. Thanks to https://github.com/CodyRWhite for the suggestion.
Version: 1.2
Fix a bug on line 82 where a hashtable of architectures was accessed using the Windows build number. Thanks to Sir Loin of House WinAdmins for spotting this. (Yes, it's a Game of Thrones reference. So original.)
Version: 1.1
Adds handling for 19044.
Version: 1.0
Initial release.
Examples
This example will download the applicable patch and SSU (if applicable) for CVE-2022-41099 to the folder C:\RMM\CVEs\2022-41099.

```powershell
Get-CVE202241099Patches.ps1 -PatchFolder 'C:\RMM\CVEs\2022-41099\'
```

This example will download all patches for CVE-2022-41099 to the folder C:\RMM\CVEs\2022-41099, with subfolders for each KB and architecture.

```powershell
Get-CVE202241099Patches.ps1 -PatchFolder 'C:\RMM\CVEs\2022-41099\' -All
```
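The following is an added illustration of the staging logic the parameter table and the 1.2 changelog entry describe, not the post's own script: it selects the Safe OS Dynamic Update for the running build and architecture (or every catalogued pair with -All), keeps the build and architecture lookups separate, disables the progress bar, empties the patch folder, and stages each file under a KB\architecture subfolder. The KB numbers and URLs in the catalogue are placeholders, and the catalogue itself is an assumption; real values come from the Microsoft Update Catalog.

```powershell
# Added example, not the post's own script: stage the Safe OS Dynamic Update for
# the running build and architecture, or for every catalogued pair with -All.
# KB numbers and URLs are placeholders; take real values from the Update Catalog.
[CmdletBinding()]
param(
    [System.IO.DirectoryInfo]$PatchFolder = 'C:\RMM\CVEs\2022-41099\',
    [switch]$All
)
# Rendering the progress bar makes Invoke-WebRequest markedly slower; disable it.
$ProgressPreference = 'SilentlyContinue'

# Outer key is the OS build number, inner key the architecture. The bug fixed in
# 1.2 came from indexing the architecture table with the build number, so the
# lookup below always goes build first, then architecture.
$Catalog = @{
    '19044' = @{
        'x64' = @{ KB = 'KBPLACEHOLDER'; Url = 'https://example.invalid/sodu-19044-x64.cab' }
        'x86' = @{ KB = 'KBPLACEHOLDER'; Url = 'https://example.invalid/sodu-19044-x86.cab' }
    }
    '19045' = @{
        'x64' = @{ KB = 'KBPLACEHOLDER'; Url = 'https://example.invalid/sodu-19045-x64.cab' }
    }
}

function Get-TargetPackages {
    # Yields one object per (build, architecture) pair that must be downloaded.
    $build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $arch  = @{ AMD64 = 'x64'; x86 = 'x86'; ARM64 = 'arm64' }[$env:PROCESSOR_ARCHITECTURE]  # native host
    $pairs = if ($All) {
        foreach ($b in $Catalog.Keys) { foreach ($a in $Catalog[$b].Keys) { , @($b, $a) } }
    } else { , @($build, $arch) }
    foreach ($p in $pairs) {
        $byArch = $Catalog[$p[0]]
        $entry  = if ($byArch -and $p[1]) { $byArch[$p[1]] }
        if (-not $entry) { throw "No package catalogued for build $($p[0]) $($p[1])" }
        [pscustomobject]@{ Build = $p[0]; Arch = $p[1]; KB = $entry.KB; Url = $entry.Url }
    }
}

# Empty an existing patch folder so files from an earlier run are never staged by mistake.
if (Test-Path $PatchFolder) { Remove-Item -Path (Join-Path $PatchFolder '*') -Recurse -Force }
$null = New-Item -ItemType Directory -Path $PatchFolder -Force

foreach ($pkg in Get-TargetPackages) {
    # One subfolder per KB and architecture, the layout the post describes for -All.
    $dest = Join-Path $PatchFolder (Join-Path $pkg.KB $pkg.Arch)
    $null = New-Item -ItemType Directory -Path $dest -Force
    $file = Join-Path $dest ([uri]$pkg.Url).Segments[-1]
    Invoke-WebRequest -Uri $pkg.Url -OutFile $file -UseBasicParsing
}
```

Because the build is read from the registry as a string, the catalogue keys must also be strings, otherwise the lookup silently returns nothing and the script throws for a build it actually supports.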
Validating the Fix
By popular request, you can validate the fix using the principles in the script used for CVE detection.
Collaboration with Martin Himken
This post and the WinRE patching script on Martin's blog at https://manima.de are the result of a collaboration between Martin and me to improve both of our efforts towards patching CVE-2022-41099.