Skip to main content

2 posts tagged with "Vulnerability"

View All Tags

· 3 min read

Collaboration with Martin Himken

This post and the WinRE patching script on Martin's blog at https://manima.de are the result of a collaboration between Martin and I to help mutually improve our various efforts towards patching CVE-2022-41099.

security

This article relates to CVE-2022-41099 which is a vulnerability in the Windows Recovery Environment (WinRE) which could allow a successful attacker to bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

If you're running Windows 10 or 11 you might have come across CVE-2022-41099 which is a vulnerability in the Windows Recovery Environment (WinRE) which could allow a successful attacker to bypass BitLocker if they can boot the device to WinRE. This is a pretty serious vulnerability and Microsoft have released a patch for it. However, the patch is not applied automatically and you need to take action to apply it.

Martin Himken has written a script to patch the WinRE drivers and I've written a script to download and stage the patch and servicing stack update files. The link to Martin's blog is at the top of this post and will be repeated at the end.

· 2 min read

This post will hold detection scripts for any serious CVE vulnerability that we write detection scripts for in the future. It will be updated and added to as new vulnerability detection scripts are written.

CVE-2022-41099

security

This article relates to CVE-2022-41099 which is a vulnerability in the Windows Recovery Environment (WinRE) which could allow a successful attacker to bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

Fixed a Bug

Thanks to DTGBilly from the NinjaOne Users Discord for pointing out that in altogether far too many places I had typo'd the CVE as CVE-4022-41099 instead of CVE-2022-41099 🤦‍♂️ this included field names and labels so please check yours are correct as now shown in the post.

Creating Fields

Creating custom fields in NinjaOne

To create a custom field at the device level in NinjaOne go to Administration > Devices and select either Role Custom Fields or Global Custom Fields then select Add.

  • Role Custom Fields are custom fields that are specific to a device role.
  • Global Custom Fields are custom fields that are applicable to all devices.

Make sure you add the fields to the roles you want to use them in at Administration > Devices > Roles.

To create a custom field at the organisation level in NinjaOne go to Administration > Apps > Documentation, enable the Documentation feature if you haven't already. If you have then select Add.

We're adding one role custom field for devices with the Windows Desktop or Laptop role, note that we've customised slightly the autogenerated machine name here, if you use the default adjust the field name in the script appropriately.

Field LabelField NameField TypeDescription
CVE-2022-41099CVE202241099CheckboxWhether the device has a WinRE image vulnerable to CVE-2022-41099

The Script

This Script Was Updated

This script was updated after being published, if you're using it please compare the version you have with the version available here.

This script was last updated on 2023/01/17.

$WinREImagePath = (reagentc /info | findstr '\\?\GLOBALROOT\device').Replace('Windows RE location: ', '').Trim() + '\winre.wim'
$WinREBuild = (Get-WindowsImage -ImagePath $WinREImagePath -Index 1).SPBuild
# $WinREModified = (Get-WindowsImage -ImagePath $WinREImagePath -Index 1).ModifiedTime
$WinOSBuild = [System.Environment]::OSVersion.Version.Build

if (($WinOSBuild -in @(22623, 22621)) -and ($WinREBuild -lt 1105)) {
$Vulnerable = $true
} elseif (($WinOSBuild -eq 22000) -and ($WinREBuild -lt 1455)) {
$Vulnerable = $true
} elseif (($WinOSBuild -in @(19045, 19044, 19042)) -and ($WinREBuild -lt 2486)) {
$Vulnerable = $true
} elseif (($WinOSBuild -eq 19043) -and ($WinREBuild -lt 2364)) {
$Vulnerable = $true
}
if ($Vulnerable) {
Write-Warning 'Vulnerable to CVE-2022-41099'
Ninja-Property-Set CVE202241099 1
} else {
Write-Warning 'Not vulnerable to CVE-2022-41099'
Ninja-Property-Set CVE202241099 0
}

The Results

CVE-2022-41099 Related Custom Fields

We run this script daily and have a corresponding monitor setup to check CVE fields with a value of "Yes" and alert us if any are found. You'll find information on remediating this vulnerability in this followup post.