Just an addendum and a reminder to January 2023 Patchday for Windows. There is a vulnerability (CVE-2022-41099) in the WinRE environment of Windows 10 that allows Bitlocker encryption bypass. To fix it, the clients' WinRE environment must be manually updated. The issue, which has been known since November 2022, was addressed again by Microsoft in January 2023.
Readers' comments on WinRE
This issue has been on my radar for a few days, but I haven't gotten around to addressing it on the blog yet. It also seems to have come to the attention of only a few people so far. Blog reader Martin had left the following comment under the Windows 10 post on the January 2023 patchday:
Hi all, how do you handle the WinRE update, which must be applied manually?
Important: For Windows Recovery Environment (WinRE) devices, see the Special instructions for Windows Recovery Environment (WinRE) devices in the How to get this update section to address security vulnerabilities in CVE-2022-41099.
Microsoft briefly touched on the topic in security update KB5022282 with the above text (see also the following screenshot). I missed that somehow, but some German blog readers addressed it in comments.
Austrian blog reader Markus K. has also asked twice whether I could address it on the blog, because he considers the topic a real stumbling block:
I'm curious how much joy it brings that you are allowed to patch the WinRE via a self-made script or similar on every computer, because Microsoft doesn't do that (CVE-2022-41099).
And in another post he said:
Dear Günter,
unfortunately still nothing about this in your blog, I was probably too "tight".
Everyone is affected who does not patch their WinRE, or better, disable it!
Even booting from an unpatched WinRE device; yes, some set no BIOS PW, or are just not managed, i.e. private.
I think it's just bad that Bitlocker can be bypassed like that!
Please perhaps still take a look at the topic, it will pay off!
So today I decided to take a quick look at this topic as a reminder.
Bitlocker Bypassing Vulnerability CVE-2022-41099
Bitlocker bypassing vulnerability CVE-2022-41099 was probably first patched by Microsoft on November 8, 2022 – but on January 10, 2023, they updated the article to point out the issue in the support posts of Windows 10 updates. The following should be highlighted about the vulnerability:
- In all affected Windows 10 systems, a successful attacker can bypass the BitLocker Device Encryption feature on the system storage device.
- However, the attacker needs physical access to the target device to exploit the vulnerability to gain access to encrypted data.
Because of the required physical access to the target device, the vulnerability has received a CVSSv3.1 index of 4.6 / 4.0. According to CVE-2022-41099, all Windows 10 versions are affected.
Special patching is required
Administrators could disable Win RE on the machines. Alternatively, administrators and users need to apply the appropriate Windows security update either manually or by script to their Windows Recovery Environment (WinRE). The steps required to do this are described in the support article Add an update package to Windows RE.
I suspect that on unmanaged systems of consumers and small companies the skills to do this will not be there. And in the administrative environment of companies, etc., this is likely to require quite a bit of effort. Is this topic on your radar? Or has it long since been shelved? You can leave a comment below.
Microsoft uses WinRE and WinPE in Windows. WinPE (Preinstall Environment, install.wim) is used during installation, and WinRE (Windows Recovery Environment, Winre.wim) is used when booting into the recovery environment. So when installing a new Windows 10 image, check whether the WinRE it contains is on the November 2022 patch level or later. Currently I have no information whether Microsoft already provides an updated image as a media refresh variant.
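As an added illustration (my own helper, not Microsoft's or the blog's script) of the manual WinRE servicing the support article describes: disable WinRE so winre.wim lands in a serviceable location, mount it, apply the update package, save, re-enable, and record the image version before and after so an inventory can tell patched clients from unpatched ones. The package path, the mount folder and the output object are assumptions of this example; the DISM cmdlets and reagentc switches are the documented ones.

```powershell
#Requires -RunAsAdministrator
# Hypothetical helper, not Microsoft's script: service this machine's winre.wim with
# a downloaded update package and report the image version before and after.
# Assumptions: $PackagePath is an update (.cab or .msu) from the Microsoft Update
# Catalog that matches the installed Windows 10 build; $MountDir is an empty folder.
param(
    [Parameter(Mandatory)] [string] $PackagePath,
    [string] $MountDir = 'C:\WinRE-Mount'
)
$ErrorActionPreference = 'Stop'
$wim = 'C:\Windows\System32\Recovery\winre.wim'

reagentc /info                      # log the current WinRE state for the change record

# Disabling WinRE places winre.wim at $wim, where it can be serviced offline.
# Stop if the image is not where we expect it.
reagentc /disable | Out-Null
if (-not (Test-Path $wim)) { throw "winre.wim not found at $wim after 'reagentc /disable'" }

$before = (Get-WindowsImage -ImagePath $wim -Index 1).Version
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
try {
    Mount-WindowsImage -ImagePath $wim -Index 1 -Path $MountDir | Out-Null
    # Inject the update into the mounted recovery image and commit the change.
    Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath | Out-Null
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    $after = (Get-WindowsImage -ImagePath $wim -Index 1).Version
}
catch {
    # Never leave a half-serviced image behind: discard the mount, then re-raise.
    Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
    throw
}
finally {
    # Re-enable WinRE in every case so the machine keeps a working recovery environment.
    reagentc /enable | Out-Null
}

# Constructed output record for a patch inventory; "Updated" flips when the
# image version changed, which is the check an admin wants per client.
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    WinREBefore = $before
    WinREAfter  = $after
    Updated     = ($before -ne $after)
}
```

Run it once per client after the November 2022 or later cumulative update is installed; a client whose `Updated` field stays `False` still boots the old, bypassable WinRE.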
Similar articles:
Microsoft Office Updates (January 3, 2022)
Microsoft Security Update Summary (January 10, 2023)
Patchday: Windows 10 Updates (January 10, 2023)
Patchday: Windows 11/Server 2022 Updates (January 10, 2023)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (January 10, 2023)
Patchday: Microsoft Office Updates (January 10, 2023)
Exchange Server Security Updates (January 10, 2023)
Microsoft Exchange January 2023 patchday issues
Windows: November 2022 updates cause ODBC connection problems with SQL databases
Windows: Microsoft Workaround for ODBC SQL connection issues (Jan. 5, 2023)
Windows January 2023 patchday issues
Susan Bradley's newsletter today over on AskWoody shared a link to this script on Github:
https://github.com/halsey51013/UpdateWindowsRE-CVE-2022-41099
Haven't tried it and am reluctant to spend a lot of time on it. Maybe for encrypted laptops where physical access (theft/loss) is more likely…
Thanks for the link – I received the newsletter – but don't read it – it's no longer the old thing from Woody Leonhard – I miss the time when I was frequently in contact with him (although Susan does a good job on patchmanagement.org).
Crazy and unacceptable how Microsoft expects everyone to figure out a complex update procedure like this for themselves.
I'm having a hard time finding details about the exploit as well so it's hard to assess the risk for our environment.