Just an addendum and a reminder regarding the January 2023 patchday for Windows. There is a vulnerability (CVE-2022-41099) in the Windows Recovery Environment (WinRE) of Windows 10 that allows a BitLocker bypass. To fix it, the WinRE image on each client has to be updated manually, because the regular monthly cumulative update does not service it. The issue, known since November 2022, was addressed again by Microsoft in January 2023.
Readers' comments on WinRE
This issue has been on my radar for a few days, but I haven't gotten around to addressing it on the blog yet. It also seems to have come to the attention of only a few people so far; blog reader Martin left the following comment under the Windows 10 post on the January 2023 patchday:
Hi all, how do you handle the WinRE update, which must be applied manually?
Important: For Windows Recovery Environment (WinRE) devices, see the Special instructions for Windows Recovery Environment (WinRE) devices in the How to get this update section to address security vulnerabilities in CVE-2022-41099.
Microsoft briefly touched on the topic in the support article for security update KB5022282 with the above text (see also the following screenshot). I missed that somehow, but some German blog readers addressed it in comments.
Austrian blog reader Markus K. has also asked twice whether I could address it on the blog, because he considers the topic a real stumbling block:
I'm curious how much joy it brings that you are allowed to patch WinRE via a self-made script or similar on every computer, because Microsoft doesn't do that (CVE-2022-41099).
And in another comment he wrote:
Unfortunately still nothing about this on your blog; I was probably too "brief".
Everyone who doesn't patch their WinRE, or better, disable it, is affected!
Even booting from an unpatched WinRE device: yes, some set no BIOS password, or are just not managed, i.e. private.
I think it's just bad that BitLocker can be bypassed like this!
Please do take a look at the topic, it will pay off!
So today I decided to take a quick look at this topic as a reminder.
BitLocker bypass vulnerability CVE-2022-41099
The BitLocker bypass vulnerability CVE-2022-41099 was first addressed by Microsoft on November 8, 2022 (November patchday), but on January 10, 2023, they revised the advisory and pointed out the issue in the support articles for the Windows 10 updates. The following should be highlighted about the vulnerability:
- On all affected Windows 10 systems, a successful attacker can bypass the BitLocker Device Encryption feature on the system storage device.
- However, the attacker needs physical access to the target device to exploit the vulnerability and gain access to the encrypted data.
Because physical access is required, the vulnerability received a CVSS v3.1 base score of 4.6 (temporal score 4.0). According to the advisory for CVE-2022-41099, all Windows 10 versions are affected.
Special patching is required
Administrators could disable WinRE on the machines (reagentc /disable). Alternatively, administrators and users need to apply the matching Windows security update to the Windows Recovery Environment (WinRE) image on each machine, either manually or by script. The point to understand is that the monthly cumulative update patches the running Windows installation but leaves the Winre.wim on the recovery partition untouched, so an attacker who boots into the unpatched recovery environment still hits the vulnerable code. The steps required to service the image are described in the Microsoft support article Add an update package to Windows RE.
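To make that procedure concrete, here is a PowerShell script that services the active WinRE image on a running Windows 10 machine the way the support article describes: locate and mount Winre.wim with reagentc, inject the cumulative update with DISM, shrink the image, commit, and re-register it. This is an added example for this post, not Microsoft's script and not code from the original article. Its assumptions, none of which come from the page: Windows 10 version 2004 or later (19041-based builds), an elevated session, English reagentc output, the matching LCU .msu already downloaded from the Microsoft Update Catalog (the file name in the usage comment is illustrative), and the value 2251 as the update build revision (UBR) of the November 2022 LCU KB5019959, i.e. the first patch level containing the fix.

```powershell
<#
  Update-WinRE.ps1 -- added example, not Microsoft's own script.
  Usage (illustrative path): .\Update-WinRE.ps1 -LcuPath C:\Patch\windows10.0-kb5022282-x64.msu
  Assumes: elevated PowerShell, Windows 10 2004+ (build 19041.x), English reagentc output,
  and that $LcuPath is the cumulative update for the same Windows 10 version the host runs.
#>
param(
    [Parameter(Mandatory)] [string] $LcuPath,
    [string] $MountDir = 'C:\WinREMount',
    [int]    $MinUbr   = 2251      # assumption: UBR of the November 2022 LCU (KB5019959) for 19041-based builds
)

$ErrorActionPreference = 'Stop'

function Invoke-ReagentC([string[]] $Arguments) {
    # reagentc reports failures via its exit code; capture output for the error message.
    $out = & reagentc.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "reagentc $($Arguments -join ' ') failed: $($out -join ' ')" }
    return $out
}

function Get-WinReUbr([string] $Mount) {
    # The kernel inside the mounted image carries the build and UBR of the LCU it was serviced with.
    $ver = (Get-Item "$Mount\Windows\System32\ntoskrnl.exe").VersionInfo.FileVersion
    if (-not ($ver -match '10\.0\.(\d+)\.(\d+)')) { throw "unexpected kernel version string '$ver'" }
    return [pscustomobject]@{ Build = [int]$Matches[1]; Ubr = [int]$Matches[2] }
}

# 1. WinRE must be enabled; a disabled WinRE is the alternative mitigation and has nothing to patch.
$info = Invoke-ReagentC '/info'
if (-not ($info -match 'Windows RE status:\s*Enabled')) {
    throw "WinRE is not enabled on this machine (reagentc /info):`n$($info -join "`n")"
}

# 2. Mount the active Winre.wim in place; reagentc finds it on the recovery partition for us.
if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
Invoke-ReagentC '/mountre', '/path', $MountDir | Out-Null

try {
    $before = Get-WinReUbr $MountDir
    Write-Host "WinRE kernel before: 10.0.$($before.Build).$($before.Ubr)"

    # The UBR threshold only makes sense for the build it belongs to; older feature versions need their own LCU.
    if ($before.Build -lt 19041) {
        throw "WinRE is build $($before.Build); use that version's LCU and adjust -MinUbr accordingly"
    }
    if ($before.Ubr -ge $MinUbr) {
        Write-Host "WinRE already at or above UBR $MinUbr, nothing to do."
        Invoke-ReagentC '/unmountre', '/path', $MountDir, '/discard' | Out-Null
        return
    }

    # 3. Inject the LCU. For 2004+ the .msu bundles the servicing stack update, so one call suffices.
    Add-WindowsPackage -Path $MountDir -PackagePath $LcuPath | Out-Null

    # 4. Reclaim space: the recovery partition is small, and the commit fails if the image no longer fits.
    & dism.exe /Image:$MountDir /Cleanup-Image /StartComponentCleanup /ResetBase | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DISM cleanup failed with exit code $LASTEXITCODE" }

    $after = Get-WinReUbr $MountDir
    Write-Host "WinRE kernel after:  10.0.$($after.Build).$($after.Ubr)"
    if ($after.Ubr -lt $MinUbr) { throw "LCU did not raise the UBR; wrong package for this Windows build?" }

    # 5. Commit writes the serviced Winre.wim back to the recovery partition and keeps it registered.
    Invoke-ReagentC '/unmountre', '/path', $MountDir, '/commit' | Out-Null
    Write-Host "WinRE updated and re-registered."
}
catch {
    # Never leave a half-serviced image mounted: discard, then re-raise the original error.
    try { Invoke-ReagentC '/unmountre', '/path', $MountDir, '/discard' | Out-Null } catch { }
    throw
}
```

Run it once per machine after the January update has been installed; the before/after kernel version it prints is also the check to run on any machine where you are unsure whether WinRE was ever serviced, since `reagentc /info` alone does not tell you the patch level of the image. The same UBR check can be applied to the Winre.wim that ships inside a mounted install.wim (under \Windows\System32\Recovery) to verify deployment media.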
I suspect that on unmanaged consumer and small-business systems the skills to do this are simply not there. And in corporate environments this is likely to take quite a bit of effort. Is this topic on your radar? Or has it long since been dealt with? You can leave a comment below.
Microsoft uses both WinPE and WinRE in Windows. WinPE (Windows Preinstallation Environment, boot.wim on the install media) is what Setup runs in, while WinRE (Windows Recovery Environment, Winre.wim) is used when booting into the recovery environment; Winre.wim ships inside install.wim under \Windows\System32\Recovery and is copied to the recovery partition during setup. So when deploying a new Windows 10 image, check whether the WinRE it contains is on the November 2022 patch level or later. Currently I have no information whether Microsoft already provides an updated image as a media refresh.
Microsoft Office Updates (January 3, 2022)
Microsoft Security Update Summary (January 10, 2023)
Patchday: Windows 10 Updates (January 10, 2023)
Patchday: Windows 11/Server 2022 Updates (January 10, 2023)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (January 10, 2023)
Patchday: Microsoft Office Updates (January 10, 2023)
Exchange Server Security Updates (January 10, 2023)
Microsoft Exchange January 2023 patchday issues
Windows: November 2022 updates cause ODBC connection problems with SQL databases
Windows: Microsoft Workaround for ODBC SQL connection issues (Jan. 5, 2023)
Windows January 2023 patchday issues