Windows 10: Update on WinRE patch (fix for Bitlocker bypass vulnerability CVE-2022-41099)

Update[German]One more addendum to the blog post Windows 10: Be aware of WinRE WinRE patch to fix Bitlocker bypass vulnerability CVE-2022-41099. To close the vulnerability (CVE-2022-41099), which allows bypassing Bitlocker encryption in Windows, the clients' Win RE environment (Windows 10) must be updated manually. However, there are issues in doing so, as a blog reader told me. I also came across a script that is supposed to automate the patching of the WinRE environment.


Advertising

What is it about?

I had already addressed it in the blog post Windows 10: Be aware of WinRE WinRE patch to fix Bitlocker bypass vulnerability CVE-2022-41099. It has been known since November 2022 that there is a Bitlocker bypass vulnerability CVE-2022-41099 in the Windows Recovery Environment (WinRE). Microsoft had addressed the issue again in January 2023 in security update KB5022282 with the following text.

Important: For Windows Recovery Environment (WinRE) devices, see the Special instructions for Windows Recovery Environment (WinRE) devices in the How to get this update section to address security vulnerabilities in CVE-2022-41099.

The update in question has to be installed manually – which might be too much for many users. On the other hand, readers report problems with the update.

Readers' comments

Austrian blog reader Markus K. contacted me again by mail, and pointed out that Microsoft has updated its FAQ at BitLocker Security Feature Bypass Vulnerability CVE-2022-41099. The following important addition has been added.

Are there additional steps that I need to take to be protected from this vulnerability?

Yes. You must apply the applicable Windows security update to your Windows Recovery Environment (WinRE). For more information about how to apply the WinRE update, see Add an update package to Windows RE.

IMPORTANT: End users and enterprises who are updating Windows devices which are already deployed in their environment can instead use the latest Windows Safe OS Dynamic Updates to update WinRE when the partition is too small to install the full Windows update. You can download the latest Windows Safe OS Dynamic Update from the Microsoft Update Catalog.

In the supplement marked as important, Microsoft writes that a dynamic update is available for download in the Microsoft Update Catalog. In principle, this only needs to be downloaded and should then be able to be installed. Markus K. noted the following in his last mails:

I've added the product to WSUS, synced, deleted everything that is not needed and approved the rest.

Now I have a Windows 10 21H2 with unpatched WinRE and KB5021043 is reported as "not applicable" to WSUS.

I'm going to say that the whole thing doesn't work that well, unless I did something wrong.

In a supplementary mail Markus K. wrote then still:


Advertising

I still tried to install KB5021043 into a mounted WinRE image yesterday, which supposedly worked. Only little has changed:

Version : 10.0.19041
ServicePack Build : 1
ServicePack Level : 0

Either the Safe OS Dynamic updates don't really work, or I'm doing something wrong. Would be interesting for me if someone has success with this (ideally Windows 10 21H2 so that the comparison also fits).

I'll pass this question on to the readership. Maybe someone has more success. German blog reader MOM20xx pointed out the following hint from Microsoft:

Note: The WinRE version number will only change after you add an LCU. If you add a DU package, use DISM /get-packages as described in the steps above to ensure that the package has been added to the image.

So you need to use DISM to verify, that the patch has been applied.

Some update scripts

Mark Berry left this commentand points out that Susan Bradley AskWoody newsletter from in January 2023 points to the GitHub page Update Windows RE – CVE-2022-4109 by Brandon Halsey. He has published a script to install it and writes:

Update Windows RE – CVE-2022-41099

Script to update Windows Recovery Environment to patch against CVE-2022-41099. The script pulls the January CU for each build, mounts WinRE, updates it, saves WinRE, then verifies the build number matches what the January CU is. Win10-21H1's last CU was Dec 2022 so that version pulls the Dec 22 CU

Supported OS and Builds: Windows 11 (22H2 & 21H2) & Windows 10 (22H2, 21H2, 21H1, & 20H2). Unsure if LTSC will work.

Built with help from comments of reddit users /u/shiz0_ and /u/DrunkMAdmin and u/JoseEspitia_com

No warranty implied. Do your own testing prior to running.

Maybe the script will help people who have problems. Note, however, that the use is at your own risk and the whole thing should be tested beforehand.

And German reader Martin Himken has commented on my German blog and wrote:

Good morning,

I might have something suitable:

WinRE-Customization

In his tweet, Martin refers to his post Modify WinRE (Patches, Drivers and CVE-2022-41099), where he reveals details about his solution. On GitHub he then published the post WinRE-Customization with further hints. But in the comment above Martin still wrote:

I would like to note, however, that currently according to Microsoft ticket _not_ the CU should be applied. We have tested this with dynamic updates (as recommended by MS), but come to the conclusion that the payload is probably not sufficient. It also does not change the version number. Applying the CU also changes the version number appropriately.

So finally the observation of Markus K. above. Currently I interpret the hints of Markus K. and Martin H. so that the dynamic update probably does not work. But on the other hand, Microsoft advises against applying the cumulative update (CU) with the modified PE. Maybe the hints here in the post will help some administrators to sort things out properly.


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Security, Update, Windows and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *