Another addendum to the June 13, 2023 patchday, on which Microsoft also addressed a vulnerability in the Windows kernel. The vulnerability, CVE-2023-32019, allows information to be read. Redmond has released updates for the affected Windows systems. However, to close the vulnerability, administrators must actively set a registry entry in Windows.
The vulnerability CVE-2023-32019
The vulnerability CVE-2023-32019 was reported to Microsoft by Mateusz Jurczyk of Google Project Zero and affects the Windows kernel. An attacker could exploit this vulnerability to read heap memory from a privileged process running on the server. The attacker does not need admin or other elevated privileges to do this, but must be authenticated.
However, for successful exploitation of this vulnerability, an attacker must coordinate the attack with another privileged process run by another user on the system. As a result, Microsoft rates the vulnerability as "important" but considers the practical exploitability to be low.
Registry entry required for mitigation
As of June 13, 2023, Microsoft has addressed this vulnerability in the updates rolled out for the various versions of Windows, as can be seen on Microsoft's CVE-2023-32019 vulnerability page. The following note can be found in the support articles for these updates:
This update resolves an issue that affects the Windows kernel. This problem is related to CVE-2023-32019. For more information, see KB5028407.
The relevant support article KB5028407 then states that the patch is ineffective because this fix is disabled by default. The text in question reads:
To mitigate the vulnerability associated with CVE-2023-32019, install the June 2023 Windows update or a later Windows update. By default, the fix for this vulnerability is disabled. To enable the fix, you must set a registry key value based on your Windows operating system.
Microsoft then states in the support article that an operating-system-specific 32-bit DWORD value, set to 1, must be created under a registry key to enable the fix. For the following Windows versions, the key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides
while the following 32-bit DWORD values, each set to 1, need to be added under it:
- Windows Server 2022: DWORD value 4137142924 = 1
- Windows 11 22H2: DWORD value 4237806220 = 1
- Windows 11 21H2: DWORD value 4204251788 = 1
- Windows 10 20H2 – 22H2: DWORD value 4103588492 = 1
For Windows 10 version 1607 (I believe this also has to be applied to Server 2016) and Windows 10 version 1809 (and Server 2019), go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager
Add the 32-bit DWORD value LazyRetryOnCommitFailure = 0 to enable the fix. Why Microsoft does not mention Windows Server 2016 and 2019 (both are affected according to the CVE article), and why the fix is not activated via the registry entry during update installation, remains unclear from the KB article.
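The per-version registry settings above can be audited (and, with a switch, applied) on the local machine with a short script. This is an added example, not code from Microsoft or from this article; the build-number-to-version mapping and the `-Apply` switch are assumptions, and builds 14393 and 17763 are treated as covering Server 2016 and Server 2019 as suggested above.

```powershell
# Added example, not Microsoft's or the article's code.
# Registry paths, names and data are the ones listed in the article; the
# build-number mapping is an assumption based on public Windows build numbers.
param([switch]$Apply)   # without -Apply the script only reports

$overrides = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$confMgr   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'

# build number -> registry path, value name, DWORD data that enables the fix
$map = @{
    20348 = @($overrides, '4137142924', 1)             # Windows Server 2022
    22621 = @($overrides, '4237806220', 1)             # Windows 11 22H2
    22000 = @($overrides, '4204251788', 1)             # Windows 11 21H2
    17763 = @($confMgr, 'LazyRetryOnCommitFailure', 0) # Windows 10 1809 (build shared with Server 2019)
    14393 = @($confMgr, 'LazyRetryOnCommitFailure', 0) # Windows 10 1607 (build shared with Server 2016)
}
foreach ($b in 19042..19045) {                         # Windows 10 20H2 - 22H2
    $map[$b] = @($overrides, '4103588492', 1)
}

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
if (-not $map.ContainsKey($build)) {
    Write-Output "Build ${build}: no registry value listed in the article for this version."
    return
}

$path, $name, $want = $map[$build]
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

if ($null -ne $current -and $current -eq $want) {
    Write-Output "Build ${build}: $name = $want is present, fix enabled via registry."
}
elseif ($Apply) {
    # Needs an elevated session; creates the key if it does not exist yet.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $want -Force | Out-Null
    Write-Output "Build ${build}: set $name = $want under $path."
}
else {
    Write-Output "Build ${build}: $name is missing or not $want, fix not enabled via registry."
}
```

Run without arguments the script only reports; `-Apply` writes the value and needs an elevated session. The script checks the registry setting only, not whether the June 2023 update itself is installed.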
from Neowin:
https://www.neowin.net/news/microsoft-makes-potentially-breaking-windows-kernel-patch-default-after-an-earlier-warning/
MS support KB article 5028407 was updated this August to reflect the following:
"IMPORTANT The resolution described in this article has been released enabled by default. To apply the enabled by default resolution, install the Windows update that is dated on or after August 8, 2023. No further user action is required."