{"id":28451,"date":"2023-01-19T18:19:39","date_gmt":"2023-01-19T17:19:39","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=28451"},"modified":"2023-01-20T00:40:57","modified_gmt":"2023-01-19T23:40:57","slug":"windows-10-be-aware-of-winre-winre-patch-to-fix-bitlocker-bypass-vulnerability-cve-2022-41099","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/01\/19\/windows-10-be-aware-of-winre-winre-patch-to-fix-bitlocker-bypass-vulnerability-cve-2022-41099\/","title":{"rendered":"Windows 10: Be aware of WinRE WinRE patch to fix Bitlocker bypass vulnerability CVE-2022-41099"},"content":{"rendered":"

\"Update\"[German<\/a>]Just an addendum and a reminder to January 2023 Patchday for Windows. There is a vulnerability (CVE-2022-41099) in the WinRE environment of Windows 10 that allows Bitlocker encryption bypass. To fix it, the clients' Win RE environment must be manually updated. The issue, which has been known since November 2022, was addressed again by Microsoft in January 2023.<\/p>\n

<\/p>\n

Readers' comments on WinRE<\/h2>\n

\"\"This issue has been on my radar for a few days, but haven't gotten around to addressing it on the blog yet. It also seems to have come to the attention of only a few people so far, blog reader Martin had left the following comment<\/a> under the Windows 10 post on the January 2023 patchday.<\/p>\n

Hi all, how do you handle the WinRE update, which must be applied manually?<\/p>\n

Important: For Windows Recovery Environment (WinRE) devices, see the Special instructions for Windows Recovery Environment (WinRE) devices in the How to get this update section to address security vulnerabilities in CVE-2022-41099.<\/p><\/blockquote>\n

Microsoft briefly touched on the topic in security update KB5022282<\/a> with the above text (see also the following screenshot). I missed that somehow, but some German blog reader addressed it in comments.<\/p>\n

\"Windows<\/p>\n

Also Austrian blog reader Markus K. has asked twice, whether I could address it within the blog, because he considers the topic justified for a stumbling block.<\/p>\n

I'm curious how much joy the fact that you are allowed to patch the WinRE via self-made script or similar on every computer, because Microsoft doesn't do that (CVE-2022-41099).<\/p><\/blockquote>\n

And in another post he said<\/p>\n

Dear G\u00fcnter,<\/p>\n

unfortunately still nothing about this in your blog, I was probably too \"tight\".<\/p>\n

All are affected who do not patch their WinRE, or better disable it!<\/p>\n

Even boot from an unpatched WinRE device, yes some set no BIOS PW , or are just not managed, ie private.<\/p>\n

I think it's just bad that Bitlocker can be so levered out!<\/p>\n

Please perhaps still take a look at the topic, it will pay off!<\/p><\/blockquote>\n

So today I decided to take a quick look at this topic as a reminder.<\/p>\n

Bitlocker Bypassing Vulnerability CVE-2022-41099<\/h2>\n

Bitlocker bypassing vulnerability CVE-2022-41099<\/a> was probably first patched by Microsoft on November 8, 2022 – but on January 10, 2023, they updated the article to point out the issue in the support posts of Windows 10 updates. The following should be highlighted about the vulnerability:<\/p>\n