DecryptedTech

Monday08 August 2022

CISA Sends “Patch Now” Notice on MS Vulnerability Patched in January


Reading time is around minutes.

A vulnerability disclosed and patched in January is rearing its ugly head. Identified as CVE-2022-21882, this vulnerability affects Windows 10, 11 and Windows Server. On its own it is a significant threat since is allows for a privilege escalation that can turn into a complete compromise of the targeted device. Not exactly what you want to leave open. The good news is that Microsoft released a patch for it in January.

The bad news is that the patch itself caused problems on Windows server installations. This meant that many organizations either rolled back the patch or pushed its installation out. This is not an unusual thing to happen in a large (and even small) environment. If a patch or updated brings down critical servers or causes unwanted performance impacts to those systems you will either see a delay, roll back, or an outright blocking of the update in question.

In the case of this patch Tuesday, it was reported that installing it could lead to broken Domain Controllers and Hyper-V systems. The list of reported impacts was as impressive as the side effects for a major pharmaceutical. Including LSASS using 100% CPU and then terminating causing a boot loop, the Hyper-V service just failing to start leaving all virtual machines and services offline, ReFS volumes showing as RAW or unformatted after installation. Rolling back the associated KBs fixed the issues so the problems were directly related to the patch.

The patch for CVE-2022-21882 was part of the patch Tuesday release but did not appear one of the KBs that had significant impact. Microsoft also states that they have since released an Out-of-Band fix for the KBs that did cause issue. That did not mean that systems administrators did not chose to skip all or most of the KBs that were patch of that cycle. This was of great interest to attackers who saw an opportunity. They have since targeted the specific vulnerability identified in CVE-2022-21882 and it is being exploited in the wild.

The bug resides in the Win32k.sys driver and allows an authenticated user to gain local system or admin privileges on a target device. This bug is a work around for a previously patched bug in the same driver which now makes us wonder how deep the vulnerability goes in this mechanism. Will this latest patch fix the issue, or is it just going to be a band-aid that can be easily bypassed later? If it is the latter, then we could be looking at a major flaw in Windows 10 and 11 as well as Windows Server 2019 and 2022.

Regardless of what the patch does, the risk level is enough that CISA (the Cybersecurity and Infrastructure Security Agency) has issued a patch now (another one!) notice to all Federal Civilian Executive Branch Agencies. It is on their list of known exploited vulnerabilities as well. So now systems admins at the federal and commercial level will need to cross their fingers that Microsoft has indeed fixed the issues with their January KBs, or specifically target CVE-2022-21882 in their remediation efforts.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.