Microsoft has released a script to make it easier to patch a BitLocker bypass security vulnerability in the Windows Recovery Environment (WinRE).
This PowerShell script (KB5025175) simplifies the process of securing WinRE images against attempts to exploit the CVE-2022-41099 flaw, which enables attackers to bypass the BitLocker Device Encryption feature on system storage devices.
Successful exploitation allows threat actors with physical access to access encrypted data in low-complexity attacks.
According to Microsoft, the vulnerability cannot be exploited if the user has enabled BitLocker TPM+PIN protection.
"The sample PowerShell script was developed by the Microsoft product team to help automate the updating of WinRE images on Windows 10 and Windows 11 devices," Microsoft says in a support document published on Thursday.
"Run the script with Administrator credentials in PowerShell on the affected devices. There are two scripts available—which script you should use depends on the version of Windows you are running."
The recommended script version is PatchWinREScript_2004plus.ps1 which helps apply the security updates on systems running Windows 10 2004 and later (including Windows 11).
The other PowerShell script (PatchWinREScript_General.ps1) is less robust and should be used on Windows 10 1909 and earlier versions (although it will run on all Windows 10 and Windows 11 systems).

How to use the WinRE patch script
The CVE-2022-41099 patch scripts can be run from a Windows PowerShell and allow admins to specify the path and name of the Safe OS Dynamic update package that should be used to update the WinRE image.
These update packages are OS-version-specific and processor architecture-specific and have to be downloaded from the Microsoft Update Catalog beforehand.
The scripts also allow passing a workDir parameter to select the scratch space to be used during the patching process (if not specified, the script will use the default Windows temp folder).
Once started, the script will go through the following steps:
- Mount the existing WinRE image (WINRE.WIM).
- Update the WinRE image with the specified Safe OS Dynamic Update (Compatibility Update) package available from the Windows Update Catalog (the latest update available for the version of Windows installed on the device is recommended).
- Unmount the WinRE image.
- If the BitLocker TPM protector is present, it reconfigures WinRE for BitLocker service.
After running the script, you will not be required to reboot the system to complete the WinRE image patching process.
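The four steps above as an illustrative PowerShell re-implementation added here; it is not Microsoft's KB5025175 script. It assumes the DISM and BitLocker PowerShell modules shipped with Windows 10/11, a Safe OS Dynamic Update .cab already downloaded from the Update Catalog for this OS version and architecture, and that re-registering WinRE with reagentc is the BitLocker reconfiguration step.

```powershell
#Requires -RunAsAdministrator
# Illustrative re-implementation of the KB5025175 procedure (not Microsoft's
# script). Assumes the DISM and BitLocker modules and a Safe OS Dynamic Update
# .cab downloaded beforehand for this exact OS version and CPU architecture.
param(
    [Parameter(Mandatory)] [string] $PackagePath,           # Safe OS DU .cab
    [string] $WorkDir = (Join-Path $env:TEMP 'WinRE-Patch')  # scratch space
)
$ErrorActionPreference = 'Stop'

# 1. Locate the currently registered WinRE image via reagentc /info.
#    If WinRE is disabled the location field is empty and there is nothing to patch.
$hit = reagentc /info | Select-String -Pattern 'Windows RE location:\s*(\S.*)$'
if (-not $hit) { throw 'WinRE is not enabled on this device; nothing to patch.' }
$winReDir = $hit.Matches[0].Groups[1].Value.Trim()
$winReWim = Join-Path $winReDir 'winre.wim'

# 2. Mount WINRE.WIM, apply the Safe OS Dynamic Update, then commit the image.
$mount = Join-Path $WorkDir 'mount'
New-Item -ItemType Directory -Force -Path $mount | Out-Null
Mount-WindowsImage -ImagePath $winReWim -Index 1 -Path $mount | Out-Null
try {
    Add-WindowsPackage -Path $mount -PackagePath $PackagePath | Out-Null
    # 3. Unmount and save only if the package applied cleanly.
    Dismount-WindowsImage -Path $mount -Save | Out-Null
} catch {
    # Discard the half-applied image rather than saving a broken WinRE.
    Dismount-WindowsImage -Path $mount -Discard | Out-Null
    throw
}

# 4. If the OS volume has a TPM-based protector (Tpm, TpmPin, ...), re-register
#    WinRE so BitLocker's boot configuration reflects the updated image
#    (assumption: this is what "reconfigures WinRE for BitLocker service" means).
$osVol  = Get-BitLockerVolume -MountPoint $env:SystemDrive
$hasTpm = $osVol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
if ($hasTpm) {
    reagentc /disable | Out-Null
    reagentc /enable  | Out-Null
}

# Show the final WinRE state; no reboot is required.
reagentc /info
```

Check the final reagentc /info output for "Windows RE status: Enabled" before considering the device patched.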
Comments
BrechtMo - 2 years ago
Maybe I'm overlooking it but I can't find the link to the actual support article. Here it is:
https://support.microsoft.com/en-us/topic/kb5025175-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2022-41099-ba6621fa-5a9f-48f1-9ca3-e13eb56fb589
KyleAyle - 2 years ago
Does this also affect systems where TPM was not used for BitLocker?
dr3amer - 1 year ago
MS patch has a flaw: you can't re-enable WinRE when the volume is encrypted with BitLocker:
REAGENTC.EXE: Windows RE cannot be enabled on a volume with BitLocker Drive Encryption enabled.
Windows Recovery Environment (Windows RE) and system reset configuration
Information:
Windows RE status: Disabled
Windows RE location:
Boot Configuration Data (BCD) identifier: 00000000-0000-0000-0000-000000000000
Recovery image location:
Recovery image index: 0
Custom image location:
Custom image index: 0
REAGENTC.EXE: Operation Successful.
Tested it on two different devices.
Also, the script has 2 typos: line 527 and line 665.
Is this the new standard for Microsoft quality?