Malwarebytes Labs MALWAREBYTES:6A30A2B661E06D2D7D26479F27BB0EF3
Feb 01, 2022 - 11:07 a.m.

Apply those updates now: CVE bypass offers up admin privileges for Windows 10

Malwarebytes Labs
blog.malwarebytes.com

CVSS3: 7.8 High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.2 High
AV:L/AC:L/Au:N/C:C/I:C/A:C
Access Vector: LOCAL; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

If you’re running Windows 10, it’s time to stop delaying those patches and bring your systems up to date as soon as possible.

Bleeping Computer reports that a researcher has published a working bypass for the fix of an older bug, and it will cause some major headaches if left unaddressed. Those headaches take the form of a local attacker gaining admin privileges on Windows 10, which is enough to create new admin accounts and more besides.

What happened the first time round?

Back in February 2021, Microsoft patched a vulnerability whose exploit had been in use since mid-2020. Classed as high-severity, CVE-2021-1732 (Windows Win32k Elevation of Privilege Vulnerability) allowed a local attacker to elevate privileges from an ordinary user account to admin level.

An elevation of privilege bug needs code already running on the machine, and fooling a victim into opening a bogus email attachment is all it takes to get that first foot in the door. The exploit turned up in a targeted attack attributed to the Bitter APT campaign; according to the report, the number of victims was “very limited” and they were located in China.

What’s happening now?

Multiple public exploits have now dropped for another Win32k elevation of privilege vulnerability, CVE-2022-21882. It is a bypass of the fix for the previously mentioned CVE-2021-1732, which was patched back in February 2021. Microsoft fixed CVE-2022-21882 in the January 2022 Patch Tuesday updates. However, many sysadmins may well have skipped or rolled back those updates because of the various bugs that came along for the ride.

Time to get fixing things?

It is absolutely time to get fixing things. The exploit is publicly available, and as Bleeping Computer notes, it “affects all supported versions of Windows 10 before the January 2022 Patch Tuesday updates”.

Writers at Bleeping Computer were able to get it to work in testing, and others have confirmed it for themselves:

> Interestingly, #MDE detects this PoC as CVE-2021-1732.
> This is understandable since this #CVE-2022-21882 is a bypass of #CVE-2021-1732.
> Generic #LPE detection #KQL query works in this case too. #BlueTeam #ThreatHunting https://t.co/01El9wPjk0
> /1 https://t.co/vM2apKJsI6
>
> – Bhabesh (@bh4b3sh) January 29, 2022

Is there any reason to wait for February’s Patch Tuesday?

If you’re one of the hold-outs who ran into errors last time around, waiting for February’s Patch Tuesday isn’t advisable: Microsoft has already issued an out-of-band (OOB) update that addresses the problems the January patch caused. As per Microsoft’s January 17 notification about the release:

> "Microsoft is releasing Out-of-band (OOB) updates today, January 17, 2022, for some versions of Windows. This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount."

Things being what they are, it’s time to get in there and apply the OOB update (if you haven’t already), which is cumulative and so carries the January security fixes as well, and put this one to rest.
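A quick way to tell whether a Windows 10 host has actually taken the January 2022 update (or the OOB release) before you trust it is to read the build and UBR from the registry and cross-check the installed hotfix list. The script below is an added example and not code from the Malwarebytes post or from Bleeping Computer. It assumes the registry values CurrentBuildNumber, UBR and DisplayVersion (or ReleaseId on older releases) under Windows NT\CurrentVersion, that Get-HotFix lists cumulative updates as “Security Update” with an InstalledOn date (which is sometimes blank, so the build check is treated as authoritative), and that 11 January 2022 was the January Patch Tuesday and 17 January 2022 the OOB release, as the quote above states. The minimum UBR for your release is deliberately a parameter: take it from the KB article for the January cumulative or OOB update for that release rather than from this example.

```powershell
# Added example, not from the Malwarebytes post or Bleeping Computer.
# Assumes Windows 10 with the registry values named below; Get-HotFix dates are
# a secondary signal only because Win32_QuickFixEngineering sometimes omits them.

$PatchTuesday = [datetime]'2022-01-11'   # January 2022 Patch Tuesday
$OobRelease   = [datetime]'2022-01-17'   # out-of-band release from Microsoft's notice

function Get-WindowsBuildVersion {
    # UBR (Update Build Revision) increments with every cumulative update, so
    # major.minor.build.UBR (e.g. 10.0.19044.1415) is the exact patch level.
    $nt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release = if ($nt.DisplayVersion) { $nt.DisplayVersion } else { $nt.ReleaseId }
    [pscustomobject]@{
        Release = $release                                   # e.g. 21H2
        Version = [version]::new(10, 0, [int]$nt.CurrentBuildNumber, [int]$nt.UBR)
    }
}

function Get-CumulativeUpdatesSince {
    param([Parameter(Mandatory)][datetime]$Since)
    # Cumulative updates appear as "Security Update"; drop entries with no date.
    Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Test-January2022Update {
    param(
        # Minimum UBR for this host's release, from the KB article for the January
        # cumulative or OOB update. It differs per Windows 10 release, so it is an
        # operator-supplied value here rather than a hard-coded number.
        [Parameter(Mandatory)][int]$MinimumUbr
    )
    $build  = Get-WindowsBuildVersion
    $recent = @(Get-CumulativeUpdatesSince -Since $PatchTuesday)
    $oob    = @(Get-CumulativeUpdatesSince -Since $OobRelease)

    [pscustomobject]@{
        Release                  = $build.Release
        Build                    = $build.Version.ToString()
        BuildAtOrAboveMinimum    = ($build.Version.Revision -ge $MinimumUbr)
        UpdatesSincePatchTuesday = ($recent.HotFixID -join ',')
        UpdatesSinceOob          = ($oob.HotFixID -join ',')
        # Exposed to the CVE-2022-21882 PoC if the build predates the January fix.
        LikelyExposed            = ($build.Version.Revision -lt $MinimumUbr)
    }
}

# Usage on the host being checked (reading these values needs no elevation):
# Test-January2022Update -MinimumUbr <UBR from the KB article for your release>
```

If BuildAtOrAboveMinimum is true but UpdatesSinceOob is empty, the host has the security fix but not the OOB corrections; if LikelyExposed is true the host is still vulnerable to the public exploit regardless of what Get-HotFix reports, since a rolled-back update leaves the UBR where it was.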

Microsoft is also putting a fair bit of work into figuring out where the patching process breaks down, using its Update Connectivity data. Its current estimate is that a device needs at least two continuous connected hours, and six total connected hours, after an update is released to reliably download and install it.

If devices on your network fall short of that, and you’re still waiting to take the plunge, you have little to lose by pushing the update, and keeping devices connected long enough to finish it, as soon as you possibly can.

The post Apply those updates now: CVE bypass offers up admin privileges for Windows 10 appeared first on Malwarebytes Labs.
