Patching CVE-2022-41099

Microsoft released a fix for CVE-2022-41099 (a BitLocker Security Feature Bypass Vulnerability) back in November 2022 and published on March 16, 2023 a sample script to help automate updating WinRE.

The script shows how to find out whether WinRE is patched: it mounts the Winre.wim image and checks the version of the bootmenuux.dll file under $mountDir + "\Windows\System32\bootmenuux.dll".

Did you know that you can check the version of the file without mounting the WinRE.wim image?

The first step is to get the WinRE.wim location from the running Windows OS using these two lines:

# Ask ReAgentC for the recovery environment location; the line of interest reads 'Windows RE location: <path>'
# Splitting on ':' leaves the label in $null and the path in $RELoc
$null,$RELoc = ((& (Get-Command "$($env:systemroot)\system32\ReAgentC.exe") @('/info')) |
    Where-Object { $_ -match 'Windows\sRE\slocation:' } ) -split ':'
# Drop the whitespace left around the path after the split
$RELoc = $RELoc.Trim()

The second step consists of listing the content of the image using the built-in Get-WindowsImageContent cmdlet.

The basic idea is the following:

# List every file in image index 1 of winre.wim and keep only the BootMenuUX entries for review
Get-WindowsImageContent -ImagePath "$($RELoc)\winre.wim" -Index 1 | Where-Object { $_ -match 'BootMenuUX' } |
    Out-GridView -PassThru

Now, how do I extract the latest version from this list of file names?

Well, with the following one-liner:

# Locate winre.wim as in the first step
$null,$RELoc = ((& (Get-Command "$($env:systemroot)\system32\ReAgentC.exe") @('/info')) | Where-Object { $_ -match 'Windows\sRE\slocation:' } ) -split ':'
$RELoc = $RELoc.Trim()
# The WinSxS folder name carries the component version: amd64_microsoft-windows-bootmenuux_<token>_<version>_...
# The named group 'Version' captures it; entries that do not parse as a [version] are kept as 'Failed'
$pattern = 'Windows\\WinSxS\\amd64_microsoft-windows-bootmenuux_.+_(?<Version>(\d{1,5}\.)+\d{1,5})_.+\\BootMenuUX\.dll'
Get-WindowsImageContent -ImagePath "$($RELoc)\winre.wim" -Index 1 |
Where-Object { $_ -match $pattern } |
ForEach-Object { ([regex]$pattern).Matches($_) |
    Select-Object -ExpandProperty Groups | Where-Object Name -eq 'Version' | Select-Object -ExpandProperty Value } |
ForEach-Object { try { [version]$_ } catch { 'Failed' } } |
Sort-Object -Descending | Select-Object -First 1 | ForEach-Object ToString

I've got version 10.0.19041.2247 installed, which means my WinRE.wim is patched 😎
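The same check wrapped into reusable functions, as an added example that is not the post's own code: the ReAgentC output is split on the first colon only, the version match is case-insensitive, and the comparison build 10.0.19041.2247 (the version the post reports as patched) is an assumed default; the sample listing at the end is constructed.

```powershell
# Added example, not the post's own code. It reuses the WinSxS naming shown in the post and
# treats 10.0.19041.2247 (the build the post reports as patched) as an assumed reference value.
$BootMenuUxPattern = 'WinSxS\\amd64_microsoft-windows-bootmenuux_[0-9a-f]{16}_(?<Version>\d+(\.\d+)+)_[^\\]+\\bootmenuux\.dll$'

function Get-WinREImagePath {
    # Parse 'Windows RE location:' from ReAgentC /info. Split on the first ':' only so a
    # location such as C:\Recovery\WindowsRE (which itself contains ':') is kept whole.
    $line = & "$env:SystemRoot\System32\ReAgentC.exe" /info |
        Where-Object { $_ -match 'Windows\sRE\slocation:' }
    if (-not $line) { throw 'ReAgentC /info reported no Windows RE location (is WinRE enabled?)' }
    $location = ($line -split ':', 2)[1].Trim()
    return "$location\winre.wim"
}

function Get-BootMenuUxVersion {
    # Takes the file list of the image (plain strings) and returns the highest BootMenuUX.dll
    # version found, or $null when there is none. Case-insensitive, unlike a bare [regex].
    param([Parameter(Mandatory)][string[]]$ImageContent)
    $versions = foreach ($path in $ImageContent) {
        $m = [regex]::Match($path, $BootMenuUxPattern, 'IgnoreCase')
        if ($m.Success) { [version]$m.Groups['Version'].Value }
    }
    return $versions | Sort-Object -Descending | Select-Object -First 1
}

function Test-WinREPatched {
    # The required build differs per Windows release, so pass the value for your release;
    # the default is only the build the post reports as patched on the author's machine.
    param(
        [string]$ImagePath = (Get-WinREImagePath),
        [version]$MinimumVersion = '10.0.19041.2247'
    )
    $content = Get-WindowsImageContent -ImagePath $ImagePath -Index 1
    $found   = Get-BootMenuUxVersion -ImageContent $content
    [pscustomobject]@{
        ImagePath = $ImagePath
        Version   = $found
        Patched   = ($null -ne $found -and $found -ge $MinimumVersion)
    }
}

# Constructed sample listing (not taken from a real image) to exercise the parser offline.
$sample = @(
    '\Windows\System32\bootmenuux.dll',
    '\Windows\WinSxS\amd64_microsoft-windows-bootmenuux_31bf3856ad364e35_10.0.19041.1_none_0123456789abcdef\BootMenuUX.dll',
    '\Windows\WinSxS\amd64_microsoft-windows-bootmenuux_31bf3856ad364e35_10.0.19041.2247_none_fedcba9876543210\bootmenuux.dll'
)
Get-BootMenuUxVersion -ImageContent $sample
```

On a real machine, run `Test-WinREPatched` (elevated, since ReAgentC and Get-WindowsImageContent need it) to get the image path, the version found and a Patched flag in one object.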
