
Customer Advisory | Exploit Code Released for Windows 10 Vulnerability: CVE-2022-21882

By Deepwatch, February 02, 2022
Prepared by Deepwatch Threat Intel Team

Key Points:

  • Proof-of-concept code was publicly disclosed for a Local Privilege Escalation (LPE) vulnerability in Windows 10, tracked as CVE-2022-21882, which affects the Win32k.sys driver.
  • Threat actors with limited access to a compromised device can utilize this vulnerability to quickly elevate privileges, allowing them to spread laterally inside the network, create new administrator users, and run privileged commands.
  • According to the security researcher credited with disclosing the vulnerability to Microsoft, the vulnerability has already been exploited by advanced persistent threat (APT) actors.
  • Deepwatch Threat Intel Teams assess with high confidence that threat actors are likely to use the publicly available exploit code for CVE-2022-21882 to escalate privileges on systems they have already compromised. Given that the vulnerability affects Windows 10, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.
  • The Deepwatch Vulnerability Management team is currently aware of and monitoring the vulnerability mentioned above. We will continue to provide guidance and remediation recommendations to our customers.

Summary

According to Microsoft, proof-of-concept (PoC) code was publicly disclosed for a recently patched vulnerability in Windows 10. Tracked as CVE-2022-21882 with a CVSS score of 7.0, the vulnerability means that a “local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.” The author of the exploit code, Gil Dabah, claims that he found the vulnerability two years ago but decided not to disclose it to Microsoft because of difficulties with how Microsoft handles bug bounty awards.

Numerous security experts, including Will Dormann, a vulnerability analyst with the CERT/CC, confirmed that the exploits function as intended. 

What is the Impact of this Vulnerability?

Microsoft states in their advisory that “A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.” 

Microsoft credits security researcher RyeLv with the find. According to RyeLv’s disclosure, the win32k elevation of privilege vulnerability enables a threat actor to “call the relevant GUI API at the user_mode to make the kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc.”

RyeLv further states that “These kernel functions will trigger a callback xxxClientAllocWindowClassExtraBytes. Attacker can intercept this callback through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable, and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.”

According to RyeLv, advanced persistent threat (APT) actors have already exploited this vulnerability. 

“Customers should keep in mind that while this exploit requires a local authenticated user to perform this attack, that does not mean it should not be prioritized. Threat actors could use this vulnerability to quickly escalate privileges for lateral movement purposes. Therefore, remediation of this vulnerability should definitely be near the top of the list of priorities.”
~ Rob Hundley, Manager, Deepwatch Vulnerability Management

What Versions are Affected?

  • Microsoft Windows 10 versions: 1809, 1909, 20H2, 21H1, and 21H2.
  • Microsoft Windows 11.
  • Microsoft Windows Server 2019.
  • Microsoft Windows Server 2022.

What Do I Need to Do?

Given the vulnerability affects Windows 10, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.
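The following triage script, added here as an example and not Deepwatch's own tooling, flags a host whose operating system falls in the affected list above and reports whether the fix appears to be installed, so patching can be prioritized. The KB identifier is a placeholder to be replaced with the value from Microsoft's advisory for the host's build, and the patch release date is an assumption (January 2022 Patch Tuesday).

```powershell
# Added triage check for CVE-2022-21882 (example code, not Deepwatch tooling).
# Flags a host that matches the advisory's affected-version list and reports
# patch status. -PatchKb is a placeholder: supply the KB for this build from
# Microsoft's advisory. -PatchReleaseDate is assumed (January 2022 Patch Tuesday).
param(
    [string]$PatchKb = 'KB-PLACEHOLDER',
    [datetime]$PatchReleaseDate = '2022-01-11'
)

$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$product = $cv.ProductName
$build   = [int]$cv.CurrentBuildNumber

# DisplayVersion exists on 20H2 and later; older builds (1809, 1909) expose ReleaseId.
$release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }

# Affected Windows 10 versions exactly as listed in the advisory.
$affectedWin10 = @('1809', '1909', '20H2', '21H1', '21H2')

$affected = $false
if ($build -ge 22000) {
    # Windows 11 still reports ProductName "Windows 10 ..." in this key, so key off the build number.
    $affected = $true
} elseif ($product -like '*Windows 10*' -and $affectedWin10 -contains $release) {
    $affected = $true
} elseif ($product -like '*Server 2019*' -or $product -like '*Server 2022*') {
    $affected = $true
}

# Patch evidence: the named KB, plus a count of any updates installed since the fix shipped.
$kbInstalled   = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
$recentUpdates = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchReleaseDate }).Count

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    ProductName       = $product
    Release           = $release
    Build             = $build
    InAffectedList    = $affected
    PatchKbInstalled  = $kbInstalled
    UpdatesSincePatch = $recentUpdates
    Priority          = if ($affected -and -not $kbInstalled) { 'PATCH NOW' } else { 'Review' }
}
```

Run it per host (for example through your existing remote-execution tooling) and sort the resulting objects by Priority, then by exposure, to build the patch order the advisory recommends.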

Deepwatch Threat Intelligence Outlook

Deepwatch Threat Intel Teams assess with high confidence that less sophisticated threat actors are likely to use the publicly available exploit code for CVE-2022-21882 to escalate privileges on systems they have already compromised. However, given that the vulnerability affects Windows 10, the Deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.

The vulnerability management team is currently aware of and monitoring the vulnerability mentioned above. We will continue to provide guidance and remediation recommendations to our customers.
