CISA orders federal agencies to patch actively exploited Windows bug

CISA orders federal agencies to patch actively exploited Windows bug

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems against an actively exploited Windows vulnerability that enables attackers to gain SYSTEM privileges.

Per a binding operational directive (BOD 22-01) issued in November and today’s announcement, all Federal Civilian Executive Branch Agencies (FCEB) agencies are now required to patch all systems against this vulnerability, tracked as CVE-2022-21882 within two weeks, until February 18th.

While BOD 22-01 only applies to FCEB agencies, CISA strongly urges all private and public sector organizations to reduce their exposure to ongoing cyberattacks by adopting this Directive and prioritizing mitigation of vulnerabilities included in its catalog of actively exploited security flaws.

“CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below,” the cybersecurity agency said today.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

After exploiting the Win32k local privilege elevation flaw, threat actors with limited access to compromised devices can use the newly obtained user rights to spread laterally within the network, create new admin users, or execute privileged commands.

According to Microsoft’s advisory, “a local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.”

This vulnerability affects systems running Windows 10 1909 or later, Windows 11, and Windows Server 2019 and later without the January 2022 Patch Tuesday updates.

The bug is also a bypass of another Windows Win32k privilege escalation bug (CVE-2021-1732), a zero-day flaw patched in February 2021 and actively exploited in attacks since at least the summer of 2020.

BleepingComputer also tested an exploit targeting this vulnerability and encountered no problems compiling the exploit and using it to open Notepad with SYSTEM privileges on a Windows 10 system (the exploit didn’t work on Windows 11).

CISA’s warning is well-timed, seeing that many administrators skipped the January 2022 updates due to critical bugs introduced by last month’s Patch Tuesday security updates.

These known issues include reboots, L2TP VPN problems, inaccessible ReFS volumes, and Hyper-V issues addressed in emergency out-of-band (OOB) updates issued on January 17th.

By not deploying these patches, those who skipped the update are leaving devices on their networks unprotected and vulnerable to attacks exploiting this flaw, tagged by Microsoft as an important severity vulnerability.