Cybersecurity & Infrastructure Agency Orders Federal Agencies to mend actively exploited Windows bug

The Cybersecurity and Infrastructure Security Agency, commonly known as CISA, has instructed federal agencies to patch their systems against an actively exploited Windows vulnerability that enables attackers to gain SYSTEM privileges.

Per a binding operational directive (BOD 22-01) issued in November and the announcement made on 4 February 2022, all Federal Civilian Executive Branch (FCEB) agencies are now required to fix all systems against this vulnerability, tracked as CVE-2022-21882, within two weeks, by February 18th.

However, while BOD 22-01 only applies to FCEB agencies, CISA strongly urges all private and public sector organizations that are exposed to such flaws to reduce their exposure to ongoing cyberattacks by adopting this directive and prioritizing mitigation of vulnerabilities included in its catalog of actively exploited security flaws.

“CISA has added one new vulnerability to its ‘Known Exploited Vulnerabilities Catalog’, based on evidence that threat actors are assiduously exploiting the vulnerabilities listed in the table below,” the cybersecurity agency said on February 4th 2022.

The Agency also stated that, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

After exploiting the Win32k local privilege elevation flaw, threat actors with limited access to compromised devices can use the newly obtained user rights to spread laterally within the network, create new admin users, or even execute privileged commands.

As per Microsoft’s advisory, “a local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.”

This vulnerability crashes systems running Windows 10 1909 or later, Windows 11, and Windows Server 2019 and later without the January 2022 Patch Tuesday updates.

This unfortunate bug is also a bypass of another Windows Win32k privilege escalation bug (CVE-2021-1732), a zero-day flaw patched in February 2021 and actively exploited in attacks since at least the summer of 2020.

‘BleepingComputer’ also tested an exploit targeting this vulnerability and encountered no problems compiling it and using it to open Notepad with SYSTEM privileges on a Windows 10 system (this exploit didn’t work on Windows 11).

Fortunately, the agency’s warning is well-timed, seeing that many administrators skipped the January 2022 updates due to critical bugs introduced by last month’s Patch Tuesday security updates.

Additionally, an important thing to keep in mind is that by not installing these patches, those who skip the update are unknowingly leaving devices on their networks unprotected and giving easy access to attacks exploiting this flaw, which Microsoft also tags as an essential severity vulnerability.