Federal entities have been ordered by the Cybersecurity and Infrastructure Security Agency (CISA) to patch their systems against an actively exploited Windows vulnerability that allows attackers to gain SYSTEM rights.
All Federal Civilian Executive Branch (FCEB) agencies are now required to patch all systems against this vulnerability, tracked as CVE-2022-21882, within two weeks, by February 18th, according to a binding operational directive (BOD 22-01) published in November and today’s notification.
While BOD 22-01 only applies to FCEB agencies, CISA strongly advises all private and public sector entities to follow this Directive and prioritise mitigating the vulnerabilities listed in CISA’s catalog of actively exploited security weaknesses, to limit their exposure to ongoing cyberattacks.
“Based on indications that threat actors are actively exploiting the vulnerabilities described in the table below, CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog,” the cybersecurity agency announced today.
“These types of vulnerabilities are a common attack vector for all types of malicious cyber actors and constitute a major danger to the federal organisation,” says the report.
After exploiting the Win32k local privilege elevation bug, threat actors who previously had only limited access to a compromised device can use the newly acquired rights to move laterally inside the network, create new admin users, and execute privileged commands.
“A local, authenticated attacker might gain elevated local system or administrator rights through a vulnerability in the Win32k.sys driver,” according to Microsoft’s advisory.
Systems running Windows 10 1909 or later, Windows 11, and Windows Server 2019 and later are affected unless the January 2022 Patch Tuesday updates have been installed.
This defect also bypasses another Windows Win32k privilege escalation weakness (CVE-2021-1732), a zero-day flaw patched in February 2021 and frequently exploited in attacks since at least the summer of 2020.
BleepingComputer also tested an exploit for this vulnerability and had no issues compiling it and running it to obtain SYSTEM rights on a Windows 10 system (the exploit did not work on Windows 11).
Many administrators delayed the January 2022 updates because of the major issues introduced by last month’s Patch Tuesday security fixes, so CISA’s warning is timely.
Reboots, L2TP VPN failures, inaccessible ReFS volumes, and Hyper-V problems are among the known issues fixed in the emergency out-of-band (OOB) updates released on January 17th.
Those who do not apply these fixes risk leaving devices on their networks exposed to attacks exploiting this issue, which Microsoft has classified as a critical severity vulnerability.