Monday, March 21, 2022

A Bug That Doesn't Want To Die (CVE-2021-34484, CVE-2022-21919, CVE-2022-26904)

Twice Bypassed and Twice Micropatched, Will Third Time be a Charm?

 

 

by Mitja Kolsek, the 0patch Team


Update 8/10/2022: April 2022 Windows Updates brought an official fix for this vulnerability, which was assigned CVE-2022-26904. Our users were therefore protected from this issue a full 22 days before an official fix became available, and remained protected until they installed Windows Updates. From now on, these micropatches require a PRO or Enterprise license.


In November we issued a micropatch for a local privilege escalation in User Profile Service. This vulnerability was found and reported to Microsoft by security researcher Abdelhamid Naceri and assigned CVE-2021-34484 when initially fixed. Abdelhamid subsequently noticed that Microsoft's patch was incomplete and wrote a POC to bypass it. Based on that information, we were able to create a micropatch for what was then considered a 0day (a known vulnerability without an official vendor fix).

Microsoft then provided a fix for Abdelhamid's bypass with January 2022 Windows Updates (assigning the "new" vulnerability CVE-2022-21919), but Abdelhamid took a closer look and found another way around it (the linked article is not available at the time of this writing).

We could easily reproduce this second bypass on fully updated Windows computers, except on Windows Server 2016. While our own micropatch was not bypassable using Abdelhamid's new trick, Microsoft modified the DLL we wrote the micropatch for (profext.dll), which meant we had to port our patch to the new version of this DLL to protect users who diligently apply Windows updates.

In short, CVE-2021-34484 is again a 0day on supported Windows versions. Somewhat ironically, affected Windows computers whose official support had already ended (Windows 10 v1803, v1809, and v2004) and which have 0patch did not have this vulnerability reopened.

We ported our micropatch to the latest profext.dll on the following Windows versions: 
  1. Windows 10 v21H2 (32 & 64 bit) updated with March 2022 Updates
  2. Windows 10 v21H1 (32 & 64 bit) updated with March 2022 Updates
  3. Windows 10 v20H2 (32 & 64 bit) updated with March 2022 Updates
  4. Windows 10 v1909 (32 & 64 bit) updated with March 2022 Updates
  5. Windows Server 2019 64 bit updated with March 2022 Updates
 
Since this vulnerability is again a 0day, our micropatches for it became free again and will remain free until Microsoft has issued a correct official fix. To use these micropatches, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com. Everything else will happen automatically. No computer reboots will be needed. 

Users who already have 0patch installed do not have to do anything: new micropatches will get applied automatically.


We'd like to thank Abdelhamid Naceri for finding this issue and sharing details, which allowed us to create a micropatch and protect our users.

To learn more about 0patch, please visit our Help Center.

6 comments:

  1. This is great, but how is it free? When I signed up for an account, it says it is only free for 10 computers, and only for limited businesses like education? Thanks.

    1. Hi there, apologies for the delay. According to our license agreement (https://0patch.com/files/License_agreement.rtf), 0patch FREE can be used on up to 10 computers for personal use or not-for-profit educational use - but for testing purposes, any organization (not only education) can use 0patch FREE for up to 60 days. It is likely that within 60 days, Microsoft will have delivered an official fix with Windows Updates.

  2. Hi, I am running Win10 v21H2. Which of these patches should I use?

    1. Hi Matteo, if you just install 0patch Agent and register it to your 0patch account, the relevant patches will get applied automatically.

  3. I signed up, downloaded & installed the 0patch agent, but after I run it, it doesn't show this patch!

    1. Hi there, can you please report your issue to support@0patch.com and state which Windows version you're using? Thanks!
