Federal entities have been ordered by the Cybersecurity and Infrastructure Security Agency (CISA) to update their systems against an intensively exploited Windows vulnerability that allows hackers to bypass SYSTEM rights. All Federal Civilian Executive Branch Agencies (FCEB) are now obligated to update all systems against this weakness, identified as CVE-2022–21882, within two weeks, until February 18th, according to a binding operational directive (BOD 22–01) published in November and today’s notification.
Although BOD 22–01 primarily applies to FCEB agencies, CISA strongly advises all private and public sector entities to follow this Directive and concentrate remediation of vulnerabilities in its database of widely exploited security weaknesses to limit their susceptibility to current cyberattacks.
“Based on indications that threat actors are actively exploiting the vulnerabilities described in the table below, CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog,” the cybersecurity agency announced today. “These types of vulnerabilities are a common attack vector for all types of malicious cyber actors and constitute a major danger to the federal organization,” says the report.
Malicious hackers with limited access to compromised devices can leverage the newly acquired access privileges to propagate laterally inside the network, establish new admin users, and run elevated commands after exploiting the Win32k local privilege elevation bug.
“A local, authenticated attacker might gain elevated local system or administrator rights through a vulnerability in the Win32k.sys driver,” according to Microsoft’s advisory. Without the January 2022 Patch Tuesday upgrades, this vulnerability affects systems running Windows 10 1909 or later, Windows 11, and Windows Server 2019 and later.
Another Windows Win32k privilege escalation weakness (CVE-2021–1732), a zero-day flaw patched in February 2021 and frequently exploited in attacks since at least the summer of 2020, is also bypassed by this defect. Many administrators delayed the January 2022 upgrades due to major issues introduced by last month’s Patch Tuesday security fixes, so CISA’s warning is timely.
Reboots, L2TP VPN issues, inaccessible ReFS volumes, and Hyper-V issues are among the known issues fixed in emergency out-of-band (OOB) upgrades released on January 17th. Those who do not apply these fixes risk leaving devices on their networks open to assaults exploiting this issue, which Microsoft has classified as a critical severity vulnerability.