High
CVE-2022-21882
Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the Win32k component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
Microsoft fixed this Win32k vulnerability in its January 2022 Patch Tuesday updates. However, threat actors are exploiting the vulnerability in the wild after a security researcher, RyeLv, published a PoC for it online.
Successful exploitation of this vulnerability lets attackers elevate privileges, spread laterally, and create new administrative users.
The vulnerability is similar to the Windows Win32k Elevation of Privilege Vulnerability disclosed last year.
Microsoft
According to the security researcher, here's a method to check for CVE-2021-1732 and CVE-2022-21882:
After the xxxClientAllocWindowClassExtraBytes callback is completed, determine whether the window object contains the 0x800 flag before the function returns.
When the flag has been set, the vulnerability can be identified according to the calling path of xxxClientAllocWindowClassExtraBytes.
When the stack path is xxxCreateWindowEx -> xxxClientallocxxxxExtraBytes, it is CVE-2021-1732.
In other cases it is CVE-2022-21882.
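The check above, written as a small triage helper over captured data (an added example, not code from the researcher or from Microsoft). It assumes the analyst has already recorded the window object's flag value and a debugger stack listing in `module!function+offset` form at the point the callback returns; the `win32kfull` module prefix, the addresses, the offsets and the `Placeholder*` frame names in the samples are constructed.

```python
import re

CALLBACK = "xxxClientAllocWindowClassExtraBytes"
CREATE_CALLER = "xxxCreateWindowEx"
FLAG = 0x800  # flag the check looks for on the window object

# Assumed frame format: "<frame#> <address> module!function+0xoffset"
FRAME_RE = re.compile(r"\w+!(\w+)(?:\+0x[0-9a-fA-F]+)?\s*$")


def parse_frames(stack_text):
    """Return function names from a stack listing, innermost frame first."""
    matches = (FRAME_RE.search(line) for line in stack_text.splitlines())
    return [m.group(1) for m in matches if m]


def classify(window_flags, stack_text):
    """Apply the two-step check to one capture taken as the callback returns."""
    if not window_flags & FLAG:
        return "flag-not-set"
    frames = parse_frames(stack_text)
    if CALLBACK not in frames:
        return "callback-not-on-stack"
    idx = frames.index(CALLBACK)
    if idx + 1 >= len(frames):
        return "caller-unknown"  # truncated stack: do not guess (added handling)
    if frames[idx + 1] == CREATE_CALLER:
        return "CVE-2021-1732"
    return "CVE-2022-21882"  # "in other cases", per the check above


# Constructed samples: addresses, offsets and Placeholder* names are made up.
STACK_CREATE = """\
00 ffffb001`00000000 win32kfull!xxxClientAllocWindowClassExtraBytes+0x9c
01 ffffb001`00000040 win32kfull!xxxCreateWindowEx+0x1182
02 ffffb001`00000080 win32kfull!PlaceholderOuterFrame+0x20
"""
STACK_OTHER = """\
00 ffffb001`00000000 win32kfull!xxxClientAllocWindowClassExtraBytes+0x9c
01 ffffb001`00000040 win32kfull!PlaceholderOtherCaller+0x167
02 ffffb001`00000080 win32kfull!PlaceholderOuterFrame+0x20
"""

if __name__ == "__main__":
    for name, flags, stack in [("create path", 0x800, STACK_CREATE),
                               ("other path", 0x4800, STACK_OTHER),
                               ("flag clear", 0x0, STACK_CREATE)]:
        print(f"{name}: {classify(flags, stack)}")
```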
For patches and security updates visit: