

January 31, 2022
Severity
High
Analysis Summary
CVE-2022-21882
Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the Win32k component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
Microsoft fixed this Win32k vulnerability in its January 2022 Patch Tuesday updates. However, the vulnerability is being exploited in the wild by threat actors after a PoC for it was published online by a security researcher, RyeLv.
Successful exploitation of this vulnerability lets attackers elevate privileges, spread laterally, and create new administrative users.
The vulnerability is similar to the Windows Win32k Elevation of Privilege vulnerability disclosed last year (CVE-2021-1732).
Impact
- Elevation of Privilege
Affected Vendors
Microsoft
Affected Products
- Windows 10 Version 20H2 for all systems
- Windows 10 Version 1909
- Windows 10 Version 21H2
- Windows 11 for all systems
- Microsoft Windows Server 2022
- Microsoft Windows Server 2019
- Windows 10 Version 1809 for all systems
Remediation
According to the security researcher, the following check distinguishes CVE-2021-1732 from CVE-2022-21882:
- After the xxxClientAllocWindowClassExtraBytes callback completes, determine whether the window object contains the 0x800 flag before the function returns.
- When the flag has been set, the vulnerability can be identified from the calling path of xxxClientAllocWindowClassExtraBytes:
- If the stack path is xxxCreateWindowEx -> xxxClientAllocWindowClassExtraBytes, it is CVE-2021-1732.
- In all other cases it is CVE-2022-21882.
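As an added example (not part of the Rewterz alert or the researcher's method), the PowerShell triage below checks whether a host is one of the affected products listed above and whether it has received any Windows update since the January 2022 Patch Tuesday (2022-01-11, an assumption). It does not verify the specific fix, since the alert gives no KB numbers; a "NeedsReview" result is a lead to confirm against Microsoft's advisory.

```powershell
# Added host triage for CVE-2022-21882; not code from the Rewterz alert.
# 1. Is this host one of the affected products named in the alert?
# 2. Has it recorded any update since the January 2022 Patch Tuesday?
# Get-HotFix omits some update types, so "no update recorded" is
# inconclusive rather than proof that the fix is missing.

# Affected versions from the alert, keyed on the DisplayVersion/ReleaseId
# registry value. Windows 11 reports DisplayVersion 21H2 as well.
$AffectedClientVersions = @('1809', '1909', '20H2', '21H2')
$AffectedServerCaptions = @('Windows Server 2019', 'Windows Server 2022')
$PatchTuesday = Get-Date '2022-01-11'   # assumption: Jan 2022 Patch Tuesday

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
# DisplayVersion exists on 20H2 and later; older builds only expose ReleaseId.
$version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

$isClientAffected = ($os.Caption -match 'Windows (10|11)') -and
                    ($AffectedClientVersions -contains $version)
$isServerAffected = [bool]($AffectedServerCaptions |
                    Where-Object { $os.Caption -like "*$_*" })
$isAffected = $isClientAffected -or $isServerAffected

# Most recent update the servicing stack has recorded an install date for.
$latest = Get-HotFix |
          Where-Object InstalledOn |
          Sort-Object InstalledOn -Descending |
          Select-Object -First 1
$updatedSincePatchTuesday = ($null -ne $latest) -and
                            ($latest.InstalledOn -ge $PatchTuesday)

[pscustomobject]@{
    Host                    = $env:COMPUTERNAME
    Caption                 = $os.Caption
    Version                 = $version
    Build                   = $os.BuildNumber
    InAffectedList          = $isAffected
    LatestUpdate            = if ($latest) { $latest.HotFixID } else { 'none recorded' }
    LatestUpdateInstalledOn = if ($latest) { $latest.InstalledOn } else { $null }
    NeedsReview             = $isAffected -and -not $updatedSincePatchTuesday
}
```

Run it as an administrator on each host in scope, or wrap it in Invoke-Command for fleet-wide collection.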
For patches and security updates visit: