BlackLotus, CVE-2022-21894, CVE-2023-24932: Does WinRE need to be updated manually?

Martin Fessler 11 Reputation points
2023-08-10T21:31:52.33+00:00

Hello,

does the WinRE have to be updated manually with the latest Windows Safe OS Dynamic Update to fix the BlackLotus (CVE-2022-21894, CVE-2023-24932) vulnerability, as was the case for the BitLocker vulnerability (CVE-2022-41099), or is it (or was it already?) done automatically by a monthly rollup?

Btw... in my opinion something like this should be patched automatically!
Features like BitLocker (I just say "automatic encryption on modern devices") and Secure Boot (Windows 11) are practically "forced" on the end customers, and then Microsoft expects that the average Joe tracks CVEs, KBs... and manually patches stuff like that using Dism or PS scripts... really?

Thanks and greetings,
Martin

  1. Wesley Li (Shanghai Wicresoft Co., Ltd.) 236 Reputation points
    2023-09-20T07:49:58.2666667+00:00

    Hello

    The BlackLotus vulnerability (CVE-2022-21894) and the related vulnerability (CVE-2023-24932) are indeed serious issues that Microsoft has been addressing. These vulnerabilities affect the Unified Extensible Firmware Interface (UEFI) and can be exploited via a bootkit called BlackLotus.

    To mitigate these vulnerabilities, Microsoft has released updates and provided guidance on how to investigate attacks using these vulnerabilities. However, it’s important to note that applying these updates to the Windows Recovery Environment (WinRE), also known as “Safe OS”, requires manual steps. This is similar to the process required for the BitLocker vulnerability (CVE-2022-41099).

    Microsoft has provided scripts and guidance on how to manually update WinRE to address these vulnerabilities. However, I understand your concern. It would indeed be more user-friendly if such critical updates were applied automatically.

    KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

    PowerShell Script To Update WinRE On Windows To Fix Bitlocker Vulnerability CVE-2022-41099 HTMD Blog (anoopcnair.com)


  2. Daniel Casota 56 Reputation points
    2025-02-04T19:41:32.1133333+00:00

    That recipe to use .\PatchWinREScript_2004plus.ps1 does not work if REAGENTC.EXE has a problem. How to solve this?

    02/04/2025 20:27:08 - Use default path from temporary directory
    02/04/2025 20:27:08 - Working Dir: C:\Users\xxxx\AppData\Local\Temp\
    02/04/2025 20:27:08 - MountDir: C:\Users\xxxx\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
    02/04/2025 20:27:08 - Create mount directory C:\Users\xxxx\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
    
        Directory: C:\Users\xxxx\AppData\Local\Temp
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d----          04.02.2025    20:27                CA551926-299B-27A55276EC22_Mount
    02/04/2025 20:27:08 - Set ACL for mount directory
    Bearbeitete Datei: C:\Users\xxxx\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
    1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.
    Bearbeitete Datei: C:\Users\xxxx\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
    1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.
    Bearbeitete Datei: C:\Users\xxxx\AppData\Local\Temp\CA551926-299B-27A55276EC22_Mount
    1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.
    02/04/2025 20:27:08 - Mount WinRE:
    REAGENTC.EXE: Vorgang fehlgeschlagen: 2
    
    REAGENTC.EXE: Fehler.
    
    02/04/2025 20:27:08 - Mount failed: 2
    02/04/2025 20:27:08 - Delete mount direcotry
    
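
The manual WinRE servicing that the first answer describes (mount the Safe OS image, add the Safe OS Dynamic Update, commit) and the failure shown in the log above (the script aborting at "Mount WinRE" with "Mount failed: 2") are the two halves of the same procedure, so here is one added example that covers both. This is illustrative code written for this thread; it is not the PatchWinREScript_2004plus.ps1 script from the linked blog post and not a Microsoft script. It assumes you have already downloaded a Safe OS Dynamic Update .cab from the Microsoft Update Catalog and pass its path as $SafeOsCab (placeholder), and it assumes one thing about REAGENTC.EXE output: that when WinRE is configured, `reagentc /info` prints the image location as a `\\?\GLOBALROOT\device\...` path regardless of display language (the labels themselves are localized, as the German log above shows, so the script deliberately does not match on them). The function name Get-WinREConfiguredLocation is the example's own. It does not try to interpret exit code 2 from the log; it only makes the pre-flight check happen before a mount directory is created, and it discards the mount on any error so the image is never left half-serviced.

```powershell
#Requires -RunAsAdministrator
<#
  Added example for this thread (not the blog's script, not Microsoft code).
  1. Ask REAGENTC.EXE where WinRE lives; stop early if it is not configured.
  2. Mount WinRE, add the Safe OS Dynamic Update, verify it is installed, commit.
  3. On any error, unmount with /discard and remove the temporary mount directory.
  Assumption: $SafeOsCab is a Safe OS Dynamic Update .cab you obtained yourself.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$SafeOsCab,                                   # placeholder, e.g. C:\Updates\SafeOS-DU.cab
    [string]$MountDir = (Join-Path $env:TEMP 'WinRE_Mount')
)

$ErrorActionPreference = 'Stop'

function Get-WinREConfiguredLocation {
    # Labels in "reagentc /info" are localized (German on the system in the log above),
    # so key on the image path instead: when WinRE is configured it is printed as a
    # \\?\GLOBALROOT\device\harddiskN\partitionM\... string in every language (assumption).
    $info = & reagentc.exe /info 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "reagentc /info failed with exit code $LASTEXITCODE`n$($info -join "`n")"
    }
    $line = $info | Where-Object { $_ -match '\\\\\?\\GLOBALROOT\\device\\' } | Select-Object -First 1
    if (-not $line) { return $null }
    return ($line -replace '^.*?(\\\\\?\\GLOBALROOT\\\S+).*$', '$1')
}

# --- pre-flight: do not create anything until we know there is an image to mount ---
$location = Get-WinREConfiguredLocation
if (-not $location) {
    Write-Warning 'WinRE is not configured on this system, so REAGENTC has nothing to mount.'
    Write-Warning "Check for $env:SystemRoot\System32\Recovery\winre.wim and run 'reagentc /enable' first."
    exit 2
}
Write-Host "WinRE image configured at: $location"
if (-not (Test-Path -LiteralPath $SafeOsCab)) { throw "Safe OS package not found: $SafeOsCab" }

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
& reagentc.exe /mountre /path $MountDir
if ($LASTEXITCODE -ne 0) {
    Remove-Item -LiteralPath $MountDir -Recurse -Force -ErrorAction SilentlyContinue
    throw "reagentc /mountre failed with exit code $LASTEXITCODE"
}

$commit = $false
try {
    # Inspect the .cab against the mounted image: skip the add if it is already installed.
    $pkg = Get-WindowsPackage -Path $MountDir -PackagePath $SafeOsCab
    if ($pkg.PackageState -eq 'Installed') {
        Write-Host "$($pkg.PackageName) is already present in this WinRE image; nothing to do."
    }
    else {
        # -PreventPending refuses a package that would need a reboot inside WinRE (there is none).
        Add-WindowsPackage -Path $MountDir -PackagePath $SafeOsCab -PreventPending | Out-Null
        $pkg = Get-WindowsPackage -Path $MountDir -PackagePath $SafeOsCab
        if ($pkg.PackageState -ne 'Installed') {
            throw "Package $($pkg.PackageName) is in state '$($pkg.PackageState)' after servicing; discarding."
        }
        Write-Host "Installed into WinRE: $($pkg.PackageName)"
        $commit = $true
    }
}
finally {
    if ($commit) {
        & reagentc.exe /unmountre /path $MountDir /commit
        if ($LASTEXITCODE -ne 0) { Write-Error "reagentc /unmountre /commit failed with exit code $LASTEXITCODE" }
    }
    else {
        # Either nothing changed or something failed: throw the mounted changes away.
        & reagentc.exe /unmountre /path $MountDir /discard | Out-Null
    }
    Remove-Item -LiteralPath $MountDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it from an elevated PowerShell session as `.\Update-WinRE.ps1 -SafeOsCab C:\Updates\SafeOS-DU.cab` (file name and cab path are placeholders). The same steps with the classic tools the question mentions are `reagentc /mountre /path <dir>`, `dism /Image:<dir> /Add-Package /PackagePath:<cab>`, and `reagentc /unmountre /path <dir> /commit`; the value of the PowerShell version is the pre-flight check and the guaranteed discard on failure, which is exactly what is missing when a script fails at the mount step as in the log above.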