Las actualizaciones del martes de parches de Microsoft de junio de 2023 incluían una solución para una importante vulnerabilidad del Kernel de Windows, pero está desactivada por defecto. Aquí tienes todo lo que necesitas saber, además de un script que te ayudará a activar el parche en varias versiones de Windows.
¿Qué es el CVE-2023-32019?
Microsoft califica al CVE-2023-32019 como una vulnerabilidad de divulgación de información del Kernel de Windows, que afecta a varias versiones, incluidas las últimas actualizaciones de Windows 10, Windows Server y Windows 11.
Una explotación exitosa podría permitir al intruso ver la memoria heap de un proceso con privilegios ejecutándose en un servidor, y su activación no requiere privilegios de administrador u otros privilegios elevados. Lo que sí requiere es que el intruso coordine el ataque con otro proceso privilegiado que ejecute otro usuario en el sistema.
A pesar de una puntuación base de CVSS relativamente modesta (4,7/10), Microsoft ha señalado esta vulnerabilidad como de severidad importante. Sin embargo, la corrección incluida en las actualizaciones de junio de 2023 requiere un paso adicional para activarla realmente. ¿Por qué?
¿Por qué la corrección de CVE-2023-32019 está deshabilitada de forma predeterminada?
Aunque la documentación de soporte de Microsoft no es muy detallada, la compañía sí explica que mitigar esta vulnerabilidad introduce un «posible cambio de rotura». Por lo tanto, están dejando que los usuarios activen manualmente la resolución en entornos de prueba y animándoles a que vigilen de cerca si se producen interrupciones antes de extender la solución a un ámbito más amplio.
Microsoft también afirma que «en una versión futura, esta resolución se habilitará de forma predeterminada. Te recomendamos que valides esta resolución en tu entorno. A continuación, tan pronto como se valide, habilita la resolución lo antes posible».
Cómo activar la corrección de CVE-2023-32019 mediante PowerShell
Para mitigar esta vulnerabilidad es necesario que los usuarios establezcan un valor de clave de registro en función de la versión de Windows que estén ejecutando (cada versión requiere un valor de clave diferente). Basta decir que este paso adicional ha suscitado quejas.
Para facilitar las cosas, nuestro Ingeniero de productos de software, Kyle Bohlander, ha creado el siguiente script que comprobará el sistema operativo y aplicará el cambio correcto en el registro, según corresponda.
Nota: Este script no está limitado únicamente a los usuarios de NinjaOne, es de uso público. Sin embargo, tal y como aconseja Microsoft, esta corrección debe aplicarse en máquinas de prueba antes de proceder a un despliegue más amplio y, como siempre, si decides ejecutarla es bajo tu propia responsabilidad.
Autor del script Kyle Bohlander, Ingeniero de productos de software de NinjaOne
#Requires -Version 5.1
<#
.SYNOPSIS
This script will apply the registry fix suggested by microsoft for CVE-2023-32019 for the particular OS the computer is run on. Please note not all OS's have a fix to apply!
https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080
.DESCRIPTION
This script will apply the registry fix suggested by microsoft for CVE-2023-32019 for the particular OS the computer is run on. Please note not all OS's have a fix to apply!
https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080
.EXAMPLE
(No Parameters)
Checking Windows Version....
Desktop Windows Detected!
Windows 10 identified!
22H2 Detected!
Set Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides4103588492 to 1
Successfully set registry key!
PARAMETER: -Undo
Removes the registry key set for this fix. Script will error out if that registry key is not present.
.EXAMPLE
-Undo
Checking Windows Version....
Desktop Windows Detected!
Windows 10 identified!
22H2 Detected!
Undoing registry fix...
Successfully removed registry fix!
.OUTPUTS
None
.NOTES
Release: Initial Release (6/15/2023)
General notes
#>
[CmdletBinding()]
param (
[Parameter()]
[switch]$Undo
)
begin {
# Tests that the script is elevated
function Test-IsElevated {
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$p = New-Object System.Security.Principal.WindowsPrincipal($id)
$p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}
# We want the script to check if its running on a workstation or something else
function Test-IsWorkstation {
$OS = Get-CimInstance -ClassName Win32_OperatingSystem
return $OS.ProductType -eq 1
}
# This will set the registry key and any preceding keys needed
function Set-RegKey {
param (
$Path,
$Name,
$Value,
[ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
$PropertyType = "DWord"
)
if (-not $(Test-Path -Path $Path)) {
# Check if path does not exist and create the path
New-Item -Path $Path -Force | Out-Null
}
if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)) {
# Update property and print out what it was changed from and changed to
$CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name
try {
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null
}
catch {
Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
Write-Error $_
exit 1
}
Write-Host "$Path$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
}
else {
# Create property with value
try {
New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
}
catch {
Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
Write-Error $_
exit 1
}
Write-Host "Set $Path$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
}
}
# Is it Windows 10 or 11 or something else?
$WindowsVersion = [System.Environment]::OSVersion.Version.Major
# Current Build Number
$BuildNumber = [System.Environment]::OSVersion.Version.Build
# If Script Forms are used grab the input
if($env:Undo){$Undo = $env:Undo}
}
process {
# If not elevated error out. Admin priveledges are required to create HKLM registry keys
if (-not (Test-IsElevated)) {
Write-Error -Message "Access Denied. Please run with Administrator privileges."
exit 1
}
# Keeping the end user updated on the status
Write-Host "Checking Windows Version...."
if (Test-IsWorkstation) {
Write-Host "Desktop Windows Detected!"
# Depending on the version we'll want to check on a different set of build numbers
switch ($WindowsVersion) {
"10" {
switch ($BuildNumber) {
"22621" {
Write-Host "Windows 11 identified!"
Write-Host "22H2 Detected!"
$key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
$name = "4237806220"
$value = "1"
}
"22000" {
Write-Host "Windows 11 identified!"
Write-Host "21H2 Detected!"
$key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
$name = "4204251788"
$value = "1"
}
"19045" {
# This sets us up to set the registry key depending on the current build and version.
Write-Host "Windows 10 identified!"
Write-Host "22H2 Detected!"
$key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
$name = "4103588492"
$value = "1"
}
"19044" {
Write-Host "Windows 10 identified!"
Write-Host "21H2 Detected!"
$key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
$name = "4103588492"
$value = "1"
}
"19042" {
Write-Host "Windows 10 identified!"
Write-Host "20H2 Detected!"
$key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
$name = "4103588492"
$value = "1"
}
"17763" {
Write-Host "Windows 10 identified!"
Write-Host "1809 Detected!"
$key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerConfiguration Manager"
$name = "LazyRetryOnCommitFailure"
$value = "0"
}
"14393" {
Write-Host "Windows 10 identified!"
Write-Host "1607 Detected!"
$key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerConfiguration Manager"
$name = "LazyRetryOnCommitFailure"
$value = "0"
}
default {
Write-Warning "Looks like you're either on an unsupported windows build or one not supported by this script? (Only Win 11 22H2 and 21H1 and Win 10 22H2,21H2,21H1,20H2,1809 and 1607 has a fix out!)"
Write-Warning "https://en.wikipedia.org/wiki/Windows_10_version_history"
Write-Warning "https://en.wikipedia.org/wiki/Windows_11_version_history"
Write-Error "[Error] This version of windows cannot be remediated by this script? Please verify this https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080"
exit 1
}
}
}
default {
Write-Warning "Looks like you're on a version of windows not supported by this script? (Only Windows 10 and 11 have a fix out!)"
Write-Error "[Error] This version of windows appears to not be applicable or cannot be remediated by this script? Please verify this https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080"
exit 1
}
}
}
else {
Write-Host "Windows Server Detected!"
if (Get-ComputerInfo | Select-Object OSName | Where-Object { $_.OSName -like "*2022*" }) {
$key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
$name = "4137142924"
$value = "1"
}
else {
Write-Warning "Looks like you're on a version of windows not supported by this script? (Only Server 2022 has a fix out!)"
Write-Error "[Error] This version of windows appears to not be applicable or cannot be remediated by this script? Please verify this https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080"
exit 1
}
}
if ($key -and -not $Undo) {
Set-RegKey -Path $key -Name $name -Value $value -PropertyType DWord
if ((Get-ItemPropertyValue -Path $key -Name $name -ErrorAction Ignore) -ne $value) {
Write-Error "[Error] Unable to set registry key? Is something blocking the script?"
exit 1
}
else {
Write-Host "Successfully set registry key!"
exit 0
}
}
elseif ($Undo) {
if (Get-ItemProperty -Path $key -ErrorAction Ignore) {
Write-Host "Undoing registry fix..."
Remove-ItemProperty -Path $key -Name $name
if (Get-ItemProperty -Path $key -ErrorAction Ignore) {
Write-Error "[Error] Unable to undo registry fix!"
exit 1
}
else {
Write-Host "Successfully removed registry fix!"
exit 0
}
}
else {
Write-Error "[Error] Registry Key not found? Did you already undo it?"
exit 1
}
}else{
Write-Error "[Error] Unable to find registry key to set!"
exit 1
}
}
end {
$ScriptName = "CVE-2023-32019 Remediation"
$ScriptVariables = @(
[PSCustomObject]@{
name = "Undo"
calculatedName = "undo"
required = $false
defaultValue = $false
valueType = "CHECKBOX"
valueList = $null
description = "Whether or not to undo the registry fix."
}
)
}
