Microsoft's June 2023 Patch Tuesday updates include a fix (CVE-2023-32019) for an important Windows kernel vulnerability, but it is disabled by default. Here is everything you need to know, plus a script that will help you enable the fix on the different versions of Windows.
What is CVE-2023-32019?
Microsoft describes CVE-2023-32019 as a Windows kernel information disclosure vulnerability affecting several versions of Windows, including the latest releases of Windows 10, Windows Server and Windows 11. Exploiting it could let an attacker read the memory of a privileged process running on a server, and triggering it does not require administrator or other elevated privileges. It does, however, require the attacker to coordinate the attack with another privileged process run by another user on the system. Despite a relatively modest CVSS base score of 4.7/10, Microsoft has rated the vulnerability as Important. However, the fix included in the June 2023 updates requires an extra step to enable it.
Why is the fix for CVE-2023-32019 disabled by default?
Although Microsoft's support documentation is sparse, the company explains that mitigating this vulnerability carries a "potential breaking change". That is why it leaves it to users to enable the resolution manually in test environments and encourages them to watch closely for disruption before rolling the fix out more widely. Microsoft adds: "In a future release, this resolution will be enabled by default. We recommend that you validate this resolution in your environment. Then, as soon as it is validated, enable the resolution as soon as possible."
How to enable the fix for CVE-2023-32019 using PowerShell
To mitigate the vulnerability, users must set a registry value that depends on the Windows version they are running (each version requires a different value). Needless to say, this extra step has drawn complaints. To make things easier, our software product engineer Kyle Bohlander wrote the following script, which checks the operating system and applies the correct registry change where one applies. Note: this script is not limited to NinjaOne users; anyone can use it. However, as Microsoft advises, this fix should be deployed to test machines before being rolled out broadly and, as always, if you decide to run it, you do so at your own risk.
Script author: Kyle Bohlander, Software Product Engineer at NinjaOne
```powershell
#Requires -Version 5.1
<#
.SYNOPSIS
    This script will apply the registry fix suggested by Microsoft for CVE-2023-32019 for the particular OS the computer is run on.
    Please note not all OS's have a fix to apply!
    https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080
.DESCRIPTION
    This script will apply the registry fix suggested by Microsoft for CVE-2023-32019 for the particular OS the computer is run on.
    Please note not all OS's have a fix to apply!
    https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080
.EXAMPLE
    (No Parameters)

    Checking Windows Version....
    Desktop Windows Detected!
    Windows 10 identified!
    22H2 Detected!
    Set Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides\4103588492 to 1
    Successfully set registry key!

PARAMETER: -Undo
    Removes the registry key set for this fix. Script will error out if that registry key is not present.
.EXAMPLE
    -Undo

    Checking Windows Version....
    Desktop Windows Detected!
    Windows 10 identified!
    22H2 Detected!
    Undoing registry fix...
    Successfully removed registry fix!
.OUTPUTS
    None
.NOTES
    Release: Initial Release (6/15/2023)
    General notes
#>

[CmdletBinding()]
param (
    [Parameter()]
    [switch]$Undo
)

begin {
    # Tests that the script is elevated
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }

    # We want the script to check if it's running on a workstation or something else
    function Test-IsWorkstation {
        $OS = Get-CimInstance -ClassName Win32_OperatingSystem
        return $OS.ProductType -eq 1
    }

    # This will set the registry key and any preceding keys needed
    function Set-RegKey {
        param (
            $Path,
            $Name,
            $Value,
            [ValidateSet("DWord", "QWord", "String", "ExpandString", "Binary", "MultiString", "Unknown")]
            $PropertyType = "DWord"
        )
        if (-not $(Test-Path -Path $Path)) {
            # Check if path does not exist and create the path
            New-Item -Path $Path -Force | Out-Null
        }
        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)) {
            # Update property and print out what it was changed from and changed to
            $CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name
            try {
                Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "$Path\$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
        }
        else {
            # Create property with value
            try {
                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "Set $Path\$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
        }
    }

    # Is it Windows 10 or 11 or something else? (Windows 11 also reports major version 10, so the build number decides below.)
    $WindowsVersion = [System.Environment]::OSVersion.Version.Major
    # Current Build Number
    $BuildNumber = [System.Environment]::OSVersion.Version.Build

    # If Script Forms are used grab the input. The checkbox arrives as text, so only treat a non-"false" value as checked.
    if ($env:Undo -and $env:Undo -notlike "false") { $Undo = $true }
}
process {
    # If not elevated error out. Admin privileges are required to create HKLM registry keys
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }

    # Keeping the end user updated on the status
    Write-Host "Checking Windows Version...."
    if (Test-IsWorkstation) {
        Write-Host "Desktop Windows Detected!"
        # Depending on the version we'll want to check on a different set of build numbers
        switch ($WindowsVersion) {
            "10" {
                switch ($BuildNumber) {
                    "22621" {
                        Write-Host "Windows 11 identified!"
                        Write-Host "22H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides"
                        $name = "4237806220"
                        $value = "1"
                    }
                    "22000" {
                        Write-Host "Windows 11 identified!"
                        Write-Host "21H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides"
                        $name = "4204251788"
                        $value = "1"
                    }
                    "19045" {
                        # This sets us up to set the registry key depending on the current build and version.
                        Write-Host "Windows 10 identified!"
                        Write-Host "22H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides"
                        $name = "4103588492"
                        $value = "1"
                    }
                    "19044" {
                        Write-Host "Windows 10 identified!"
                        Write-Host "21H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides"
                        $name = "4103588492"
                        $value = "1"
                    }
                    "19042" {
                        Write-Host "Windows 10 identified!"
                        Write-Host "20H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides"
                        $name = "4103588492"
                        $value = "1"
                    }
                    "17763" {
                        Write-Host "Windows 10 identified!"
                        Write-Host "1809 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager"
                        $name = "LazyRetryOnCommitFailure"
                        $value = "0"
                    }
                    "14393" {
                        Write-Host "Windows 10 identified!"
                        Write-Host "1607 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager"
                        $name = "LazyRetryOnCommitFailure"
                        $value = "0"
                    }
                    default {
                        Write-Warning "Looks like you're either on an unsupported Windows build or one not supported by this script? (Only Win 11 22H2 and 21H2 and Win 10 22H2, 21H2, 20H2, 1809 and 1607 have a fix out!)"
                        Write-Warning "https://en.wikipedia.org/wiki/Windows_10_version_history"
                        Write-Warning "https://en.wikipedia.org/wiki/Windows_11_version_history"
                        Write-Error "[Error] This version of Windows cannot be remediated by this script? Please verify this https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080"
                        exit 1
                    }
                }
            }
            default {
                Write-Warning "Looks like you're on a version of Windows not supported by this script? (Only Windows 10 and 11 have a fix out!)"
                Write-Error "[Error] This version of Windows appears to not be applicable or cannot be remediated by this script? Please verify this https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080"
                exit 1
            }
        }
    }
    else {
        Write-Host "Windows Server Detected!"
        if (Get-ComputerInfo | Select-Object OSName | Where-Object { $_.OSName -like "*2022*" }) {
            $key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides"
            $name = "4137142924"
            $value = "1"
        }
        else {
            Write-Warning "Looks like you're on a version of Windows not supported by this script? (Only Server 2022 has a fix out!)"
            Write-Error "[Error] This version of Windows appears to not be applicable or cannot be remediated by this script? Please verify this https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080"
            exit 1
        }
    }

    if ($key -and -not $Undo) {
        Set-RegKey -Path $key -Name $name -Value $value -PropertyType DWord
        # Read the value back to confirm the change actually landed
        if ((Get-ItemPropertyValue -Path $key -Name $name -ErrorAction Ignore) -ne $value) {
            Write-Error "[Error] Unable to set registry key? Is something blocking the script?"
            exit 1
        }
        else {
            Write-Host "Successfully set registry key!"
            exit 0
        }
    }
    elseif ($Undo) {
        # Test for the value itself (-Name), not just the parent key: the parent key survives
        # Remove-ItemProperty, so testing the key alone would always report the undo as failed.
        if (Get-ItemProperty -Path $key -Name $name -ErrorAction Ignore) {
            Write-Host "Undoing registry fix..."
            Remove-ItemProperty -Path $key -Name $name
            if (Get-ItemProperty -Path $key -Name $name -ErrorAction Ignore) {
                Write-Error "[Error] Unable to undo registry fix!"
                exit 1
            }
            else {
                Write-Host "Successfully removed registry fix!"
                exit 0
            }
        }
        else {
            Write-Error "[Error] Registry Key not found? Did you already undo it?"
            exit 1
        }
    }
    else {
        Write-Error "[Error] Unable to find registry key to set!"
        exit 1
    }
}
end {
    $ScriptName = "CVE-2023-32019 Remediation"
    $ScriptVariables = @(
        [PSCustomObject]@{
            name           = "Undo"
            calculatedName = "undo"
            required       = $false
            defaultValue   = $false
            valueType      = "CHECKBOX"
            valueList      = $null
            description    = "Whether or not to undo the registry fix."
        }
    )
}
```
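Before and after rolling the script out, a read-only check is useful for auditing which hosts already have the mitigation active. The following is an added example, not part of Kyle Bohlander's script or NinjaOne's code; it reuses the build-to-value mapping from the script above, and the exit codes (0 enabled, 2 not enabled, 1 no mapping) are a convention chosen here.

```powershell
# Added example: report whether the CVE-2023-32019 mitigation from KB5028407 is active.
# Reads the registry only; changes nothing. Exit 0 = enabled, 2 = not enabled, 1 = no mapping.
$os            = Get-CimInstance -ClassName Win32_OperatingSystem
$build         = [int]$os.BuildNumber
$isWorkstation = ($os.ProductType -eq 1)

$overrides = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$cfgMgr    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'

# Build -> (key, value name, expected data), same mapping the remediation script uses
if ($isWorkstation) {
    switch ($build) {
        22621 { $path = $overrides; $name = '4237806220'; $expected = 1 }                          # Windows 11 22H2
        22000 { $path = $overrides; $name = '4204251788'; $expected = 1 }                          # Windows 11 21H2
        { $_ -in 19045, 19044, 19042 } { $path = $overrides; $name = '4103588492'; $expected = 1 } # Win 10 22H2/21H2/20H2
        { $_ -in 17763, 14393 } { $path = $cfgMgr; $name = 'LazyRetryOnCommitFailure'; $expected = 0 } # Win 10 1809/1607
    }
}
elseif ($os.Caption -like '*2022*') {
    $path = $overrides; $name = '4137142924'; $expected = 1                                        # Windows Server 2022
}

if (-not $path) {
    Write-Warning "Build $build ($($os.Caption)) has no mapping here; check KB5028407 manually."
    exit 1
}

# A missing value and a wrong value are both "not enabled"; only an exact match counts
$actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $actual) {
    Write-Output "NOT ENABLED: $path\$name is absent (expected $expected)."
    exit 2
}
elseif ($actual -eq $expected) {
    Write-Output "ENABLED: $path\$name = $actual."
    exit 0
}
else {
    Write-Output "NOT ENABLED: $path\$name = $actual (expected $expected)."
    exit 2
}
```

Run it as a scheduled compliance check and alert on any host returning 2 after the rollout window; a host returning 1 is one the mapping does not cover and needs a manual look at KB5028407.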