Microsoft has released an optional fix to address a Kernel information disclosure vulnerability affecting systems running multiple Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases.
While it has a medium severity range CVSS base score of 4.7/10, Redmond has tagged this security flaw (CVE-2023-32019) as important severity.
Reported by Google Project Zero security researcher Mateusz Jurczyk, the bug lets authenticated attackers access the heap memory of privileged processes running on unpatched devices.
While successful exploitation doesn't require threat actors to have administrator or other elevated privileges, it does depend on their ability to coordinate their attacks with another privileged process run by another user on the targeted system.
What makes the CVE-2023-32019 patch stand out from other security updates issued as part of the June 2023 Patch Tuesday is that it's disabled by default, even after applying this week's updates.
As Microsoft explains in a support document, you must make a registry change on vulnerable Windows systems to enable the fix.
"To mitigate the vulnerability associated with CVE-2023-32019, install the June 2023 Windows update or a later Windows update," Microsoft says.
"By default, the fix for this vulnerability is disabled. To enable the fix, you must set a registry key value based on your Windows operating system."
While Microsoft didn't provide additional details on why this fix is turned off by default, a spokesperson told BleepingComputer that "the update should be enabled by default in a future release."
However, it's unclear if enabling the fix may cause issues in the operating system, so it may be safer to test it on a few machines before performing a wide deployment.
How to enable the CVE-2023-32019 fix
Depending on the Windows version running on your device, you will have to add the following under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides registry key:
- Windows 10 20H2, 21H2, 22H2: Add a new DWORD registry value named 4103588492 with a value data of 1
- Windows 11 21H2: Add a new DWORD registry value named 4204251788 with a value data of 1
- Windows 11 22H2: Add a new DWORD registry value named 4237806220 with a value data of 1
- Windows Server 2022: Add a new DWORD registry value named 4137142924 with a value data of 1
On Windows 10 1607 and Windows 10 1809, you will have to add a new DWORD registry value named 'LazyRetryOnCommitFailure' with a valued data of 0 under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager registry key.
This is not the first time the company has issued an optional fix for a Windows security vulnerability.
Just last month, Microsoft said that a patch addressing the CVE-2023-24932 Secure Boot bug exploited by BlackLotus UEFI malware as a zero-day required additional manual steps besides installing the security update to remove the attack vector.
As explained at the time, Redmond is taking a phased approach to enforce the CVE-2023-24932 protections to reduce customer impact.
However, it's unclear if enabling the feature may cause issues in the operating system, so it may be safest to test it on a few machines before performing a wide deployment.
Microsoft also warned that there is no way to revert the changes once CVE-2023-24932 mitigations are fully deployed and enabled on a system.
Update June 16, 10:30 EDT: Microsoft says in an update to the CVE-2023-24932 guidance that the fix requires manual activation because it introduces a “potential breaking change.” However, they did not share any information on what it breaks.
"The resolution described in this article introduces a potential breaking change. Therefore, we are releasing the change disabled by default with the option to enable it," Microsoft says.
"In a future release, this resolution will be enabled by default. We recommend that you validate this resolution in your environment. Then, as soon as it is validated, enable the resolution as soon as possible."
Comments
NoneRain - 1 year ago
Microsoft not giving us proper info is nothing new.
The fact it's disabled for no apparent reason, is reason enough to be considered risky.
wpontius - 1 year ago
I don't have the ...\Microsoft\FeatureManagement\Overrides registry key, under Policies is Hardware\Bluetooth. Windows 11 Enterprise 22H2, Build 22621.1848. There is no way I am trying to add those without more information about what this does.
redwolfe_98 - 1 year ago
i applied the reg-tweak to my "windows 10 home" computer. the vulnerability seemed important so i wanted it to be addressed.
noelprg4 - 10 months ago
hi Sergiu.
Windows Kernel CVE-2023-32019 fix is now ENABLED by default starting with the release of the August 2023 updates as reported by Neowin:
https://www.neowin.net/news/microsoft-makes-potentially-breaking-windows-kernel-patch-default-after-an-earlier-warning/
Microsoft's support article mentioning CVE-2023-32019 has been updated to say the following:
"IMPORTANT The resolution described in this article has been released enabled by default. To apply the enabled by default resolution, install the Windows update that is dated on or after August 8, 2023. No further user action is required."