
The world of Windows vulnerabilities is vast, but not all of them get the attention they deserve. One such under-the-radar issue is CVE-2022-21985. This vulnerability affects the Remote Access Connection Manager (RasMan) and can lead to information disclosure. In this article, we'll break down what this CVE is, how it affects Windows systems, reference official resources, and even touch on how an attacker might attempt to exploit it with a practical example.

What is Windows Remote Access Connection Manager (RasMan)?

Windows Remote Access Connection Manager, known as RasMan, is a service that manages dial-up and VPN connections from the Windows operating system. It’s a core part of how Windows creates remote access links and can be found in nearly all versions of the OS.

What’s the Problem? (The Vulnerability Explained)

CVE-2022-21985 is categorized as an Information Disclosure Vulnerability. In plain terms, it means there’s a bug that might let a user or malware get access to sensitive information they shouldn’t have.

The flaw exists because RasMan improperly handles memory when processing specific Remote Procedure Calls (RPCs). If an attacker can run code locally and interact with RasMan in a certain way, they can potentially read information from elsewhere in memory—possibly including credentials or other valuable data.

Who’s Affected?

Any supported version of Windows that’s missing the official patch is at risk, especially in enterprise environments where VPN connections are common.

Official References

- Microsoft Security Guide: CVE-2022-21985
- NVD - CVE-2022-21985

Technical Details

The vulnerability revolves around how the RasMan service handles certain RPC requests. When a request is poorly formed or crafted with malicious intent, it can cause the service to leak memory contents back to the caller.

Hypothetical Exploit Scenario

Suppose an attacker already has code execution on the machine (even as a regular user). They could write a small client that connects to the RasMan service via RPC, sends crafted requests, and collects any leaked data.

Example: Checking Whether the RasMan Service Is Running in PowerShell

*(This code doesn't exploit the vulnerability, and it does not open an RPC connection to RasMan. It only asks the Service Control Manager whether the RasMan service is running, which is a first step in understanding how one might talk to the service.)*

# Check whether the RasMan service is running. This goes through the Service
# Control Manager (ServiceController), not through RasMan's own RPC interface.
# ServiceController lives in System.ServiceProcess.dll, which Add-Type does not
# reference by default, so it is passed via -ReferencedAssemblies.
Add-Type -TypeDefinition @"
using System;
using System.ServiceProcess;
public class RasManChecker {
    public static bool IsRasManRunning() {
        // Dispose the handle after the status query
        using (ServiceController sc = new ServiceController("RasMan")) {
            return sc.Status == ServiceControllerStatus.Running;
        }
    }
}
"@ -ReferencedAssemblies System.ServiceProcess

if ([RasManChecker]::IsRasManRunning()) {
    Write-Host "RasMan service is running."
} else {
    Write-Host "RasMan service is NOT running."
}

If RasMan is running, a more malicious script could try to send malformed RPC requests to it to exploit the vulnerability.

Exploit Concept in Pseudocode

// Pseudocode Only: Demonstrates the logic, not a working exploit

connect_to_rasman_service();
for (int i = 0; i < 100; i++) {
    send_malformed_rpc_request();
    leaked_data = get_service_response();
    if (contains_sensitive_info(leaked_data)) {
        print("Sensitive data found:", leaked_data);
    }
}

What To Do: Patch!

If you manage Windows systems, patching is critical. Microsoft released fixes in their monthly updates, so ensure your devices are up-to-date.

Patch Link:  
Download official Microsoft fix for CVE-2022-21985
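The following PowerShell script is an added example for the patch-verification step above; it is not from the original article and not Microsoft's tooling. It reports the RasMan service state and start mode, lists updates installed since the February 2022 monthly release, checks for a specific KB once you have looked it up, and prints the OS build for comparison with the advisory. Two things are assumptions: the cutoff date 2022-02-08 (the February 2022 Patch Tuesday) and the `$ExpectedKb` value, which is a placeholder to be replaced with the KB number from Microsoft's advisory for your Windows build.

```powershell
# Added example (not from the original article): defender-side checks for CVE-2022-21985.
# Assumptions, labelled here: $PatchReleaseDate is the February 2022 monthly update date,
# and $ExpectedKb is a PLACEHOLDER that must be replaced with the KB from the MSRC advisory.

$PatchReleaseDate = Get-Date '2022-02-08'   # assumption: Feb 2022 Patch Tuesday
$ExpectedKb       = 'KB<placeholder>'        # placeholder: look up the KB for your build

# 1. RasMan service state and start mode. Hosts that never use dial-up or VPN
#    can set the start mode to Disabled, which removes this attack surface.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RasMan'"
if (-not $svc) {
    Write-Output 'RasMan service not present on this host.'
} else {
    Write-Output ("RasMan state: {0}, start mode: {1}" -f $svc.State, $svc.StartMode)
}

# 2. Updates installed on or after the release date. Get-HotFix reads
#    Win32_QuickFixEngineering; InstalledOn can be empty on some builds, so
#    entries without a date are skipped rather than treated as recent.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchReleaseDate }
if ($recent) {
    Write-Output 'Updates installed on or after the release date:'
    $recent | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning 'No updates installed since the release date; host is likely unpatched.'
}

# 3. Explicit KB check, once the placeholder has been replaced with a real KB id.
if ($ExpectedKb -notmatch '^KB\d+$') {
    Write-Output 'Set $ExpectedKb to the KB from the MSRC advisory to check it explicitly.'
} elseif (Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue) {
    Write-Output "$ExpectedKb is installed."
} else {
    Write-Warning "$ExpectedKb is NOT installed."
}

# 4. OS caption and build number, for correlating with the fixed builds in the advisory.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output ("OS: {0} build {1}" -f $os.Caption, $os.BuildNumber)
```

Run it in an elevated PowerShell session on the host being assessed. The date-based check in step 2 is a heuristic: `InstalledOn` records when an update was applied, not which month it belongs to, so a host that installed an older cumulative update after the cutoff would still appear recent. Step 3 with the real KB number, or the build-number comparison in step 4, is the authoritative check.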

Final Thoughts

CVE-2022-21985 won’t make headlines like a major RCE or ransomware flaw, but it’s a critical reminder: even “minor” bugs can leak valuable data in the right hands. Make sure your security teams are aware of these underappreciated issues and keep your fleet patched.


Timeline

Published on: 02/09/2022 17:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC