Exploiting this flaw lets an attacker install additional programs or modify existing ones. In some cases the adversary can execute malicious code or obtain access to sensitive information. The vulnerability can be exploited remotely over a network, or by exploiting other vulnerabilities on the target system.

Most of the systems CrowdStrike has tested are Windows-based. The Falcon Uninstallation Handler vulnerability is documented in the vendor's official documentation, which also provides a technical description of the problem and the available workarounds.

Vulnerability overview

Falcon Uninstallation Handler is a vulnerability in Microsoft's Windows Installer package, the installer that lets Windows users install software from CD or DVD media. An attacker who exploits it gains the privilege level of the logged-in user and can manipulate the system further. If exploited remotely over a network, it could allow remote code execution.

Installing the Falcon Uninstallation Handler

The attack vector is a vulnerability in a Windows system file. One of the most common ways to trigger it is by installing a malicious application that carries the payload; the vulnerability is exploited automatically if the user has low privileges on the computer.
There are many ways to install such an application, some more reliable than others.

One way is to exploit another Windows flaw to obtain remote code execution (RCE), then run the payload with the privileges obtained:
- Create a new process on the target machine with elevated permissions and impersonate the targeted user account.
- Wait for the targeted user account to log in and make sure its session is active, then drop into it using RCE or modifying an existing session.
- When logged in with RCE, use an existing local administrative privilege escalation flaw to elevate your privileges on that machine as well as other machines in the same domain/forest via Remote Desktop Protocol (RDP).

Falcon Uninstallation Handler Vulnerability

The Falcon Uninstallation Handler vulnerability is one of the most concerning security flaws of recent years. It allows attackers to bypass Windows Defender's application whitelisting, with the impact described above: installing or modifying programs, executing malicious code, or gaining access to sensitive information, whether exploited remotely or through other vulnerabilities on the target system.
The Falcon Uninstallation Handler is a Windows service that handles some of the actions involved in uninstalling third-party software. If an attacker tricks an uninstall routine into running one of these malicious payloads, the code executes and allows remote code execution on the vulnerable system.
It is important to update your systems as soon as possible, because this vulnerability has been used in targeted attacks against specific organizations and individuals.

Installing the CrowdStrike Falcon Uninstallation Handler

CrowdStrike provides an installer for the Falcon Uninstallation Handler. Installing this tool allows you to:
- Install the CrowdStrike Falcon Uninstallation Handler
- Read about how it works
- Read about common mitigations for the vulnerability
- View a list of all related CVEs
- Set up CrowdStrike's automated update system to ensure that your system is always protected

Falcon Uninstallation Handler (CVE-2022-2841)

The Falcon Uninstallation Handler (CVE-2022-2841) is a Windows system service that handles the uninstallation of programs. The impact is as stated above: an attacker can install additional programs or modify existing ones, in some cases execute malicious code or obtain access to sensitive information, either remotely over a network or by exploiting other vulnerabilities on the target system.

Timeline

Published on: 08/22/2022 08:15:00 UTC
Last modified on: 08/23/2022 16:34:00 UTC
