CVE-2022-35797 Overview
CVE-2022-35797 is a security feature bypass vulnerability affecting Windows Hello, Microsoft's biometric authentication feature for Windows 10 and Windows 11 systems. This vulnerability allows an attacker with physical access to a device to bypass Windows Hello authentication mechanisms, potentially gaining unauthorized access to protected systems and sensitive data.
Critical Impact
An attacker with physical access can bypass Windows Hello authentication, compromising device security and potentially accessing sensitive user data and credentials stored on the system.
Affected Products
- Microsoft Windows 10 versions 1809, 20H2, 21H1, and 21H2 (x86, x64, and ARM64 architectures)
- Microsoft Windows 11 (x64 and ARM64 architectures)
- Devices configured with Windows Hello biometric authentication
Discovery Timeline
- August 9, 2022 - CVE-2022-35797 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-35797
Vulnerability Analysis
This vulnerability resides in the Windows Hello security feature, which provides biometric authentication capabilities including facial recognition and fingerprint scanning. The security feature bypass allows an attacker who has physical access to a target device to circumvent the authentication controls that Windows Hello is designed to enforce.
The attack requires physical access to the vulnerable device, meaning remote exploitation is not possible. However, once an attacker has physical access, they can potentially bypass the biometric authentication mechanisms without proper credentials. This is particularly concerning for enterprise environments where devices may contain sensitive corporate data and credentials.
Root Cause
The vulnerability stems from an implementation flaw in Windows Hello's authentication verification process. The security feature fails to properly validate certain aspects of the authentication flow, allowing an attacker to manipulate the authentication process and gain access without presenting valid biometric credentials.
Attack Vector
The attack requires physical access to the target device. An attacker must be in proximity to the system and able to interact with the Windows Hello authentication interface. The exploitation does not require prior user privileges or user interaction beyond accessing the device. Upon successful exploitation, an attacker can achieve high impact to both confidentiality and integrity of the system, potentially accessing user data, credentials, and system resources.
Physical attack scenarios include:
- Stolen or lost laptops and tablets
- Unattended devices in public or shared spaces
- Insider threat scenarios with temporary physical access
- Supply chain attacks during device transit
Detection Methods for CVE-2022-35797
Indicators of Compromise
- Unexpected successful Windows Hello authentication events following device physical access by unauthorized personnel
- Authentication audit logs showing anomalous login patterns or timing inconsistencies
- Security event logs indicating Windows Hello authentication attempts outside normal user behavior patterns
Detection Strategies
- Monitor Windows Security Event logs for authentication events (Event ID 4624) with logon type indicating interactive sessions
- Implement physical security monitoring and access logging for sensitive device locations
- Configure Windows Hello for Business with enhanced audit policies to capture detailed authentication telemetry
Monitoring Recommendations
- Enable advanced auditing for Windows Hello authentication events in Windows Security policy
- Deploy endpoint detection and response (EDR) solutions capable of monitoring authentication subsystem behavior
- Correlate physical access badge logs with Windows authentication events to detect unauthorized physical access
How to Mitigate CVE-2022-35797
Immediate Actions Required
- Apply the Microsoft security update released in August 2022 to all affected Windows 10 and Windows 11 systems
- Review and enhance physical security controls for devices using Windows Hello authentication
- Consider implementing multi-factor authentication requirements beyond Windows Hello for accessing sensitive resources
- Audit devices for Windows Hello configuration and ensure firmware and drivers are updated
Patch Information
Microsoft has released security updates to address this vulnerability. Organizations should apply the patches available through Windows Update or the Microsoft Update Catalog. For detailed patch information and download links, refer to the Microsoft Security Update Guide for CVE-2022-35797.
Workarounds
- Implement additional authentication factors alongside Windows Hello to reduce single-point-of-failure risk
- Enable BitLocker disk encryption with PIN requirements to add a layer of protection for physical access scenarios
- Configure Windows Hello for Business with hardware-bound credentials where supported
- Apply strict physical security policies for devices containing sensitive data
# Verify Windows Hello status and configuration
# Run in elevated PowerShell
# Check Windows Hello configuration
Get-WmiObject -Namespace "root\cimv2\mdm\dmmap" -Class "MDM_PassportForWork"
# Verify BitLocker status as additional protection
manage-bde -status C:
# Review authentication policies
secedit /export /cfg C:\secpol.cfg
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
