Headline
Guidance related to Secure Boot Manager changes associated with CVE-2023-24932
Summary Summary Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability. This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
Summary Summary
Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability.
This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.
To protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but disabled by default and will not provide protections. Customers will need to carefully follow manual steps to update bootable media and apply revocations before enabling this update.
We will be enforcing the protections in three phases to reduce customer and industry partner impact with existing Secure Boot while applying this change.
May 9, 2023: The initial fix for CVE-2023-24932 is released. In this release, this fix requires the May 9, 2023, Windows Security Update and additional customer action to fully implement the protections.
July 11, 2023: A second release will provide additional update options to simplify the deployment of the protections.
First quarter 2024: This final release will enable the fix for CVE-2023-24932 by default and enforce bootmanager revocations on all Windows devices.
If these timelines change for any reason, this blog will be updated.
Why is Microsoft taking a phased approach to address this vulnerability? Why is Microsoft taking a phased approach to address this vulnerability?
The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up. The technical documentation referenced below provides implementation and testing guidance to limit potential impact at this time, and future release plans will allow Microsoft to simplify deployment without disruption.
Please follow the Microsoft Windows Secure Boot Guidance to implement the fix for CVE-2023-24932.
How do customers know if they are using Secure Boot? How do customers know if they are using Secure Boot?
From a Windows command prompt, enter msinfo32. If it shows Secure Boot State is ON, the system.
Note: The publicly known vulnerability does not present any additional risk if secure boot is not enabled, and no additional steps are required. We recommend that customers use Secure Boot to protect systems from tampering and bootkit class exploits and to keep their systems up to date with the latest Windows Updates. For more information about the benefits of Secure Boot, see: Secure Boot and Trusted Boot.
**Acknowledgement Acknowledgement **
- We appreciate the opportunity to investigate the findings reported by Tomer Sne-or with SentinelOne and Martin Smolár from ESET which helped us harden the service, and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.
References References
For more information, review the Windows Secure Boot Guidance for CVE-2023-24932
Microsoft IR Guidance for investigating attacks using CVE-2022-21894: The BlackLotus Campaign
Visit the Security Update Guide for information about CVE-2022-21894 and CVE-2023-24932
Customers with any product support related needs should file a Microsoft Support case at https://support.microsoft.com/contactus
Related news
Microsoft patched a record number of 147 new CVEs this month, though only three are rated "Critical."
Improper Access Control in SMI handler vulnerability in Phoenix SecureCore™ Technology™ 4 allows SPI flash modification. This issue affects SecureCore™ Technology™ 4: * from 4.3.0.0 before 4.3.0.203 * from 4.3.1.0 before 4.3.1.163 * from 4.4.0.0 before 4.4.0.217 * from 4.5.0.0 before 4.5.0.138
It's unclear why the NSA issued in-depth mitigation guidance for the software boot threat now, but orgs should take steps to harden their environments.
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. To that end, the agency is recommending that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition." BlackLotus is an advanced
Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.
Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2023, including vulnerabilities that were added between April and May Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. It’s been a […]
A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations and potentially putting personal information at risk.
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft Tags: CVE-2023-29336 Tags: CVE-2023-24932 Tags: bootkit Tags: CVE-2023-29325 Tags: Outlook Tags: preview Tags: CVE-2023-24941 Tags: Apple Tags: Cisco Tags: Google Tags: Android Tags: VMWare Tags: SAP Tags: Mozilla Microsoft's Patch Tuesday round up for May 2023 includes patches for three zero-day vulnerabilities and one critical remote code execution vulnerability (Read more...) The post Update now! May 2023 Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited this vulnerability could bypass Secure Boot.
BlackLotus is the first in-the-wild malware to exploit a vulnerability in the Secure Boot process on Windows, and experts expect copycats and imminent increased activity.
By Deeba Ahmed Security firm ESET’s cybersecurity researchers have shared their analysis of the world’s first UEFI bootkit being used in… This is a post from HackRead.com Read the original post: BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows
A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot, making it a potent threat in the cyber landscape. "This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News. UEFI