[German]Microsoft has also released support post KB5025885 for the May 2023 patchday. This post explains how administrators and users need to secure Secure Boot in Windows against the Black Lotous boot kit vulnerability CVE-2023-24932. This vulnerability is exploited by the Black Lotus gang to bypass Secure Boot and compromise systems.
Advertising
Vulnerability CVE-2023-24932
Vulnerability CVE-2023-24932 relates to a vulnerability in Secure Boot in Windows operating systems that allows untrusted software to execute during startup. The vulnerability is publicly known and was previously exploited as a zero-day vulnerability before a patch was available.
This is because security researchers from ESET have discovered a malware called BlackLotus in the wild that hijacks the UEFI (see the blog post BlackLotus UEFI bootkit bypasses Secure Boot in Windows 11). The UEFI bootkit uch disables Defender or Bitlocker and HVCI in Windows.
To exploit this vulnerability, an attacker must have administrative privileges or physical access to the vulnerable device, which is why Microsoft has rated this vulnerability as "less likely" according to the Microsoft Exploitability Index (see Microsoft Security Update Summary (May 9, 2023)). However, the vulnerability has received a CVEv3 score of 6.7.
Mitigation CVE-2023-24932
As of May 9, 2023, Microsoft then released security updates to close the CVE-2023-24932 vulnerability for supported Windows systems. The updates are listed in Microsoft's CVE post as well as in the Patchday posts linked at the end of the article.
In support post KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932, Microsoft advises all customers to install the May 9, 2023 Windows security updates. However, installing the update in question is not enough, users must take additional steps to implement the vulnerability for the publicly disclosed Secure Boot bypass used by the BlackLotus UEFI bootkit that requires physical or administrative access to the device.
Advertising
Support article KB5025885 contains the appropriate instructions to secure systems against BlackLotos with subsequent steps.
- INSTALL the May 9, 2023, updates on all supported versions and then restart the device before applying the revocations.
- UPDATE your bootable media with Windows updates released on or after May 9, 2023. If you do not create your own media, you will need to get the updated official media from Microsoft or your device manufacturer (OEM).
- APPLY revocations to protect against the vulnerability in CVE-2023-24932.
However, caution is advised. This is because once the workarounds for this problem are enabled on a device, that is, the revocations for the Secure Boot entries have been applied, this cannot be undone if Secure Boot continues to be used on that device. Even reformatting the medium cannot remove the revocations of the performed Secure Boot entries. Anyone going down this road should be aware of the possible implications and test thoroughly before applying the revocations described in the Microsoft article to systems.
Microsoft has since made several additions to the support post – and there is a second post KB5027455: Guidance for blocking vulnerable Windows boot managers, that addresses blocking entries in the dbx. Via Twitter I came across the blog post PS Script to Update Boot images with CU-CVE-2023-24932 by MVP Jörgen Nilsson, which gives some more hints on how the boot image could be changed via script.
Similar articles:
Microsoft Security Update Summary (May 9, 2023)
Patchday: Windows 10-Updates (May 9, 2023)
Patchday: Windows 11/Server 2022-Updates (May 9, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (May 9, 2023)
BlackLotus UEFI bootkit bypasses Secure Boot in Windows 11
Advertising
Do you are anyone have an insight as to what this update will do to a Windows 10 22h2 installation to a machine that does not have UEFI and does not support Secure Boot? We have some Intel iMacs and don't want to apply the update and find that it bricks them.
If UEFI and Secure Boot is not active, this update will not affect the system. But in the other hand, your devices are fully exposed to not only the BlackLotus Rootkits, but any Rootkit that might come in your way.
Apologies for what may seem a simple question, but there seems to be a lot of "noise" on forums surrounding this issue, yet I'm struggling to establish whether anything is required on an established Windows 11 installation. In short, does this issue only apply to bootable media (e.g. USB etc) or is action required on a fully patched Windows 11 Machine (using Secure Boot). If nothing is performed on these devices, then will these machines start failing to boot (or similar) in future? Thanks.
It should not fail to boot in future in my opinion – machines only are not hardened against Black Lotus.
Thanks very much 👍