KB5025885: Secure boot hardening against vulnerability CVE-2023-24932 (Black Lotus)

[German]Microsoft has also released support post KB5025885 for the May 2023 patchday. This post explains how administrators and users need to secure Secure Boot in Windows against the Black Lotous boot kit vulnerability CVE-2023-24932. This vulnerability is exploited by the Black Lotus gang to bypass Secure Boot and compromise systems.

Vulnerability CVE-2023-24932

Vulnerability CVE-2023-24932 relates to a vulnerability in Secure Boot in Windows operating systems that allows untrusted software to execute during startup. The vulnerability is publicly known and was previously exploited as a zero-day vulnerability before a patch was available.

This is because security researchers from ESET have discovered a malware called BlackLotus in the wild that hijacks the UEFI (see the blog post BlackLotus UEFI bootkit bypasses Secure Boot in Windows 11). The UEFI bootkit uch disables Defender or Bitlocker and HVCI in Windows.

To exploit this vulnerability, an attacker must have administrative privileges or physical access to the vulnerable device, which is why Microsoft has rated this vulnerability as "less likely" according to the Microsoft Exploitability Index (see Microsoft Security Update Summary (May 9, 2023)). However, the vulnerability has received a CVEv3 score of 6.7.

Mitigation CVE-2023-24932

As of May 9, 2023, Microsoft then released security updates to close the CVE-2023-24932 vulnerability for supported Windows systems. The updates are listed in Microsoft's CVE post as well as in the Patchday posts linked at the end of the article.

In support post KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932, Microsoft advises all customers to install the May 9, 2023 Windows security updates. However, installing the update in question is not enough, users must take additional steps to implement the vulnerability for the publicly disclosed Secure Boot bypass used by the BlackLotus UEFI bootkit that requires physical or administrative access to the device.

Support article KB5025885 contains the appropriate instructions to secure systems against BlackLotos with subsequent steps.

1. INSTALL the May 9, 2023, updates on all supported versions and then restart the device before applying the revocations.
2. UPDATE your bootable media with Windows updates released on or after May 9, 2023. If you do not create your own media, you will need to get the updated official media from Microsoft or your device manufacturer (OEM).
3. APPLY revocations to protect against the vulnerability in CVE-2023-24932.

However, caution is advised. This is because once the workarounds for this problem are enabled on a device, that is, the revocations for the Secure Boot entries have been applied, this cannot be undone if Secure Boot continues to be used on that device. Even reformatting the medium cannot remove the revocations of the performed Secure Boot entries. Anyone going down this road should be aware of the possible implications and test thoroughly before applying the revocations described in the Microsoft article to systems.

Microsoft has since made several additions to the support post – and there is a second post KB5027455: Guidance for blocking vulnerable Windows boot managers, that addresses blocking entries in the dbx. Via Twitter I came across the blog post PS Script to Update Boot images with CU-CVE-2023-24932 by MVP Jörgen Nilsson, which gives some more hints on how the boot image could be changed via script.

Similar articles:
Microsoft Security Update Summary (May 9, 2023)
Patchday: Windows 10-Updates (May 9, 2023)
Patchday: Windows 11/Server 2022-Updates (May 9, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (May 9, 2023)
BlackLotus UEFI bootkit bypasses Secure Boot in Windows 11