Summary Summary

Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability.

This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.

To protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but disabled by default and will not provide protections. Customers will need to carefully follow manual steps to update bootable media and apply revocations before enabling this update.

We will be enforcing the protections in three phases to reduce customer and industry partner impact with existing Secure Boot while applying this change.

• May 9, 2023: The initial fix for CVE-2023-24932 is released. In this release, this fix requires the May 9, 2023, Windows Security Update and additional customer action to fully implement the protections.

• July 11, 2023: A second release will provide additional update options to simplify the deployment of the protections.

• First quarter 2024: This final release will enable the fix for CVE-2023-24932 by default and enforce bootmanager revocations on all Windows devices.

If these timelines change for any reason, this blog will be updated.

Why is Microsoft taking a phased approach to address this vulnerability? Why is Microsoft taking a phased approach to address this vulnerability?

The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up. The technical documentation referenced below provides implementation and testing guidance to limit potential impact at this time, and future release plans will allow Microsoft to simplify deployment without disruption.

Please follow the Microsoft Windows Secure Boot Guidance to implement the fix for CVE-2023-24932.

How do customers know if they are using Secure Boot? How do customers know if they are using Secure Boot?

From a Windows command prompt, enter msinfo32. If it shows Secure Boot State is ON, the system.

Note: The publicly known vulnerability does not present any additional risk if secure boot is not enabled, and no additional steps are required. We recommend that customers use Secure Boot to protect systems from tampering and bootkit class exploits and to keep their systems up to date with the latest Windows Updates.  For more information about the benefits of Secure Boot, see: Secure Boot and Trusted Boot.

Acknowledgement   Acknowledgement  

• We appreciate the opportunity to investigate the findings reported by Tomer Sne-or with SentinelOne and Martin Smolár from ESET which helped us harden the service, and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.

References References

• For more information, review the Windows Secure Boot Guidance for CVE-2023-24932

• Microsoft IR Guidance for investigating attacks using CVE-2022-21894: The BlackLotus Campaign

• Visit the Security Update Guide for information about CVE-2022-21894 and CVE-2023-24932

• Customers with any product support related needs should file a Microsoft Support case at https://support.microsoft.com/contactus