This Blog Post intends to highlight a “proceed with caution” towards implementation of Microsoft KB5025885 associated with CVE-2023-24932 introduced in April 2024. KB5025885 is not routine and must be acted upon with convincing knowledge of its content and with caution.
Included are baseline KB5025885 Microsoft Article information with personal annotations. The link to the complete KB5025885 article for a full read is provided below.
A note regarding my edits within this Blog Post:
- To distinguish my personalized comments from the source material, authentic Microsoft KB, CVE, etc…, my write-ups are boxed in by the pound sign (#). In no way do I wish to suggest that I alter the true message delivered in source documentation but merely add my commentary to the subject matter.
I hope that I have reached and achieved my goal in writing this Blog Post.
Steve LaBeau
Impacted Microsoft Operating Systems:
IMPORTANT: You should apply the Windows security update released on or after April 9, 2024, as part of your regular monthly update process.
This article applies to those organizations who should begin evaluating mitigations for a publicly disclosed Secure Boot bypass leveraged by the BlackLotus UEFI bootkit. Additionally, you might want to take a proactive security stance or to start to prepare for the rollout. Note that this malware requires physical or administrative access to the device.
################################################################
Steve LaBeau Comment #1
More About BlackLotus: Embedding “The Hacker News” article “BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11”
I have captured contributions immediately below from “The Hacker News” article titled, “BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11 below dated March 1, 2023. Full credit is acknowledged to “The Hacker News” for the provided information. The link to the complete article is below.
“Offered for sale at $5,000 (and $200 per new subsequent version), the powerful and persistent toolkit is programmed in Assembly and C and is 80 kilobytes in size. It also features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.”
“BlackLotus, in a nutshell, exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to get around UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update.”
“A successful exploitation of the vulnerability, according to ESET, allows arbitrary code execution during early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled *without having physical access to it.”
################################################################
*Steve LaBeau Comment #2:
Note: At the time of this writing the literal information from Microsoft KB5025885 and the “The Hacker News” articles appear to be different with their message. The Microsoft KB5025885 states, “Note that this malware requires physical or administrative access to the device.” The Hacker News article reads, “permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled *without having physical access to it.”
<End of “The Hacker News” article “BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11“> excerpts.
################################################################
CAUTION: After the mitigation for this issue is enabled on a device, meaning the mitigations have been applied, it cannot be reverted if you continue to use Secure Boot on that device. Even reformatting of the disk will not remove the revocations if they have already been applied. Please be aware of all the possible implications and test thoroughly before you apply the revocations that are outlined in this article to your device.
Summary
This article describes the protection against the publicly disclosed Secure Boot security feature bypass that uses the BlackLotus UEFI bootkit tracked by CVE-2023-24932, how to enable the mitigations, and guidance on bootable media. A bootkit is a malicious program that is designed to load as early as possible in a devices boot sequence to control the operating system start.
Secure Boot is recommended by Microsoft to make a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel Trusted Boot sequence. Secure Boot helps prevent bootkit malware in the boot sequence. Disabling Secure Boot puts a device at risk of being infected by bootkit malware. Fixing the Secure Boot bypass described in CVE-2023-24932 requires revoking boot managers. This could cause issues for some device boot configurations.
Mitigations against the Secure Boot bypass detailed in CVE-2023-24932 are included in the Windows security updates that were released on or after April 9, 2024. However, these mitigations are not enabled by default. With these updates, we recommend that you begin evaluating these changes within your environment. The complete schedule is described in the Timing of updates section.
Take Action
For this release, the following steps should be followed:
Step 1: Install the Windows security update released on or after April 9, 2024, on all supported versions.
Step 2: Evaluate the changes and how they affect your environment.
Step 3: Enforce the changes.
Firmware Issues: When Windows applies the mitigations described in this article, it must rely on the UEFI firmware of the device to update the Secure Boot values (the updates are applied to the Database Key (DB) and the Forbidden Signature Key (DBX)). In some cases, we have experience with devices that fail the updates. We are working with device manufacturers to test these key updates in as many devices as possible.
|
NOTE Please first test these mitigations on a single device per device class in your environment to detect possible firmware issues. Do not deploy broadly before confirming all the device classes in your environment have been evaluated.
BitLocker: |
BitLocker Recovery: Some devices may go into BitLocker recovery. Be sure to retain a copy of BitLocker recovery key Finding your BitLocker recovery key in Windows – Microsoft Support before enabling the mitigations. |
Known Issues
Firmware Issues: Not all device firmware will successfully update the Secure Boot DB or DBX. In the cases that we are aware of, we have reported the issue to the device manufacturer. See KB5016061: Secure Boot DB and DBX variable update events for details on logged events. Please contact the device manufacturer for firmware updates. If the device is not in support, Microsoft recommends upgrading the device.
Guidelines for this release
For this release, follow these two steps.
Step 1: Install the Windows security update
Install the Windows monthly security update released on or after April 9, 2024, on supported Windows devices. These updates include mitigations for CVE-2023-24932 but are not enabled by default. All Windows devices should complete this step whether or not you plan to deploy the mitigations.
Step 2: Evaluate the changes
We encourage you to do the following:
- Understand the first two mitigations that allow updating the Secure Boot DB and updating the boot manager.
- Review the updated schedule.
- Begin testing the first two mitigations against representative devices from your environment.
- Begin planning for the deployment phase coming July 9, 2024.
Step 3: Enforce the changes
We encourage you to understand the risks called out in the Understanding the Risks section.
- Understand the impact to recovery and other bootable media.
- Begin testing the third mitigation that untrusts the signing certificate used for all previous Windows boot managers.
Timing of updates
Updates are released as follows:
- Initial Deployment This phase started with updates released on May 9, 2023, and provided basic mitigations with manual steps to enable those mitigations.
- Second Deployment This phase started with updates released on July 11, 2023, which added simplified steps to enable the mitigations for the issue.
- Evaluation Phase This phase will start April 9, 2024, and will add additional boot manager mitigations.
- Final Deployment Phase This is when we will encourage all customers to begin deploying the mitigations and updating media.
- Enforcement Phase The Enforcement Phase that will make the mitigations permanent. The date for this phase will be announced at a later date.
Note The release schedule may be revised as needed.