Skip to main content

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

By

This article outlines the protection against the publicly disclosed Secure Boot security feature bypass involving the BlackLotus UEFI bootkit (CVE-2023-24932). It includes steps to enable the necessary mitigations and provides guidance on creating bootable media.

I will provide:


  1. - An overview of the CVE issue.
  2. - Pre-requisite actions within ADK.
  3. - Detection and remediation scripts for CVE-2023-24932.
  4. - Instructions for creating a WinPE Boot.wim file to support systems that have undergone remediation.
  5. - A breakdown of the files changed and how to boot WinPE to support systems before remediation.


1. Secure Boot Security Feature Bypass Vulnerability CVE-2023-24932 see MSRC

CVE-2023-24932 is a security vulnerability involving the BlackLotus UEFI bootkit, which allows attackers to bypass Secure Boot protections. This vulnerability enables the execution of malicious code at the UEFI level, potentially leading to persistent and evasive threats. Mitigations for this issue include updates to the Windows Boot Manager and Secure Boot configurations. These updates are crucial for preventing unauthorized code from running during the boot process

All Windows devices with Secure Boot protections enabled are affected by the BlackLotus bootkit.

2. Install the latest version of ADK 
To create Windows UEFI 2023 CA signed Windows PE boot media you need to mount the WinPE.wim and extract the Bootx64.efi that is Windows UEFI 2023 CA signed. See Microsoft here to run the step manually.

Alternatively I have scripted the process to quickly apply all steps see UpdateADK.PS1 

3. Microsoft have provide a guide to apply the mitigation here. NOTE: once applied the computer will only be able to use USB boot media with Bootx64.efi that is Windows UEFI 2023 CA signed.

GaryTown has detailed the Remediation and produced a Task Sequence zip see here

I suggest downloading this Task Sequence and testing in your environment. Once applied your computer will be protected from this CVE.

4. Now that your system is protected from the CVE with Secure Boot Enabled, you will need to use USB Boot Media with Bootx64.efi that is Windows UEFI 2023 CA signed.  I have produced a script that used David Segura's OSD Module to quickly create a ConfigMgr ready Boot.wim. 

After applying the UpdateADK.ps1 in step 2 the New-OSDCloudWorkspace function will build a directory with Bootx64.efi that is Windows UEFI 2023 CA signed. 

 I have scripted the process to quickly build a USB Boot image see Create_WinPE_WindowsUEFI2023CA signed.ps1

5. ADK Files Changed


You can quickly change the Bootx64.efi back to the original that was Windows UEFI 2011 CA signed (See lines  42/43)


References:
KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

CVE-2023-24932 - Security Update Guide - Microsoft - Secure Boot Security Feature Bypass Vulnerability

https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive?view=windows-11 

Local Setup | OSDCloud.com




Comments

Post a Comment

Popular posts from this blog

SCCM Unknown computer not able to see Task Sequences after installing Current Branch 1702

By
Soon after installing SCCM CB 1702 we were unable to see Task Sequences deployed to the unknown collection. This issue was identified as a random system taking the GUID of the 'x64 Unknown Computer (x64 Unknown Computer)' record. As a result it was now a known GUID; as we were only deploying Task Sequences to the Unknown collection none were made available. 'x64 Unknown Computer (x64 Unknown Computer)' record 'x86 Unknown Computer (x86 Unknown Computer)' record To get the GUID of your unknown systems open SQL management studio and run the following command: --Sql Command to list the name and GUID for UnknownSystems record data select ItemKey, Name0,SMS_Unique_Identifier0 from UnknownSystem_DISC Using the returned GUID (SMS_Unique_Identifier0) we can find the hostname that has been assigned the 'x64 Unknown Computer (x64 Unknown Computer)' GUID by running the query below. --x64 Unknown Computers select Name0,SMS_Unique_Identifier0,Decommissioned0 from Sys...
167 comments
Read more

Blackberry How to factory reset your device.

By
Here's how to FACTORY RESET the device. Install Blackberry Desktop Manager on a PC.  Connect the Blackberry to the PC with a USB cable. From a DOS prompt (command) window on the users PC (from Start - Run  type cmd <OK>  then change directory path to: C:\Program Files\Common Files\Research In Motion\Apploader     by typing cd\ (enter)  followed by cd Program Files (enter) then cd Common Files (enter)  etc etc Run the command:   Loader.exe /resettofactory That will bring the Blackberry back to the state it should be in when you get a brand new one out of the box.
Post a Comment
Read more