
KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

This article outlines the protection against the publicly disclosed Secure Boot security feature bypass involving the BlackLotus UEFI bootkit (CVE-2023-24932). It includes steps to enable the necessary mitigations and provides guidance on creating bootable media.

I will provide:

1. An overview of the CVE.
2. Prerequisite actions within the ADK.
3. Detection and remediation scripts for CVE-2023-24932.
4. Instructions for creating a WinPE Boot.wim file to support systems that have been remediated.
5. A breakdown of the ADK files changed and how to boot WinPE on systems that have not yet been remediated.

1. Secure Boot Security Feature Bypass Vulnerability CVE-2023-24932 (see MSRC)

CVE-2023-24932 is a security vulnerability involving the BlackLotus UEFI bootkit, which allows attackers to bypass Secure Boot protections. This vulnerability enables the execution of malicious code at the UEFI level, before the operating system loads, which can lead to persistent and evasive threats. Mitigations for this issue include updates to the Windows Boot Manager and to the Secure Boot configuration (the signature databases the firmware trusts). These updates are crucial for preventing unauthorized code from running during the boot process.

All Windows devices with Secure Boot protections enabled are affected by the BlackLotus bootkit.

2. Install the latest version of the ADK

To create Windows UEFI 2023 CA signed Windows PE boot media, you need to mount WinPE.wim and extract the Bootx64.efi that is Windows UEFI 2023 CA signed. See Microsoft's guide here to run the steps manually.

Alternatively, I have scripted the process to quickly apply all of the steps; see UpdateADK.ps1.

3. Microsoft has provided a guide to applying the mitigation here. NOTE: once the mitigation is applied, the computer will only boot USB media whose Bootx64.efi is Windows UEFI 2023 CA signed.

GaryTown has detailed the remediation and produced a Task Sequence zip; see here.

I suggest downloading this Task Sequence and testing it in your environment. Once applied, your computer will be protected from this CVE.
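Before rolling the Task Sequence out, it helps to be able to report which stages of the KB5025885 mitigation a machine has actually reached. The following PowerShell script is an added example written for this post; it is not the post's own script, GaryTown's Task Sequence, or Microsoft's code. It reads the Secure Boot `db` and `dbx` variables through the SecureBoot module, mounts the EFI system partition with `mountvol` to inspect the installed `bootmgfw.efi`, and reports the result. It assumes an x64 UEFI system, that the new boot manager's leaf certificate is issued by "Windows UEFI CA 2023", and that the certificate names appear as ASCII inside the signature lists (the same substring check the KB uses).

```powershell
#Requires -RunAsAdministrator
# Added example (not from this post or from Microsoft): report whether the
# CVE-2023-24932 mitigations described in KB5025885 are present on this machine.

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][ValidateSet('db', 'dbx')][string]$Name)
    # db/dbx hold EFI_SIGNATURE_LISTs of DER certificates and hashes; the CA
    # common names are stored as ASCII, so a substring match is enough for a report.
    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
}

function Get-EspBootManagerSignature {
    # Mount the EFI system partition at the highest free drive letter, read the
    # Authenticode signature of the installed boot manager, then unmount again.
    $free   = 67..90 | ForEach-Object { [char]$_ } | Where-Object { -not (Test-Path "$($_):\") }
    $letter = ($free | Select-Object -Last 1) + ':'
    mountvol $letter /s | Out-Null
    try {
        Get-AuthenticodeSignature -FilePath (Join-Path $letter 'EFI\Microsoft\Boot\bootmgfw.efi')
    }
    finally {
        mountvol $letter /d | Out-Null
    }
}

function Test-Kb5025885State {
    $sig = Get-EspBootManagerSignature
    [pscustomobject]@{
        SecureBootEnabled         = (Confirm-SecureBootUEFI)
        DbHasWindowsUefiCa2023    = (Get-SecureBootVariableText db)  -match 'Windows UEFI CA 2023'
        DbxRevokesProductionPca2011 = (Get-SecureBootVariableText dbx) -match 'Microsoft Windows Production PCA 2011'
        BootManagerSignatureValid = ($sig.Status -eq 'Valid')
        # Assumption: the 2023-signed boot manager's leaf cert is issued by "Windows UEFI CA 2023".
        BootManagerSignedBy2023CA = ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
    }
}

$state = Test-Kb5025885State
$state | Format-List

if ($state.DbHasWindowsUefiCa2023 -and $state.BootManagerSignedBy2023CA -and $state.DbxRevokesProductionPca2011) {
    Write-Host 'All KB5025885 mitigation stages appear to be applied: only Windows UEFI 2023 CA signed boot media will boot.'
}
else {
    Write-Host 'One or more mitigation stages are missing; compare the fields above with the KB5025885 steps.'
}
```

Run it elevated on a test machine before and after the Task Sequence: a machine that still reports `DbxRevokesProductionPca2011 = False` will still boot 2011 CA signed media, and a machine where all three checks are `True` is the case that needs the boot media built in step 4.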

4. Now that your system is protected from the CVE with Secure Boot enabled, you will need to use USB boot media with a Bootx64.efi that is Windows UEFI 2023 CA signed. I have produced a script that uses David Segura's OSD module to quickly create a ConfigMgr-ready Boot.wim.

After applying UpdateADK.ps1 from step 2, the New-OSDCloudWorkspace function will build a directory with a Bootx64.efi that is Windows UEFI 2023 CA signed.

I have scripted the process to quickly build a USB boot image; see Create_WinPE_WindowsUEFI2023CA signed.ps1.

5. ADK Files Changed

You can quickly change the Bootx64.efi back to the original that was Windows UEFI 2011 CA signed (see lines 42/43 of the script).
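The extraction in step 2 and the revert in step 5 are two halves of the same file swap, so the following PowerShell script, an added example that is not the post's UpdateADK.ps1 and not Microsoft's code, does both. It backs up the ADK media's 2011 CA signed `bootx64.efi`, mounts `winpe.wim` read-only with the Dism module, verifies that the boot manager inside the image really carries a Windows UEFI CA 2023 issued signature before copying it over, and restores the backup when run with `-Revert`. The ADK install path and `Media\EFI\Boot\bootx64.efi` are the ADK defaults; the in-image location `Windows\Boot\EFI_EX\bootmgfw_EX.efi` and the issuer name on the new boot manager's leaf certificate are assumptions to confirm against your ADK build.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's UpdateADK.ps1, not Microsoft's script): swap the ADK
# WinPE media's Bootx64.efi for the Windows UEFI 2023 CA signed boot manager that
# ships inside winpe.wim, keeping a backup so -Revert can restore the 2011 CA original.
param(
    [string]$AdkWinPE = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64',
    # Assumed location of the 2023 CA signed boot manager inside winpe.wim; verify on your ADK build.
    [string]$InImageBootMgr = 'Windows\Boot\EFI_EX\bootmgfw_EX.efi',
    [string]$MountDir = 'C:\WinPE_mount',
    [switch]$Revert
)

$wim     = Join-Path $AdkWinPE 'en-us\winpe.wim'
$bootx64 = Join-Path $AdkWinPE 'Media\EFI\Boot\bootx64.efi'
$backup  = "$bootx64.2011ca.bak"

function Test-SignedByWindowsUefiCa2023 {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Assumption: the leaf certificate on the new boot manager is issued by "Windows UEFI CA 2023".
    ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
}

if ($Revert) {
    # Step 5: put the Windows UEFI 2011 CA signed Bootx64.efi back for machines not yet remediated.
    if (-not (Test-Path $backup)) { throw "No backup found at $backup; nothing to revert." }
    Copy-Item -Path $backup -Destination $bootx64 -Force
    Write-Host "Restored 2011 CA signed Bootx64.efi from $backup"
    return
}

# Step 2: keep the first (2011 CA signed) copy so the swap is reversible.
if (-not (Test-Path $backup)) { Copy-Item -Path $bootx64 -Destination $backup }

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Index 1 -Path $MountDir -ReadOnly | Out-Null
try {
    $src = Join-Path $MountDir $InImageBootMgr
    if (-not (Test-Path $src)) {
        throw "Boot manager not found at $InImageBootMgr inside $wim; check the assumed path for this ADK build."
    }
    if (-not (Test-SignedByWindowsUefiCa2023 -Path $src)) {
        throw "$src is not signed under Windows UEFI CA 2023; refusing to replace $bootx64."
    }
    Copy-Item -Path $src -Destination $bootx64 -Force
    Write-Host "Replaced $bootx64 with the Windows UEFI 2023 CA signed boot manager (backup: $backup)"
}
finally {
    # Read-only mounts must be discarded rather than committed.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}
```

The signature check is the part worth keeping even if you adapt the paths: a media build that silently copies a 2011 CA signed file onto the USB stick will boot fine on an unremediated machine and fail only once the DBX revocation from step 3 lands, which is the confusing failure this post is about.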


References:

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

CVE-2023-24932 - Security Update Guide - Microsoft - Secure Boot Security Feature Bypass Vulnerability

Create a WinPE bootable USB drive - https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive?view=windows-11

Local Setup | OSDCloud.com
