Skip to main content

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

By

This article outlines the protection against the publicly disclosed Secure Boot security feature bypass involving the BlackLotus UEFI bootkit (CVE-2023-24932). It includes steps to enable the necessary mitigations and provides guidance on creating bootable media.

I will provide:


  1. - An overview of the CVE issue.
  2. - Pre-requisite actions within ADK.
  3. - Detection and remediation scripts for CVE-2023-24932.
  4. - Instructions for creating a WinPE Boot.wim file to support systems that have undergone remediation.
  5. - A breakdown of the files changed and how to boot WinPE to support systems before remediation.


1. Secure Boot Security Feature Bypass Vulnerability CVE-2023-24932 see MSRC

CVE-2023-24932 is a security vulnerability involving the BlackLotus UEFI bootkit, which allows attackers to bypass Secure Boot protections. This vulnerability enables the execution of malicious code at the UEFI level, potentially leading to persistent and evasive threats. Mitigations for this issue include updates to the Windows Boot Manager and Secure Boot configurations. These updates are crucial for preventing unauthorized code from running during the boot process

All Windows devices with Secure Boot protections enabled are affected by the BlackLotus bootkit.

2. Install the latest version of ADK 
To create Windows UEFI 2023 CA signed Windows PE boot media you need to mount the WinPE.wim and extract the Bootx64.efi that is Windows UEFI 2023 CA signed. See Microsoft here to run the step manually.

Alternatively I have scripted the process to quickly apply all steps see UpdateADK.PS1 

3. Microsoft have provide a guide to apply the mitigation here. NOTE: once applied the computer will only be able to use USB boot media with Bootx64.efi that is Windows UEFI 2023 CA signed.

GaryTown has detailed the Remediation and produced a Task Sequence zip see here

I suggest downloading this Task Sequence and testing in your environment. Once applied your computer will be protected from this CVE.

4. Now that your system is protected from the CVE with Secure Boot Enabled, you will need to use USB Boot Media with Bootx64.efi that is Windows UEFI 2023 CA signed.  I have produced a script that used David Segura's OSD Module to quickly create a ConfigMgr ready Boot.wim. 

After applying the UpdateADK.ps1 in step 2 the New-OSDCloudWorkspace function will build a directory with Bootx64.efi that is Windows UEFI 2023 CA signed. 

 I have scripted the process to quickly build a USB Boot image see Create_WinPE_WindowsUEFI2023CA signed.ps1

5. ADK Files Changed


You can quickly change the Bootx64.efi back to the original that was Windows UEFI 2011 CA signed (See lines  42/43)


References:
KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

CVE-2023-24932 - Security Update Guide - Microsoft - Secure Boot Security Feature Bypass Vulnerability

https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive?view=windows-11 

Local Setup | OSDCloud.com




Comments

Post a Comment