Microsoft Guidance for blocking vulnerable Windows boot managers



 Microsoft Support:

KB5027455: Guidance for blocking vulnerable Windows boot managers​


Introduction

Microsoft was made aware of a vulnerability with the Windows boot manager that allows an attacker to bypass Secure Boot. The issue in the boot manager was fixed and released as a security update. The remaining vulnerability is that an attacker with administrative privileges or physical access to the device can roll back the boot manager to a version without the security fix. This roll-back vulnerability is being used by the BlackLotus malware to bypass Secure Boot described by CVE-2023-24932. To resolve this issue, we will revoke the vulnerable boot managers.

Because of the large number of boot managers that must be blocked, we are using an alternative way of blocking the boot managers. This affects non-Windows operating systems in that a fix will have to be provided on those systems to block the Windows boot managers from being used as an attack vector on non-Windows operating systems.

More information

One method of blocking vulnerable EFI application binaries from being loaded by the firmware is to add hashes of the vulnerable applications to the UEFI Forbidden List (DBX). The DBX list is stored in the devices firmware managed flash. The limitation of this blocking method is the limited firmware flash memory available to store the DBX. Because of this limitation and the large number of boot managers that must be blocked (Windows boot managers from the past 10+ years), relying entirely on the DBX for this issue is not possible.

For this issue, we have chosen a hybrid method of blocking the vulnerable boot managers. Only a few boot managers that released in earlier versions of Windows will be added to the DBX. For Windows 10 and later versions, a Windows Defender Application Control (WDAC) policy will be used that blocks vulnerable Windows boot managers. When the policy is applied to a Windows system, the boot manager will “lock” the policy to the system by adding a variable to the UEFI firmware. Windows boot managers will honor the policy and the UEFI lock. If the UEFI lock is in place and the policy has been removed, the Windows boot manager will not start. If the policy is in place, the boot manager will not start if it has been blocked by the policy.


 Read more:

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com support.microsoft.com
 
Last edited:
Click to expand...
This flurry of related 'guidances' is NOT a good sign, my biggest worry is that I might break something else, like (parts of) my backup system, see parallel threads (n)

I'll wait until a safe solution is available, one that is suitable for the masses (y)

In the mean time :( 🤷‍♂️
 

My Computer

System One

  • OS
    Windows 10 Pro
Haydon said:
This flurry of related 'guidances' is NOT a good sign, my biggest worry is that I might break something else, like (parts of) my backup system, see parallel threads (n)

I'll wait until a safe solution is available, one that is suitable for the masses (y)

In the mean time :( 🤷‍♂️
Click to expand...



Same here.
I worry that MS is getting frustrated and as you mentioned... in their hurry to fix things they will end up breaking something else.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26100.3775 ♦♦♦♦♦♦♦24H2 ♦♦♦non-Insider
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 5002)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 15 years?
Hey y'all, If I have secure boot turned off now and forever, what will happen in Jan (or sooner) when MS forces their revocations on everyone. Won't this damned DBX list affect a dual boot with Linux? Won't it also affect VMs or at least the application running the VM? Sorry, but I do not want MS putting anything into my firmware. Period. Will disabling secure boot stop this?
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 26100.3775
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 nvme+256gb SKHynix m.2 nvme /External drives 512gb Samsung m.2 sata+1tb Kingston m2.nvme+ 4gb Solidigm nvme
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    #1 Edge #2 Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
You must log in or register to reply here.

Similar threads

  • Article Article
KB5042562 Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates
2
Replies
23
Views
5K
Almighty1
Almighty1
  • Article Article
Revoking vulnerable Windows boot managers
2
Replies
24
Views
6K
Warre1
Warre1
  • Article Article
Midnight Blizzard: Microsoft Guidance for responders on nation-state attack
Replies
4
Views
5K
Steve C
Steve C
  • Article Article
Win Update KB5012170 Security update for Secure Boot DBX
Replies
0
Views
1K
Brink
Brink

Latest Support Threads

Latest Tutorials

Back
Top Bottom