Microsoft has released security updates to address a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware to infect fully patched Windows systems.
Secure Boot is a security feature that blocks bootloaders untrusted by the OEM on computers with Unified Extensible Firmware Interface (UEFI) firmware and a Trusted Platform Module (TPM) chip to prevent rootkits from loading during the startup process.
According to a Microsoft Security Response Center blog post, the security flaw (tracked as CVE-2023-24932) was used to bypass patches released for CVE-2022-21894, another Secure Boot bug abused in BlackLotus attacks last year.
“Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894,” the company said.
“This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
“This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.”
All Windows systems where Secure Boot protections are enabled are affected by this flaw, including on-premises, virtual machines, and cloud-based devices.
However, the CVE-2023-24932 security patches released today are only available for supported versions of Windows 10, Windows 11, and Windows Server.
To determine if Secure Boot protections are enabled on your system, you can run the msinfo32 command from a Windows command prompt to open the System Information app.
Secure Boot is toggled on if you see a “Secure Boot State ON” message on the left side of the window after selecting “System Summary.”
Manual steps required to mitigate CVE-2023-24932
While the security updates released today by Redmond contain a Windows boot manager fix, they are disabled by default and will not remove the attack vector exploited in BlackLotus attacks.
To defend their Windows devices, customers must undergo a procedure requiring multiple manual steps “to update bootable media and apply revocations before enabling this update.”
To manually enable protections for the Secure Boot CVE-2023-24932 bypass bug, you have to go through the following steps in this exact order (otherwise, the system will no longer boot):
- INSTALL the May 9, 2023, updates on all affected systems.
- UPDATE your bootable media with Windows updates released on or after May 9, 2023. If you do not create your own media, you will need to get the updated official media from Microsoft or your device manufacturer (OEM).
- APPLY revocations to protect against the vulnerability in CVE-2023-24932.
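An added example, not part of the article and not Microsoft's own tooling: a read-only PowerShell check that confirms Secure Boot is on (the same fact msinfo32 shows) and reports whether the revocation from the third step is already present in the firmware's forbidden-signature database (DBX). It assumes the built-in SecureBoot module cmdlets and that the revocation appears as the "Microsoft Windows Production PCA 2011" certificate in DBX, as described in Microsoft's published guidance for this CVE (the article itself does not name the certificate).

```powershell
#Requires -RunAsAdministrator
# Added example: reports Secure Boot state and whether the CVE-2023-24932
# revocation is present in DBX. Reads firmware variables only; changes nothing.

function Get-SecureBootRevocationStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SecureBootEnabled      = $false
        ProductionPCA2011InDbx = $false   # expected true after the revocation step
    }

    try {
        # Equivalent to "Secure Boot State: On" in System Information (msinfo32)
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Throws on legacy BIOS or firmware without Secure Boot support
        Write-Warning "Secure Boot is not supported on this platform: $_"
        return [pscustomobject]$result
    }

    # DBX is returned as raw bytes; certificate subject names are stored as
    # ASCII inside the DER-encoded entries, so a plain string match is enough.
    # Assumption: the revocation is the 'Microsoft Windows Production PCA 2011' entry.
    $dbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes
    $dbxText  = [System.Text.Encoding]::ASCII.GetString($dbxBytes)
    $result.ProductionPCA2011InDbx = $dbxText -match 'Microsoft Windows Production PCA 2011'

    [pscustomobject]$result
}

$status = Get-SecureBootRevocationStatus
$status | Format-List

if ($status.SecureBootEnabled -and -not $status.ProductionPCA2011InDbx) {
    Write-Host 'Secure Boot is on, but the CVE-2023-24932 revocation has not been applied yet.'
}
```

Run it before the third step to record a baseline and again afterwards to confirm the revocation landed; because the revocation cannot be reverted, verify the updated boot media from step two boots the machine before applying it.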
Microsoft is also taking a phased approach to enforcing the protections for this security flaw, to reduce the customer impact of enabling the CVE-2023-24932 protections.
The rollout timeline includes three phases:
- May 9, 2023: The initial fix for CVE-2023-24932 is released. In this release, this fix requires the May 9, 2023, Windows Security Update and additional customer action to fully implement the protections.
- July 11, 2023: A second release will provide additional update options to simplify the deployment of the protections.
- First quarter 2024: This final release will enable the fix for CVE-2023-24932 by default and enforce boot manager revocations on all Windows devices.
Microsoft also warned customers there is no way to revert the changes once CVE-2023-24932 mitigations are fully deployed.
“Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device,” Microsoft said.
“Even reformatting of the disk will not remove the revocations if they have already been applied.”