Applying the fix for a security bypass zero-day affecting the Windows Secure Boot feature will be a long process that will drag into 2024, but for good reason, says Microsoft
Published: 10 May 2023 14:43
On a significantly lighter Patch Tuesday than of late, a publicly disclosed and actively exploited zero-day vulnerability in the Windows Secure Boot security feature looks set to cause an ongoing headache for administrators and security teams.
Tracked as CVE-2023-24932 – and one of two exploited zero-days in Microsoft’s May Patch Tuesday drop – successful exploitation of this security feature bypass vulnerability, credited to ESET’s Martin Smolár and SentinelOne’s Tomer Sne-or, is considered particularly dangerous.
This is because if used in conjunction with a bootkit known as BlackLotus to run code signed by the malicious actor at the unified extensible firmware interface (UEFI) level, it will run before the operating system (OS), so the attacker can then deactivate security protections to do even more damage.
“The CVE is rated as ‘important’ by Microsoft’s assessment algorithms, but with the confirmed exploits you can ignore that severity rating and respond to the real-world risk indicators,” explained Ivanti security product management vice-president Chris Goettl.
“The vulnerability does require the attacker to have either physical access or administrative permissions on the target system, with which they can install an affected boot policy that will be able to bypass Secure Boot to further compromise the system. The vulnerability affects all currently supported versions of the Windows OS,” he said.
Microsoft said that while the fix for CVE-2023-24932 is provided in the current release, it is disabled by default and will not yet provide full protection, meaning customers will have to follow a manual sequence to update bootable media and apply revocations prior to enabling the update.
To this end, it is taking a three-phased approach, of which the initial release is the first. The 11 July Patch Tuesday drop will see a second release containing additional update options to simplify deployment. Finally, sometime between January and March 2024, a final release will enable the fix by default, and enforce Boot Manager revocations on all Windows devices.
According to Microsoft, this is necessary because Secure Boot very precisely controls the boot media that can load when the system OS is first initiated, so if the update is improperly applied it can cause more disruption and stop the system from even starting up.
Speaking to TechTarget in the US, Goettl said this could be a painful process, with some facing the prospect of becoming “bogged down for a very long time”.
The other exploited zero-day vulnerability resolved this month is CVE-2023-29336, an elevation of privilege (EoP) vulnerability in Win32k, credited to Avast’s Jan Vojtěšek, Milánek, and Luigino Camastra, but also high on the docket will be CVE-2023-29325, a critically rated remote code execution (RCE) vulnerability in Windows OLE which is disclosed but not yet exploited, credited to Vul Labs’ Will Dormann.
CVE-2023-29936 requires no user interaction and can be used to achieve system-level privileges if successfully exploited. It impacts Windows 10 and later, and Windows Server 2008 through 2016.
“This is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero-day,” said Tenable senior staff research engineer Satnam Narang. “We anticipate details surrounding its exploitation to be made public soon by the researchers that discovered it.
“However, it is unclear if this flaw is a patch bypass. Historically, we’ve seen three separate examples where Win32k EoP vulnerabilities were exploited as zero days,” he explained. “In January 2022, Microsoft patched CVE-2022-21882, which was exploited in the wild and is reportedly a patch bypass for CVE-2021-1732, which was patched in February 2021 and also exploited in the wild. In October 2021, Microsoft patched another Win32k EoP, identified as CVE-2021-40449, which was linked to a remote access trojan known as MysterySnail, which was a patch bypass for CVE-2016-3309.
“While relatively rare, it is interesting to observe multiple Win32k EoP flaws exploited as zero-days that were also patch bypasses,” observed Narang.
CVE-2023-29325, meanwhile, is a critical vulnerability for which a proof of concept is available. It has a network attack vector and high attack complexity, and though no special privileges are needed to exploit it, the victim does need to be tricked into opening a malicious email. It impacts Windows 10 and Windows Server 2008 and later.
“In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email message to the victim,” said Action1 co-founder and vice-president of vulnerability and threat research Mike Walters.
“The victim could either open the email with an affected version of Microsoft Outlook or preview it in the Outlook application, thereby allowing the attacker to execute remote code on the victim’s computer.
“To mitigate the risk, Microsoft recommends employing certain measures. In Microsoft Outlook, caution should be exercised when handling RTF files from unknown or untrusted sources. Another precautionary step is to read email messages in plain text format, which can be configured in Outlook or through Group Policy. It’s important to note that adopting the plain text format may result in the loss of visual elements such as images, special fonts and animations,” said Walters.
The remaining critical vulnerabilities in the May drop comprise five RCE vulnerabilities and one EoP vulnerability.
The RCE vulns are, in CVE number order:
- CVE-2023-24903 in Windows Secure Socket Tunnelling Protocol (SSTP).
- CVE-2023-24941 in Windows Network File System.
- CVE-2023-24943 in Windows Pragmatic General Multicast (PGM).
- CVE-2023-24955 in Microsoft SharePoint Server.
- And CVE 2023-28283 in Windows Lightweight Directory Access Protocol (LDAP).
The critical EoP vulnerability is CVE-2023-29324 in Windows MHSTML Platform.
Read more on Application security and coding requirements
Akamai bypasses mitigation for critical Microsoft Outlook flaw
By: Arielle Waldman
Light May Patch Tuesday will weigh heavily on Windows admins
By: Tom Walat
Thousands at risk from critical RCE bug in legacy MS service
By: Alex Scroxton
April Patch Tuesday fixes zero-day used to deliver ransomware
By: Alex Scroxton