Microsoft's Secure Boot BlackLotus Patching To Extend into 2024

Microsoft this week offered guidance to address a Secure Boot vulnerability in Windows and Linux systems, but it'll likely be a long-term project for IT pros.

The issue was identified by Microsoft in April as being associated with a "baton drop" vulnerability (CVE-2022-21894) that permits the removal of blocks of memory to bypass Secure Boot. This approach was being leveraged by so-called "BlackLotus" bootkits.

Secure Boot is a feature for Unified Extensible Firmware Interface (UEFI)-based systems that is expressly designed to protect those systems from such bootkits, which load before the operating system does and thereby can bypass antimalware protections. A bootkit, if successful, can gain high system privileges while remaining undetected.

Even though Secure Boot was thought to protect systems from bootkits, attackers found a way around it with the vulnerability CVE-2022-21894. Microsoft had issued a patch for CVE-2022-21894 back in Jan. 2022, but the vulnerability still exists. Security researchers at ESET had explained back in March that the baton drop vulnerability still exists in systems using Secure Boot because the affected UEFI binaries haven't been revoked.

Microsoft's Ugly Remediation Advice
Microsoft, in its April communication, had just recommended that organizations follow certain security best practices that reduce local administrative privileges. This week, Microsoft offered remediation advice for the Secure Boot vulnerability, but it is ugly stuff that's fraught with peril.

Organizations can go through the exacting steps outlined in Knowledge Base article KB5025855 if they don't want to wait for Microsoft's software fixes. However, backups and images also need to be updated or they will fail. Microsoft's remediation advice is filled with caveats.

"If you use Secure Boot and incorrectly perform the steps on this article, you might be unable to start or recover your device from media," it warned.

Update 5/12: Microsoft published "KB5027455: Guidance for blocking vulnerable Windows boot manager." In it, Microsoft explained that it is addressing the BlackLotus malware by revoking "vulnerable boot managers," but it can't revoke them all. It's taking an alternative approach, called "UEFI Lock," that will affect users of non-Windows operating systems. The guidance included further murky details and precautions for non-Windows and dual-boot users.

Three-Phased Patch Approach
The vulnerability in Secure Boot systems is described in Microsoft's May CVE-2023-24932 bulletin. It's one of three "zero-day" issues getting patched in Microsoft's May security patch release, but Microsoft isn't fixing this vulnerability with its CVE-2023-24932 May patch release alone. Instead, the May patch is just one step in a three-phase approach that will extend into 2024.

Here's Microsoft's phased patch approach, which begins with the May CVE-2023-24932 patch:

  • May 9, 2023: The initial fix for CVE-2023-24932 is released. In this release, this fix requires the May 9, 2023, Windows Security Update and additional customer action to fully implement the protections.
  • July 11, 2023: A second release will provide additional update options to simplify the deployment of the protections.
  • First quarter 2024: This final release will enable the fix for CVE-2023-24932 by default and enforce boot manager revocations on all Windows devices.

Microsoft is taking this phased approach to patching the vulnerability associated with Secure Boot because it requires some care. Systems might not be able to start.

"The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up," Microsoft's guidance indicated.
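As an added example (not from the article or from Microsoft's KB guidance), the PowerShell below uses the built-in SecureBoot cmdlets to confirm Secure Boot is on and to list what the firmware currently trusts (DB) and has revoked (DBX), which is the state an administrator would want to record before and after applying the revocation steps; the EFI_SIGNATURE_LIST parsing and the function name are assumptions of this example, not part of Microsoft's procedure.

```powershell
# Added example: inventory Secure Boot DB (allowed signers) and DBX (revocations)
# on a Windows UEFI host. Run from an elevated PowerShell session.

function Get-EfiSignatureEntries {
    param([byte[]]$Bytes)
    # Walk the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI:
    # SignatureType GUID (16) | ListSize (4) | HeaderSize (4) | SignatureSize (4) | header | signatures
    $x509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list; stop rather than loop
        $listEnd = $pos + $listSize
        $sigPos  = $pos + 28 + $headerSize
        while ($sigPos + $sigSize -le $listEnd) {
            # Each signature = 16-byte SignatureOwner GUID followed by SignatureData.
            $data = [byte[]]$Bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
            if ($type -eq $x509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Type = 'X509'; Value = $cert.Subject; NotAfter = $cert.NotAfter }
            } elseif ($type -eq $sha256Guid) {
                [pscustomobject]@{ Type = 'SHA256'; Value = ([BitConverter]::ToString($data) -replace '-'); NotAfter = $null }
            } else {
                [pscustomobject]@{ Type = $type.ToString(); Value = "$($data.Length) bytes"; NotAfter = $null }
            }
            $sigPos += $sigSize
        }
        $pos = $listEnd
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this system.' }

$db  = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes)
$dbx = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes)

"DB signers ($($db.Count)):"
$db | Format-Table -AutoSize
"DBX revocation entries: $($dbx.Count) (SHA256 hashes: $(@($dbx | Where-Object Type -eq 'SHA256').Count))"
```

Capture the output before and after each remediation phase; a change in the DB signer list or the DBX hash count is the evidence that the revocation actually reached the firmware, which is what the warnings about unbootable systems and stale recovery media are about.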

Local Admin Privileges Needed
One somewhat comforting notion is that attackers can't exploit this vulnerability unless they have "physical access or local admin privileges on the targeted device." However, the main reason attackers use the BlackLotus bootkit is to stealthily maintain persistence on a system and connect via HTTP to command and control software. In other words, there's potentially no detection if a system has already been compromised.

Microsoft claimed back in April that Microsoft Defender Antivirus (if not deactivated by an attacker) can detect BlackLotus threat components. Moreover, Microsoft Defender for Endpoint will send alerts regarding BlackLotus activity, Microsoft had indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
