Secure Boot vulnerability causes Patch Tuesday headache for admins

On a considerably lighter Patch Tuesday than of late, a publicly disclosed and actively exploited zero-day vulnerability in the Windows Secure Boot security feature looks set to cause an ongoing headache for administrators and security teams.

Tracked as CVE-2023-24932 – and one of two exploited zero-days in Microsoft’s May Patch Tuesday drop – successful exploitation of this security feature bypass vulnerability, credited to ESET’s Martin Smolár and SentinelOne’s Tomer Sne-or, is considered particularly dangerous.

This is because if it is used in conjunction with a bootkit known as BlackLotus to run code signed by the malicious actor at the unified extensible firmware interface (UEFI) level, that code runs before the operating system (OS), so the attacker can then disable security protections to do even more damage.

“The CVE is rated as ‘important’ by Microsoft’s assessment algorithms, but with the confirmed exploits you can ignore that severity rating and respond to the real-world risk indicators,” explained Ivanti security product management vice-president Chris Goettl.

“The vulnerability does require the attacker to have either physical access or administrative permissions on the target system, with which they can install an affected boot policy that will be able to bypass Secure Boot to further compromise the system. The vulnerability affects all currently supported versions of the Windows OS,” he said.

Microsoft said that while the fix for CVE-2023-24932 is available in the current release, it is disabled by default and will not yet provide full protection, meaning customers must follow a manual sequence to update bootable media and apply revocations before enabling the update.

To this end, it is taking a three-phased approach, of which the initial release is the first. The 11 July Patch Tuesday drop will see a second release containing additional update options to simplify deployment. Finally, sometime between January and March 2024, a final release will enable the fix by default and enforce Boot Manager revocations on all Windows devices.

According to Microsoft, this is necessary because Secure Boot very precisely controls the boot media that can load when the system OS is first initiated, so if the update is badly applied it can cause more disruption and stop the system from even starting up.

Speaking to TechTarget in the US, Goettl said this could be a painful process, with some facing the prospect of becoming “bogged down for a long time”.

Zero-days

The other exploited zero-day vulnerability resolved this month is CVE-2023-29336, an elevation of privilege (EoP) vulnerability in Win32k, credited to Avast’s Jan Vojtěšek, Milánek, and Luigino Camastra, but also high on the docket will be CVE-2023-29325, a critically rated remote code execution (RCE) vulnerability in Windows OLE which is disclosed but not yet exploited, credited to Vul Labs’ Will Dormann.

CVE-2023-29336 requires no user interaction and can be used to gain system-level privileges if successfully exploited. It affects Windows 10 and later, and Windows Server 2008 through 2016.

“This is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero-day,” said Tenable senior staff research engineer Satnam Narang. “We expect details surrounding its exploitation to be made public soon by the researchers that discovered it.

“However, it’s unclear if this flaw is a patch bypass. Historically, we’ve seen three separate examples where Win32k EoP vulnerabilities were exploited as zero-days,” he explained. “In January 2022, Microsoft patched CVE-2022-21882, which was exploited in the wild and is reportedly a patch bypass for CVE-2021-1732, which was patched in February 2021 and also exploited in the wild. In October 2021, Microsoft patched another Win32k EoP, identified as CVE-2021-40449, which was linked to a remote access trojan known as MysterySnail, which was a patch bypass for CVE-2016-3309.

“While relatively rare, it is fascinating to see multiple Win32k EoP flaws exploited as zero-days that were also patch bypasses,” observed Narang.

CVE-2023-29325, meanwhile, is a critical vulnerability for which a proof of concept is available. It has a network attack vector and high attack complexity, and although no special privileges are needed to exploit it, the victim does have to be tricked into opening a malicious email. It affects Windows 10 and Windows Server 2008 and later.

“In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email message to the victim,” said Action1 co-founder and vice-president of vulnerability and threat research Mike Walters.

“The victim could either open the email with an affected version of Microsoft Outlook or preview it in the Outlook application, thereby allowing the attacker to execute remote code on the victim’s computer.

“To mitigate the risk, Microsoft recommends employing certain measures. In Microsoft Outlook, caution should be exercised when handling RTF files from unknown or untrusted sources. Another precautionary step is to read email messages in plain text format, which can be configured in Outlook or via Group Policy. It’s important to note that adopting the plain text format may result in the loss of visual elements such as pictures, special fonts and animations,” said Walters.
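For administrators triaging this month’s drop, the two headline items both come down to posture that can be checked from a PowerShell session: whether Secure Boot is actually enforced on a machine (the precondition for the CVE-2023-24932 revocation work Microsoft describes above) and whether Outlook has been switched to reading mail as plain text, the mitigation Walters recommends for CVE-2023-29325. The following script is an added example and is not from the article or from Microsoft; it assumes that `Confirm-SecureBootUEFI` is available (it requires an elevated session on a UEFI Windows system and throws on legacy BIOS machines) and that Outlook’s “read as plain text” option is stored as the `ReadAsPlain` DWORD under the per-user `Options\Mail` key, or under the equivalent `Policies` path when set by Group Policy; verify both against your own Office version before relying on the result.

```powershell
# Added example, not from the article. Reports two posture checks relevant
# to the May 2023 Patch Tuesday items discussed above. Run elevated.

function Get-SecureBootState {
    # Assumption: Confirm-SecureBootUEFI returns $true/$false on UEFI systems
    # and throws on legacy BIOS or when not elevated.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        [pscustomobject]@{
            Check  = 'SecureBoot'
            Status = if ($enabled) { 'Enabled' } else { 'Disabled' }
            Note   = 'Revocation steps for CVE-2023-24932 only matter when Secure Boot is enforced'
        }
    } catch {
        [pscustomobject]@{
            Check  = 'SecureBoot'
            Status = 'Unavailable'
            Note   = $_.Exception.Message
        }
    }
}

function Get-OutlookPlainTextState {
    # Assumption: Office 2016/2019/2021/365 share the 16.0 registry tree.
    param([string]$OfficeVersion = '16.0')

    # Group Policy path is checked first because it overrides the user setting.
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name ReadAsPlain -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            $source = if ($p -like '*\Policies\*') { 'GroupPolicy' } else { 'UserSetting' }
            return [pscustomobject]@{
                Check  = 'OutlookReadAsPlain'
                Status = if ($v.ReadAsPlain -eq 1) { 'Enabled' } else { 'Disabled' }
                Note   = "Configured via $source at $p"
            }
        }
    }
    [pscustomobject]@{
        Check  = 'OutlookReadAsPlain'
        Status = 'NotConfigured'
        Note   = 'ReadAsPlain value absent; Outlook renders HTML/RTF by default'
    }
}

# Collect both checks into one table so the output can be pasted into a ticket.
@(Get-SecureBootState; Get-OutlookPlainTextState) | Format-Table -AutoSize
```

The script only reads state and changes nothing; a `Disabled` or `NotConfigured` row is the cue to apply the corresponding Group Policy or, for Secure Boot, to confirm firmware settings before scheduling the multi-phase CVE-2023-24932 rollout, since the revocations Microsoft describes cannot be tested meaningfully on a machine that is not enforcing Secure Boot in the first place.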

The remaining critical vulnerabilities in the May drop comprise five RCE vulnerabilities and one EoP vulnerability.

The RCE vulns are, in CVE number order:

  • CVE-2023-24903 in Windows Secure Socket Tunnelling Protocol (SSTP).
  • CVE-2023-24941 in Windows Network File System.
  • CVE-2023-24943 in Windows Pragmatic General Multicast (PGM).
  • CVE-2023-24955 in Microsoft SharePoint Server.
  • And CVE-2023-28283 in Windows Lightweight Directory Access Protocol (LDAP).

The critical EoP vulnerability is CVE-2023-29324 in Windows MSHTML Platform.
