Vulnerability CVE
CVE-2023-24932 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932
Problem Description
Microsoft is aware of a publicly available exploit for a Secure Boot bypass that allows attackers to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. To protect against this attack, the Windows boot manager will be updated to address the security vulnerabilities, and boot manager revocation policies (revocations) are being provided to prevent the previous, vulnerable boot managers from running after the system has been updated.
Microsoft has published a public KB article describing the protections against the publicly disclosed Secure Boot security feature bypass used by the BlackLotus UEFI bootkit, tracked as CVE-2023-24932. The article provides the protections and guidance for updating bootable media. A bootkit is a malicious program designed to load as early as possible in a device’s boot sequence in order to control the operating system start.
For the BlackLotus UEFI bootkit exploit described above to be possible, an attacker must gain administrative privileges on a device or gain physical access to the device. This can be done by accessing the device physically or remotely, such as by using a hypervisor to access VMs/cloud. An attacker will commonly use this vulnerability to continue controlling a device that they can already access and possibly manipulate.
Microsoft provided the security update and configuration options to manually enable protections for the Secure Boot bypass on May 9, 2023 (internally called the 5B patch), but these protections are not enabled automatically. Before enabling these protections, please ensure that the devices and all bootable media are updated and ready for this security hardening change.
Please refer to Microsoft's KB: 5025885 for more information.
Note: Mitigations in the KB article are preventive and not corrective.
Root Cause
Secure Boot creates a safe and trusted path from the UEFI through the Windows kernel's Trusted Boot sequence, which helps prevent bootkit malware in the boot sequence. Disabling Secure Boot puts a device at risk of being infected by bootkit malware. Fixing the Secure Boot bypass described in CVE-2023-24932 requires revoking boot managers. This could cause issues for some devices' boot configurations.
Problem Impact Range
Refer to Microsoft's public announcement, KB: 5025885.
All Windows devices with Secure Boot protections enabled are affected by this issue, both on-premises physical devices and some virtual machines (VMs) or cloud-based devices. Protections are available for supported versions of Windows. For the full list, please see CVE-2023-24932.
Linux is also affected by this issue. Microsoft has been coordinating with representatives from major Linux distributions to make the fix available for their operating systems. You must contact support for your Linux distribution for guidance on mitigating this issue for your Linux devices.
Resolution
Acer is working closely with Microsoft to mitigate impact to users and devices and will provide additional information and updates as they become available.