overview
Common Vulnerability Scoring – CVE-2023-24932:
- CVSS Base Score: 6.7
- Impact Subscore: 5.9
- Exploitability Subscore: 0.8
- Overall CVSS Score: 6.7
Microsoft has issued security updates for a Secure-Boot zero-day vulnerability (CVE-2023-24932) that has been exploited by BlackLotus UEFI malware in the wild. This exploit has allowed the malware to infect Windows systems that were already fully patched.
Secure Boot prevents rootkits from loading during the boot process on computers with Unified Extensible Firmware Interface (UEFI) firmware and a Trusted Platform Module (TPM) chip. Secure Boot accomplishes this by blocking bootloaders untrusted by the OEM.
CVE-2023-24932 allows attackers to evade Secure Boot protections. The vulnerability is currently being used by BlackLotus to bypass patches for CVE-2022-21894, which is another flaw that allowed for Secure Boot bypass last year.
Microsoft’s advisory states that the vulnerability allows the attackers to execute code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by the attackers as a persistence and defense evasion mechanism. Microsoft further stated that successful exploitation relies on the attacker having physical or local admin privileges on the targeted device.
According to Microsoft, CVE-2023-24932 affects any Windows system with Secure Boot protections enabled, including on-premises configurations, virtual machines, and cloud-based devices. Additionally, the security patches designed to address CVE-2023-24932 are solely available for supported versions of Windows 10, Windows 11, and Windows Server.
Keep in mind that Microsoft’s security update for CVE-2023-24932 focuses on updating the Windows Boot Manager, but the update is not enabled by default because it could prevent the system from starting up and cause other disruptions. You can find guidance on the manual steps for updating in Avertium’s Recommendations.
avertium's recommendations
- Per Microsoft, to protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but disabled by default and will not provide protections. Customers will need to carefully follow manual steps to update bootable media and apply revocations before enabling this update.
- Microsoft also stated that they are taking a phased approach to addressing CVE-2023-24932. Protections will be enforced in three phases to reduce customer and industry partner impact with existing Secure Boot while applying the change:
- May 9, 2023: The initial fix for CVE-2023-24932 is released. In this release, this fix requires the May 9, 2023, Windows Security Update and additional customer action to fully implement the protections.
- July 11, 2023: A second release will provide additional update options to simplify the deployment of the protections.
- First quarter 2024: This final release will enable the fix for CVE-2023-24932 by default and enforce bootmanager revocations on all Windows devices.
- For guidance on how to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932, please see Microsoft’s support article.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2022-21894 and CVE-2023-24932. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
How Avertium is Protecting Our CUSTOMERS
- Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
- Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it is an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.
- Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
SUPPORTING DOCUMENTATION