{"id":90786,"date":"2023-05-10T09:43:00","date_gmt":"2023-05-10T09:43:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=90786"},"modified":"2023-05-10T09:43:00","modified_gmt":"2023-05-10T09:43:00","slug":"secure-boot-vulnerability-causes-patch-tuesday-headache-for-admins","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=90786","title":{"rendered":"Secure Boot vulnerability causes Patch Tuesday headache for admins"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/05\/secure-boot-vulnerability-causes-patch-tuesday-headache-for-admins.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>On a significantly lighter <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/\">Patch Tuesday<\/a> than of late, a publicly disclosed and actively exploited zero-day vulnerability in the Windows Secure Boot security feature looks set to cause an ongoing headache for administrators and security teams.<\/p>\n<p>Tracked as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-24932\">CVE-2023-24932<\/a> \u2013 and one of two exploited zero-days in Microsoft\u2019s May Patch Tuesday drop \u2013 the security feature bypass vulnerability, credited to ESET\u2019s Martin Smol\u00e1r and SentinelOne\u2019s Tomer Sne-or, is considered particularly dangerous when successfully exploited.<\/p>\n<p>This is because, if it is used in conjunction with <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/11\/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign\/\">a bootkit such as BlackLotus<\/a> to run attacker-controlled code at the unified extensible firmware interface (UEFI) level, that code runs before the operating system (OS) loads, so the attacker can then disable security protections the OS would otherwise enforce and do even more damage.<\/p>\n<p>\u201cThe CVE is rated as \u2018important\u2019 by Microsoft\u2019s assessment algorithms, but with the confirmed 
exploits you can ignore that severity rating and respond to the real-world risk indicators,\u201d explained <a href=\"https:\/\/www.ivanti.com\/en-gb\/\">Ivanti<\/a> security product management vice-president Chris Goettl.<\/p>\n<p>\u201cThe vulnerability does require the attacker to have either physical access or administrative permissions on the target system, with which they can install an affected boot policy that will be able to bypass Secure Boot to further compromise the system. The vulnerability affects all currently supported versions of the Windows OS,\u201d he said.<\/p>\n<p><a href=\"https:\/\/msrc.microsoft.com\/blog\/2023\/05\/guidance-related-to-secure-boot-manager-changes-associated-with-cve-2023-24932\/\">Microsoft said<\/a> that while the fix for CVE-2023-24932 is provided in the current release, it is disabled by default and will not yet provide full protection, meaning customers will have to follow a manual sequence to update bootable media and apply revocations prior to enabling the update.<\/p>\n<p>To this end, it is taking a three-phased approach, of which the initial release is the first. The 11 July Patch Tuesday drop will see a second release containing additional update options to simplify deployment. 
Finally, sometime between January and March 2024, a final release will enable the fix by default, and enforce Boot Manager revocations on all Windows devices.<\/p>\n<p><a href=\"https:\/\/support.microsoft.com\/en-gb\/topic\/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d\">According to Microsoft<\/a>, this is necessary because Secure Boot tightly controls which boot components the firmware will load before the OS starts, so if the update is improperly applied it can cause more disruption and stop the system from even starting up.<\/p>\n<p><a href=\"https:\/\/www.techtarget.com\/searchwindowsserver\/news\/366537316\/Light-May-Patch-Tuesday-will-weigh-heavily-on-Windows-admins\">Speaking to TechTarget<\/a> in the US, Goettl said this could be a painful process, with some facing the prospect of becoming \u201cbogged down for a very long time\u201d.<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Zero-days\">\n<h3 class=\"section-title\">Zero-days<\/h3>\n<p>The other exploited zero-day vulnerability resolved this month is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-29336\">CVE-2023-29336<\/a>, an elevation of privilege (EoP) vulnerability in Win32k, credited to Avast\u2019s Jan Vojt\u011b\u0161ek, Mil\u00e1nek, and Luigino Camastra, but also high on the docket will be <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2023-29325\">CVE-2023-29325<\/a>, a critically rated remote code execution (RCE) vulnerability in Windows OLE which is disclosed but not yet exploited, credited to Vul Labs\u2019 Will Dormann.<\/p>\n<p>CVE-2023-29336 requires no user interaction and can be used to achieve system-level privileges if successfully exploited. 
It impacts Windows 10 and later, and Windows Server 2008 through 2016.<\/p>\n<p>\u201cThis is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero-day,\u201d said <a href=\"https:\/\/www.tenable.com\/\">Tenable<\/a> senior staff research engineer Satnam Narang. \u201cWe anticipate details surrounding its exploitation to be made public soon by the researchers that discovered it.<\/p>\n<p>\u201cHowever, it is unclear if this flaw is a patch bypass. Historically, we\u2019ve seen three separate examples where Win32k EoP vulnerabilities were exploited as zero days,\u201d he explained. \u201cIn January 2022, Microsoft patched <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-21882\">CVE-2022-21882<\/a>, which was exploited in the wild and is reportedly a <a href=\"https:\/\/twitter.com\/b2ahex\/status\/1481233350840893442\">patch bypass for CVE-2021-1732<\/a>, which was patched in February 2021 and also exploited in the wild. In October 2021, Microsoft patched another Win32k EoP, identified as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-40449\">CVE-2021-40449<\/a>, which was linked to a <a href=\"https:\/\/www.computerweekly.com\/news\/252508095\/Microsoft-warns-of-MysterySnail-on-October-Patch-Tuesday\">remote access trojan known as MysterySnail<\/a>, which was a patch bypass for <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2016-3309\">CVE-2016-3309<\/a>.<\/p>\n<p>\u201cWhile relatively rare, it is interesting to observe multiple Win32k EoP flaws exploited as zero-days that were also patch bypasses,\u201d observed Narang.<\/p>\n<p>CVE-2023-29325, meanwhile, is a critical vulnerability for which a proof of concept is available. It has a network attack vector and high attack complexity, and though no special privileges are needed to exploit it, the victim does need to be tricked into opening a malicious email. 
It impacts Windows 10 and Windows Server 2008 and later.<\/p>\n<p>\u201cIn an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email message to the victim,\u201d said <a href=\"https:\/\/www.action1.com\/\">Action1<\/a> co-founder and vice-president of vulnerability and threat research Mike Walters.<\/p>\n<p>\u201cThe victim could either open the email with an affected version of Microsoft Outlook or preview it in the Outlook application, thereby allowing the attacker to execute remote code on the victim\u2019s computer.<\/p>\n<p>\u201cTo mitigate the risk, Microsoft recommends employing certain measures. In Microsoft Outlook, caution should be exercised when handling RTF files from unknown or untrusted sources. Another precautionary step is to read email messages in plain text format, which can be configured in Outlook or through Group Policy. It\u2019s important to note that adopting the plain text format may result in the loss of visual elements such as images, special fonts and animations,\u201d said Walters.<\/p>\n<p>The remaining vulnerabilities of note in the May drop comprise five critical RCE vulnerabilities and one security feature bypass.<\/p>\n<p>The RCE vulns are, in CVE number order:<\/p>\n<ul class=\"default-list\">\n<li>CVE-2023-24903 in Windows Secure Socket Tunnelling Protocol (SSTP).<\/li>\n<li>CVE-2023-24941 in Windows Network File System.<\/li>\n<li>CVE-2023-24943 in Windows Pragmatic General Multicast (PGM).<\/li>\n<li>CVE-2023-24955 in Microsoft SharePoint Server.<\/li>\n<li>And CVE-2023-28283 in Windows Lightweight Directory Access Protocol (LDAP).<\/li>\n<\/ul>\n<p>The security feature bypass is CVE-2023-29324 in the Windows MSHTML Platform.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>On a significantly lighter Patch Tuesday than of late, a publicly disclosed and actively exploited zero-day vulnerability in the Windows Secure Boot security feature looks set to cause an ongoing headache 
for administrators and security teams. Tracked as CVE-2023-24932 \u2013 and one of two exploited zero-days in Microsoft\u2019s May Patch Tuesday drop \u2013 successful exploitation [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":90787,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-90786","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/90786","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=90786"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/90786\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/90787"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=90786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=90786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=90786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
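The article's Secure Boot section describes the ordering problem behind Microsoft's phased rollout of the CVE-2023-24932 fix: the revocation of the old boot manager signing CA must not be applied before a boot manager (and any recovery or installation media) signed by the replacement CA is in place, or the firmware will refuse to boot the machine. The PowerShell pre-flight check below is an added example for this page; it is not code from the article, from Microsoft's KB5025885 guidance or from any vendor quoted above. It reads the UEFI `db` and `dbx` signature databases, inspects the Authenticode signer of the boot manager on the EFI system partition, and reports whether applying the revocation would be safe. Assumptions not taken from the page: the ESP can be mounted on a free drive letter (default `S:`), and the CA names are found as ASCII substrings of the DER-encoded certificates inside the signature lists.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft's KB): pre-flight check of the
# Secure Boot state relevant to the CVE-2023-24932 revocation sequence.
# Assumption: the ESP is mounted on an otherwise unused drive letter (default S:).
param([string]$EspDrive = 'S:')

function Get-SecureBootDbText {
    param([ValidateSet('db', 'dbx')][string]$Name)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of the variable.
    # CA subject names are PrintableStrings inside the embedded DER certificates,
    # so an ASCII scan of the bytes is enough to find them (assumption, see lead-in).
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Get-BootManagerSigner {
    param([string]$Drive)
    $path = Join-Path $Drive 'EFI\Microsoft\Boot\bootmgfw.efi'
    $mounted = $false
    if (-not (Test-Path $path)) {
        # mountvol /S mounts the EFI system partition; /D unmounts it again below.
        & mountvol $Drive /S | Out-Null
        $mounted = $true
    }
    try {
        $sig = Get-AuthenticodeSignature -FilePath $path
        return [pscustomobject]@{
            Status = $sig.Status                    # Valid / NotSigned / HashMismatch ...
            Issuer = $sig.SignerCertificate.Issuer  # CA that issued the signing cert
        }
    } finally {
        if ($mounted) { & mountvol $Drive /D | Out-Null }
    }
}

# Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware.
try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }

$db      = Get-SecureBootDbText -Name db
$dbx     = Get-SecureBootDbText -Name dbx
$bootmgr = Get-BootManagerSigner -Drive $EspDrive

$ca2023Trusted  = $db  -match 'Windows UEFI CA 2023'
$pca2011Revoked = $dbx -match 'Microsoft Windows Production PCA 2011'
$bootmgrIs2011  = $bootmgr.Issuer -match 'Microsoft Windows Production PCA 2011'
$bootmgrIs2023  = $bootmgr.Issuer -match 'Windows UEFI CA 2023'

[pscustomobject]@{
    SecureBootEnabled    = $secureBootOn
    CA2023InDb           = $ca2023Trusted
    PCA2011InDbx         = $pca2011Revoked
    BootManagerSignature = $bootmgr.Status
    BootManagerIssuer    = $bootmgr.Issuer
} | Format-List

# The ordering constraint behind the phased rollout: the 2023 CA must be trusted and a
# 2023-signed boot manager must be on disk before the 2011 CA is placed in dbx.
if (-not $secureBootOn) {
    Write-Warning 'Secure Boot is off; the revocations have no effect until it is enabled.'
} elseif ($pca2011Revoked -and $bootmgrIs2011) {
    Write-Error 'dbx revokes PCA 2011 but the ESP boot manager is PCA 2011-signed: the next boot will fail Secure Boot verification.'
} elseif (-not $ca2023Trusted) {
    Write-Warning 'Windows UEFI CA 2023 is not in db yet: do not apply the PCA 2011 revocation.'
} elseif ($bootmgrIs2011) {
    Write-Warning 'CA 2023 is trusted but the boot manager is still 2011-signed: update the boot manager and all bootable media first.'
} elseif ($bootmgrIs2023 -and -not $pca2011Revoked) {
    Write-Output 'Boot manager is 2023-signed; apply the revocation only once recovery and install media have also been updated.'
} else {
    Write-Output 'Revocation state is consistent with the boot manager on disk.'
}
```

Run it before and after each phase of the rollout on a representative device per hardware model, not just once per fleet: the `db`/`dbx` contents are firmware state, so a machine whose firmware update path failed can be in a different state from its neighbours. Because the signature databases are measured into TPM PCR7, applying the revocations changes that measurement and can send BitLocker volumes bound to PCR7 into recovery, so have recovery keys available before the revocation step.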