Common Vulnerability Scoring – CVE-2023-24932:
Microsoft has issued security updates for a Secure Boot zero-day vulnerability (CVE-2023-24932) that has been exploited in the wild by the BlackLotus UEFI bootkit. The exploit has allowed the malware to infect Windows systems that were already fully patched.
Secure Boot prevents rootkits from loading during the boot process on computers with Unified Extensible Firmware Interface (UEFI) firmware and a Trusted Platform Module (TPM) chip. It does this by refusing to run bootloaders that are not trusted by the OEM.
CVE-2023-24932 allows attackers to evade Secure Boot protections. BlackLotus is currently using the vulnerability to bypass the patches for CVE-2022-21894, another Secure Boot bypass flaw disclosed last year.
Microsoft’s advisory states that the vulnerability allows an attacker to execute code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled, which the attackers use as a persistence and defense evasion mechanism. Microsoft further states that successful exploitation requires the attacker to have either physical access or local administrator privileges on the targeted device.
According to Microsoft, CVE-2023-24932 affects any Windows system with Secure Boot protections enabled, including on-premises configurations, virtual machines, and cloud-based devices. The security patches that address CVE-2023-24932 are only available for supported versions of Windows 10, Windows 11, and Windows Server.
Keep in mind that Microsoft’s security update for CVE-2023-24932 focuses on updating the Windows Boot Manager, but the protection it delivers is not enabled by default, because enabling it could prevent the system from starting up and cause other disruptions. Guidance on the manual steps for enabling the update can be found in Avertium’s Recommendations.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2022-21894 and CVE-2023-24932. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
Guidance related to Secure Boot Manager changes associated with CVE-2023-24932 | MSRC Blog | Microsoft Security Response Center
Microsoft fixes Secure Boot zero-day used by BlackLotus UEFI malware (bleepingcomputer.com)
KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
Microsoft Patches 3 Zero Day Flaws in May Security Update -- Redmondmag.com
Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932) - Help Net Security