Mitigating the Secure Boot UEFI bootkit using the May 2023 cumulative update still causes misunderstandings at some of my customers. So I wrote this short article to give you an overview and illustrate how this update works, especially regarding the elemination of the BlackLotus bootkit, covered in CVE-2023-24932. A very detailed description can be found in the official KB article: KB5025885 support page.
Among many other fixes, this update adds protection against a Secure Boot security feature bypass of the BlackLotus UEFI bootkit tracked by CVE-2023-24932. However, some steps to fully mitigate the vulnerability must be performed manually. For easier understanding, let me first divide the May 2023 CU into 2 steps:
- Install the CU to apply all the monthly security fixes, update the boot files of the running OS and copy the UEFI Code Integrity boot policy file to the harddrive.
- Manually copy the Code Integrity boot policy to the EFI partition and apply the UEFI block list
Step 1 only affects the running operating system while step 2 modifies the UEFI of your PC. This is important because the 2nd step has to be done manually at the time of writing. Later CUs will simplify this part. Following illustration may help.
Install the CU
Installing the CU updates the boot components of the running operating system or an offline image, if you slipstream the update into it. As a part of the CU installation, files necessary for the UEFI patch (2nd step) are copied to the hard drive to %systemroot%System32SecureBootUpdates. However, the update installation process does not acitivate the UEFI patch, which means, it does not copy those files to the EFI partition so the PC remains vulnerable against the CVE-2023-24932 bootkit.
If you just install the CU using Windows Update, WSUS or any other method, all fixes will be applied to the OS but the UEFI of the PC remains unpatched. In that case, both, updated and unpatched images will boot from that PC.
Install the UEFI patch
Applying the UEFI patch requires you to add the code integrity policy to the EFI partition. The CI policy file, you need for this step, was copied to the system as part of the CU installation. As mentioned before, I will not cover the technical details in this blog post. See chapter 3a within the KB5025885 support page for technical instructions. Secondly, the UEFI deny list needs to be applied. This is done by adding a registry key to the patched OS, followed by a reboot. Technical instructions can also be found in the KB article, chapter 3b.
After the PC’s UEFI has been patched, the vulnerability for the BlackLotus bootkit has been mitigated. However, this PC does not longer boot unpatched operating systems (meaning OS with boot files from before the May 2023 update).
Best practice for enterprises
I suggest to follow the rough approach below. Note, that only after finishing step 3 your PC is fully protected against the Secure Boot bypass vulnerability.
- Patch all running operating systems with the May 2023 CU or later. Do not apply the UEFI patch part yet. Only install the CU.
- After that or at the same time, make sure to patch all Windows PE and Windows images you use for fresh installations. You can use DISM to “slipstream” the patch into the images. See Appendix B in this post for a rough explanation. If you’re using Windows Recovery Environment (WinRE), those images must be patched as well. Please use the corresponding Dynamic Updates in the context with WinRE.
- As a last action, apply the UEFI patch on all running systems by following the steps 3a and 3b of the KB article mentioned at the beginning of this blog. For automation you can write a batch file and deploy it using your system management tool.
Appendix A – Download a cumulative update
Navigate to the Microsoft Update Catalog to download the latest cumulative update in MSU file format. In the search field enter 2023-05 22H2 to narrow down the search results. Find your desired update in the list and click the Download button.
Appendix B – Update a custom Image using DISM
There are tons of examples of how to update offline images available in the web. So I do not spend too much time for explanation. Use these lines just as a reference. Please note that you may need to change some values to fit your environment:
DISM /mount-wim /wimfile:“C:PathToInstall.wim“ /mountdir:C:Mount /index:3
DISM /image:C:Mount /add-package /packagepath:“C:PathToUpdate.msu“
DISM /unmount-wim /mountdir:“C:Mount“ /commit
rmdir /Q /S C:Mount
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.