
Updating secure boot is crucial to keeping systems secure and working properly


New security features are great, but it’s inevitable that bad actors will eventually find ways around even the most novel of protections. Keeping up with attackers may mean adjusting, changing, redeploying, or, in the case of secure boot, dealing with the update phases of deployment, evaluation, and ultimately enforcement.

Starting with the May 9, 2023 security releases, and more recently in the July 9, 2024 releases, Microsoft has introduced protections, documented in KB5025885, against the techniques the BlackLotus UEFI bootkit uses to bypass Secure Boot, the feature designed to prevent malicious software from loading when a computer starts.

Here are some actions that are crucial to ensuring the security and proper functioning of your systems.

Identify the systems most at risk for secure boot attacks

For these attacks to succeed, the malware needs physical or administrative access to the device. Merely installing the updates is not enough to protect a system: to fully protect the machines on a network, you also need to deploy the updated DBX deny list hashes.

While not all machines need immediate attention, review your security products to determine whether they monitor for changes to files and boot files. Even where such monitoring is in place, machines that are more exposed, or that have fewer monitoring resources, should be updated first.

Managing bootloaders can be troublesome. The idea behind the code is to ensure that only the operating system intended to boot on the machine will load. As the documentation notes, UEFI Secure Boot is a two-part process: verification of the boot image and verification of updates to the image security database.

A system should have at least two certificates controlling what software is allowed to boot on the machine; the OEM may add others to control what loads. To dig into which certificates are present on your machines, consider installing a PowerShell module that lets you review the exact certificates on each machine.

You can download this module, courtesy of Michael Niehaus, from the PowerShell Gallery. Once it is installed, use the Get-UEFISecureBootCerts command to inventory what is on each machine as you test your fleet.

Susan Bradley

Managing these bootloaders isn't just about dealing with and protecting against ransomware attacks. Like many other technologies used in a secure manner, bootloaders depend on certificates, and certificates have start dates and, more importantly, end dates.

KB5036210 documents that since the February 13, 2024 Windows updates, you can apply a 2023 certificate to the UEFI Secure Boot Allowed Signature Database.

As they note: “Updates to the DB are known to have compatibility issues with some devices. To ease the rollout to Windows devices, the update to the DB does not apply automatically. For enterprise environments, it is important to have a controlled rollout of the update after careful validation with representative devices present in the environment to avoid any disruption.”

A disruptive process

To trigger the rollout of the newer certificate, you can use a registry key or group policy to have the system update the certificate automatically.

First, set a registry value to trigger deployment of the new bootloader certificate, at the following location:

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot

Name: AvailableUpdates

Value: 0x40

This deploys the new bootloader to your systems. You’ll need to reboot systems twice in order to trigger the installation. Wait a few moments between each reboot.

Ensure that you validate the installation. Use the following PowerShell command to confirm that the new certificate is present in the DB:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

If the patch is staged properly, that command returns True.

Now set another registry value to deploy the update to your system:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f

Once again, reboot your system twice.
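As an added example (my own script, not from the article or from Microsoft's documentation), the following read-only PowerShell check ties together the DBX point above and the two-stage procedure just described: it reports the Secure Boot state, the AvailableUpdates staging value at the registry path given above, whether DB already holds the Windows UEFI CA 2023, the DBX size, and which CA issued the signing certificate of the installed boot manager. The function names and the S: drive letter used for the EFI system partition are my own choices.

```powershell
# Added example: read-only status report for the Secure Boot CA rollout.
# Run in an elevated PowerShell on a UEFI system; nothing here changes state.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

function Get-SecureBootCaStatus {
    $status = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    try   { $status.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $status.SecureBootEnabled = $false }

    # Staging flag from the article: 0x40 stages the 2023 CA into DB,
    # 0x100 switches the boot manager. An absent value means nothing was requested.
    $avail = (Get-ItemProperty -Path $regPath -Name AvailableUpdates `
                -ErrorAction SilentlyContinue).AvailableUpdates
    $status.AvailableUpdates = if ($null -eq $avail) { 'not set' } else { '0x{0:X}' -f $avail }

    # Allowed-signature database (DB): the same string match as the article's
    # one-liner, plus the 2011 CA so you can see both before and after switch-over.
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $status.DbHas2023CA = $dbText -match 'Windows UEFI CA 2023'
    $status.DbHas2011CA = $dbText -match 'Microsoft Windows Production PCA 2011'

    # Deny list (DBX): record its size so you can compare it with a baseline
    # captured before the KB5025885 revocations were applied.
    $status.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length

    [pscustomobject]$status
}

# Which CA issued the certificate that signed the boot manager actually installed
# on the EFI system partition? Mounts the ESP on S: (pick a free letter) and
# unmounts it again afterwards. The issuer is the CA the firmware's DB must trust.
function Get-BootManagerSigningCA {
    mountvol S: /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
        $sig.SignerCertificate.Issuer
    }
    finally { mountvol S: /D | Out-Null }
}

Get-SecureBootCaStatus | Format-List
'Boot manager signing CA: ' + (Get-BootManagerSigningCA)
```

Before the second stage, expect DbHas2023CA to be True while the boot manager is still issued by the 2011 CA; after the 0x100 stage and two reboots, the issuer should name the 2023 CA.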

Some side effects of firmware updates have been noted

Review the boot certificate on the system to be sure the process has completed properly. Also review the type of hardware you have standardized on: some vendors have already identified side effects triggered by updating the firmware, as noted in KB5025885.

There has been some confusion over the impact of not updating these bootloader files. The existing bootloader's certificate has an end date in 2026, and the concern is whether this will detrimentally impact systems or whether they will ignore the date and still boot.

As the SANS incidents website indicates: “If you fail to update, future firmware updates may fail. Some articles about this topic make it sound like your systems will fail to boot in Oct 2026. This is not the case. Firmware signatures using the old certificate authority will remain valid as long as they were issued before the certificate authority expired.” The bottom line is that existing systems will boot properly.

Networks running Linux are also affected

If you also use Linux in your environment, this affects you too. You need to handle both the secure boot update itself and the fact that these devices likewise have certificates that will need to be updated. Reach out to your various vendors to determine what needs to be done going forward.

If you are in a business setting, what’s your best plan of action? Review your current deployment schedule. Many of you will “deploy” your way to patched boot files rather than update them. It’s recommended to set aside technical resources and have sample hardware to test on. Then test again. The hope is that a better plan of action will be had when Windows 11 24H2 is released. Currently there is too much testing and not enough definitive guidance on side effects and specific deployment guidance.

You may also need to identify hardware on your network that you will decide not to upgrade but to replace instead, bypassing this issue altogether, especially if you are already replacing your Windows 10-based hardware with Windows 11. Review your hardware refresh goals accordingly.
