Brief about the vulnerability
The security feature bypass vulnerability (CVE-2020-0689) allows attackers to bypass the secure boot feature and load untrusted or malicious software during the Windows boot-up process. While this vulnerability created panic among Microsoft customers, Microsoft released a security update (KB4535680) to tackle the same. But the update has caused further inconvenience to the already troubled customers by triggering BitLocker key recovery issues across multiple Windows OS products in servers and workstations.
Who is affected?
Any organizations or individuals worldwide who are using Windows 10 releases (from v1607 to v1909), Windows 8.1, Windows Server 2012 R2, and Windows Server 2012 operating system products from Microsoft are vulnerable to the risk posed by the security feature bypass vulnerability (CVE-2020-0689). These customers will also have to deal with the BitLocker key recovery issue after installing the security update (KB4535680) to tackle the vulnerability.
How is the vulnerability exploited?
To exploit this vulnerability (CVE-2020-0689), an attacker must first find his/her way into the target server. This can be done through spear-phishing email with malicious links or attachments to download and install malicious payload capable of allowing reverse shell or backdoor access into systems. The attacker can then take advantage of this initial access to execute the next steps like installing “LoJax” (popular rootkit), etc. Post-installation of the rootkit, the attacker, will have continuous access into the system. Even if the system is rebuilt (or formatted) or the OEM vendor releases BIOS-updates, the rootkit will remain within the system’s UEFI firmware.
The vulnerability poses a severe risk of unauthorized access, security breach, data breach, data loss, disruption in business operation, and impact on the attacked organization’s reputation.
The security update (KB4535680) from Microsoft triggers the BitLocker key recovery issue on Windows 10 releases (from v1607 to v1909), Windows 8.1, Windows Server 2012 R2, and Windows Server 2012. This issue could allow attackers with initial access onto the system to attempt BitLocker key recovery using malicious payload and gain unauthorized access to the BitLocker-protected drive.
What can you do?
Microsoft has acknowledged the repeated triggering of BitLocker key recovery issue on affected Windows operating systems. The company says that if the BitLocker Group Policy, “Configure TPM platform validation profile for native UEFI firmware configurations,” is enabled and PCR7 is selected by policy, it may result in the BitLocker recovery key being required on some devices where PCR7 binding is not possible. To view the PCR7 binding status, one needs to run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
Microsoft has provided few workarounds to resolve this issue. The company recommends implementing workarounds before installing the security update (KB4535680) on the system:
- On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for one reboot cycle:
Manage-bde –Protectors –Disable C: -RebootCount 1
Then, restart the device to resume the BitLocker protection.
Note:- Do not enable BitLocker protection without again restarting the device as it would result in BitLocker recovery.
- A Credential Guard enabled device could have multiple restarts during the update that require BitLocker to be suspended. Run the following command from an Administrator command prompt to suspend BitLocker for three restart cycles:
Manage-bde –Protectors –Disable C: -RebootCount 3
This security update (KB4535680) is expected to restart the system twice. Restart the device once again to resume the BitLocker protection.
Note:- Do not enable BitLocker protection without additionally restarting as it would result in BitLocker recovery.
It is strongly recommended to install the security update (KB4535680) after implementing the above workarounds to mitigate the risk posed by the security feature bypass vulnerability (CVE-2020-0689).
About the Author
Rahil Karedia is a threat intelligence lead with more than 5 years of experience in cyberspace operations. He is closely working and collaborating with the threat intelligence team at Network Intelligence. His expertise lies in domains such as threat intelligence (technical, tactical, and strategic), threat hunting, compromise assessment, SOC, and incident response & management.
You can connect with him on LinkedIn.
Do you want more information on the above and similar vulnerabilities?
Feel free to reach out to Network intelligence at firstname.lastname@example.org