Is there a fix for Windows Security Feature Bypass in Secure Boot (BootHole) ?

Adino 31 Reputation points
2021-01-26T19:08:14.95+00:00

Is there a fix for "Windows Security Feature Bypass in Secure Boot (BootHole)" (severity Medium, Windows)? This comes up as a vulnerability on our security scans, and posts I've seen say there will be an upcoming fix, but it's been months and I haven't seen one yet. Any help appreciated, thanks.


4 answers

  1. Jenny Feng 14,076 Reputation points
    2021-01-27T07:09:09.18+00:00

    @RichWines-9402
    Hi,
    Based on my research, there is no patch or workaround.
    See the Mitigations section following:
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV200011
    Hope above information can help you.



  2. Adino 31 Reputation points
    2021-01-27T14:15:55.503+00:00

    I also forgot to mention this is only on the 2019 servers....


  3. z080236 1 Reputation point
    2021-05-18T05:11:11.8+00:00

    I have done the following:
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0689

    Customers who need to manually install these three updates should install them in the following order:

    Servicing Stack Update
    Standalone Secure Boot Update listed in this CVE
    January 2021 Security Update

    Installed on Windows Server 2016; BootHole is still there.

    Not sure what the advice is for this.


  4. Adino 31 Reputation points
    2021-05-18T12:08:21.227+00:00

    After much frustration, the links below helped us resolve the issue, but Microsoft claims it will be resolved by a later update:

    https://support.microsoft.com/en-us/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-e3b9e4cb-a330-b3ba-a602-15083965d9ca

    This MS guidance article sent us here: https://uefi.org/revocationlistfile

    I downloaded the x64 file. Under “More Information” on the Microsoft guidance document, I placed the downloaded file called dbxupdate_x64.bin into a folder I created under C:\Temp\Powershell called “Dbx”.

    I then downloaded the script to split this file. The file has to be split before it can be uploaded; Microsoft has a PowerShell script for this (in the link above). It places two files in the folder that are key: Content.bin and Signature.p7. It also places this file there: splitdbxcontent.1.0.0.nupkg.

    SplitDbxAuthInfo.ps1 splits a DBX update package into the new DBX variable contents and the signature authorizing the change.

    Run Set-SecureBootUefi script to apply the updates.

    Here’s a synopsis of the steps we used:

    1. Download the dbxupdate_x64.bin file.
    2. Create a folder under C:\Temp\Powershell\DBX and place the scripts and the file there.
    3. Open PowerShell ISE (elevated). Change directory to the DBX folder.
    4. Run .\SplitDbxAuthInfo.ps1 DbxUpdate_x64.bin
    5. To apply the update using the output files of this script, run: Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite

    This should come back as successful.
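The procedure above, as an added example that is not part of the original answer and not Microsoft's SplitDbxAuthInfo.ps1: it performs the same split inline, but first reads the current dbx variable and counts the SHA-256 revocation entries it holds, compares that against what dbxupdate_x64.bin carries, and re-counts after the write, which is the check a scanner-driven admin wants to see (the scanner finding is about those entries being absent from dbx). It assumes the file layout defined by the UEFI specification for a time-based authenticated variable (EFI_VARIABLE_AUTHENTICATION_2: an EFI_TIME followed by a WIN_CERTIFICATE_UEFI_GUID and then the payload), that the update file sits at the C:\Temp\Powershell\DBX path used in the answer, and that the SecureBoot module's Confirm-SecureBootUEFI, Get-SecureBootUEFI and Set-SecureBootUEFI cmdlets are available (they ship with Windows). The -Time value is taken from the blob's own EFI_TIME rather than typed in, because the PKCS#7 signature covers that timestamp and a mismatch makes the firmware reject the write.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's script): inspect dbx, split dbxupdate_x64.bin,
# apply it with -AppendWrite, and confirm the revocation entries landed.
param(
    [string]$UpdateFile = 'C:\Temp\Powershell\DBX\dbxupdate_x64.bin',  # assumed path from the answer
    [switch]$Apply                                                    # dry run unless set
)
$ErrorActionPreference = 'Stop'
Import-Module SecureBoot

# Sanity checks before touching firmware variables at all.
if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this machine; a dbx update changes nothing.' }
if (-not [Environment]::Is64BitOperatingSystem) { throw 'dbxupdate_x64.bin targets x64 firmware only.' }

function Copy-Slice {
    param([byte[]]$Src, [int]$Offset, [int]$Length)
    $out = New-Object byte[] $Length
    [Buffer]::BlockCopy($Src, $Offset, $out, 0, $Length)
    return ,$out
}

function Split-DbxUpdate {
    # Layout (UEFI spec, EFI_VARIABLE_AUTHENTICATION_2):
    #   EFI_TIME (16 bytes)
    #   WIN_CERTIFICATE_UEFI_GUID: dwLength(4) wRevision(2) wCertificateType(2) CertType GUID(16) CertData[]
    #   variable payload (the EFI_SIGNATURE_LISTs to append to dbx)
    param([byte[]]$Blob, [string]$OutDir)
    $year = [BitConverter]::ToUInt16($Blob, 0)
    $time = '{0:D4}-{1:D2}-{2:D2}T{3:D2}:{4:D2}:{5:D2}Z' -f $year, $Blob[2], $Blob[3], $Blob[4], $Blob[5], $Blob[6]
    $certLen  = [BitConverter]::ToUInt32($Blob, 16)   # dwLength spans the whole WIN_CERTIFICATE_UEFI_GUID
    $sigStart = 16 + 8 + 16                            # EFI_TIME + dwLength/wRevision/wCertificateType + CertType GUID
    $sigEnd   = 16 + $certLen
    $sigPath     = Join-Path $OutDir 'signature.p7'
    $contentPath = Join-Path $OutDir 'content.bin'
    $content = Copy-Slice $Blob $sigEnd ($Blob.Length - $sigEnd)
    [IO.File]::WriteAllBytes($sigPath, (Copy-Slice $Blob $sigStart ($sigEnd - $sigStart)))
    [IO.File]::WriteAllBytes($contentPath, $content)
    [pscustomobject]@{ Time = $time; SignaturePath = $sigPath; ContentPath = $contentPath; Content = $content }
}

function Get-DbxHashes {
    # Walk the chain of EFI_SIGNATURE_LIST structures and return every SHA-256 entry as hex.
    param([byte[]]$Data)
    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $hashes = New-Object System.Collections.Generic.List[string]
    $off = 0
    while ($off + 28 -le $Data.Length) {
        $type     = [guid]::new([byte[]]($Data[$off..($off + 15)]))
        $listSize = [BitConverter]::ToUInt32($Data, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Data, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($Data, $off + 24)
        if ($listSize -lt 28 -or $off + $listSize -gt $Data.Length) { throw "Malformed EFI_SIGNATURE_LIST at offset $off" }
        $entry = $off + 28 + $hdrSize
        while ($entry + $sigSize -le $off + $listSize) {
            if ($type -eq $sha256Guid) {
                # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData (32 bytes for SHA-256)
                $hashes.Add(([BitConverter]::ToString($Data, $entry + 16, $sigSize - 16) -replace '-', '').ToLower())
            }
            $entry += $sigSize
        }
        $off += $listSize
    }
    return ,$hashes
}

$before  = Get-DbxHashes (Get-SecureBootUEFI -Name dbx).Bytes
$split   = Split-DbxUpdate -Blob ([IO.File]::ReadAllBytes($UpdateFile)) -OutDir (Split-Path $UpdateFile)
$carried = Get-DbxHashes $split.Content
$present = [System.Collections.Generic.HashSet[string]]::new([string[]]$before)
$missing = @($carried | Where-Object { -not $present.Contains($_) })
'dbx holds {0} SHA-256 entries; update carries {1}, of which {2} are not yet present (timestamp {3})' -f `
    $before.Count, $carried.Count, $missing.Count, $split.Time
if ($missing.Count -eq 0) { 'Nothing to do: every hash in the update is already revoked.'; return }
if (-not $Apply) { 'Dry run only. Re-run with -Apply to write the update.'; return }

Set-SecureBootUEFI -Name dbx -Time $split.Time -ContentFilePath $split.ContentPath `
    -SignedFilePath $split.SignaturePath -AppendWrite
$after = Get-DbxHashes (Get-SecureBootUEFI -Name dbx).Bytes
'dbx now holds {0} SHA-256 entries (+{1})' -f $after.Count, ($after.Count - $before.Count)
```

Run it first without -Apply to see whether the revocations are actually missing (on a machine where the count of missing entries is already zero the scanner finding is stale, not unpatched), then with -Apply from an elevated prompt. Before applying, keep in mind what the Microsoft guidance article linked above warns about: anything whose hash or signing certificate is in the update (older boot loaders, some recovery or installation media) will refuse to boot on that machine afterwards, so test on one host and check that a reboot succeeds before rolling it out.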