
1 Vote
Adino-9402 asked Adino-9402 commented

Is there a fix for Windows Security Feature Bypass in Secure Boot (BootHole) ?

Is there a fix for Windows Security Feature Bypass in Secure Boot (BootHole) Medium Windows Description? This comes up as a vulnerability on our security scans and posts I've seen say there will be an upcoming fix, but it's been months and I haven't seen one yet. Any help appreciated, thanks.

windows-server

Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.

2 Votes 2 ·

The mitigation section (site) was a bit cryptic. Do you know of anyone who applied this on 2019 servers?

0 Votes 0 ·

Hi,
Not yet.
I will be watching this issue closely. If there is any related update, I will let you know.


1 Vote 1 ·
1 Vote
JennyFeng-MSFT answered z080236 commented

@RichWines-9402
Hi,
Based on my research, there is no patch or workaround.
See the Mitigations section following:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV200011
Hope the above information can help you.

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


is there any fix for Win 2016 servers?

0 Votes 0 ·
1 Vote
Adino-9402 answered z080236 commented

I also forgot to mention this is only on the 2019 servers....


How about the Win 2016 servers? Is there any fix for this?

0 Votes 0 ·
0 Votes
z080236 answered

I have done the following:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0689

Customers who need to manually install these three updates should install them in the following order:

Servicing Stack Update
Standalone Secure Boot Update listed in this CVE
January 2021 Security Update

Installed on Win Server 2016; BootHole is still there.

Not sure what is the advice for this.


0 Votes
Adino-9402 answered Adino-9402 commented

After much frustration these links below helped us to resolve the issue but Microsoft claims it will resolve with a later update:

https://support.microsoft.com/en-us/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-e3b9e4cb-a330-b3ba-a602-15083965d9ca

This MS guidance article sent us here: https://uefi.org/revocationlistfile

I downloaded the x64 file. Under “More Information” on the Microsoft guidance document, I placed the downloaded file called dbxupdate_x64.bin into a folder I created under C:\Temp\Powershell called “Dbx”.

I then downloaded the script to split this file. The file has to be split before it can be uploaded. Microsoft has a PowerShell script to run this (in the link above). There are two files it will place in the folder that are key: Content.bin and Signature.p7. There is also this file that is placed there: splitdbxcontent.1.0.0.nupkg.

SplitDbxAuthInfo.ps1 splits a DBX update package into the new DBX variable contents and the signature authorizing the change.

Run Set-SecureBootUefi script to apply the updates.


Here’s a synopsis of the steps we used:

1. Download the dbxupdate_x64.bin file.
2. Create a folder under C:\Temp\Powershell\DBX and place the scripts and the file there.
3. Open PowerShell ISE (elevated). Change directory to the DBX folder.
4. Run .\SplitDbxAuthInfo.ps1 DbxUpdate_x64.bin
5. To apply the update using the output files of this script, run: Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite

This should come back as successful.
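The steps above do the split with Microsoft's SplitDbxAuthInfo.ps1 and then trust the scanner to say whether BootHole is gone. The script below is an added example, not Microsoft's script and not code from this thread: it parses the same dbxupdate_x64.bin (an EFI_VARIABLE_AUTHENTICATION_2 blob as defined in the UEFI specification) into content.bin and signature.p7, reports the timestamp that the -Time argument must match, and then compares the SHA-256 revocation entries in content.bin against the live dbx variable so you can tell whether the update is actually present before and after the Set-SecureBootUefi call. It assumes the SecureBoot module cmdlets Confirm-SecureBootUEFI and Get-SecureBootUEFI are available and that it runs in an elevated session; the GUID constants are the well-known UEFI values, and the function names are my own.

```powershell
# Added example (not Microsoft's SplitDbxAuthInfo.ps1, not code from the thread).
# Assumptions: dbxupdate_x64.bin is the UEFI Forum revocation list in
# EFI_VARIABLE_AUTHENTICATION_2 format; the SecureBoot module cmdlets
# Confirm-SecureBootUEFI / Get-SecureBootUEFI exist; the session is elevated.
Set-StrictMode -Version Latest

# Well-known GUIDs from the UEFI specification
$EfiCertTypePkcs7Guid = [Guid]'4aafd29d-68df-49ee-8aa9-347d375665a7'
$EfiCertSha256Guid    = [Guid]'c1c41626-504c-4092-aca9-41f936934328'

function Split-DbxAuthInfo {
    # Split an authenticated-variable blob into content.bin (new dbx contents)
    # and signature.p7 (PKCS#7 authorizing the write). Returns the EFI_TIME
    # timestamp, which Set-SecureBootUefi -Time must match exactly.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutDir = (Split-Path -Parent (Resolve-Path $Path))
    )
    $b = [IO.File]::ReadAllBytes($Path)

    # EFI_TIME (16 bytes): Year(2) Month Day Hour Minute Second Pad Nanosecond(4) TimeZone(2) Daylight Pad
    $year = [BitConverter]::ToUInt16($b, 0)
    $time = '{0:D4}-{1:D2}-{2:D2}T{3:D2}:{4:D2}:{5:D2}Z' -f $year, $b[2], $b[3], $b[4], $b[5], $b[6]

    # WIN_CERTIFICATE_UEFI_GUID: dwLength(4) wRevision(2) wCertificateType(2) CertType(16) CertData[]
    $dwLength = [int][BitConverter]::ToUInt32($b, 16)
    $certType = [Guid]::new([byte[]]$b[24..39])
    if ($certType -ne $EfiCertTypePkcs7Guid) {
        throw "Unexpected certificate type $certType; expected EFI_CERT_TYPE_PKCS7_GUID"
    }
    $sigStart     = 16 + 24            # CertData begins after the 24-byte WIN_CERTIFICATE header
    $contentStart = 16 + $dwLength     # dwLength covers the whole WIN_CERTIFICATE_UEFI_GUID
    $signature = [byte[]]$b[$sigStart..($contentStart - 1)]
    $content   = [byte[]]$b[$contentStart..($b.Length - 1)]

    [IO.File]::WriteAllBytes((Join-Path $OutDir 'content.bin'),  $content)
    [IO.File]::WriteAllBytes((Join-Path $OutDir 'signature.p7'), $signature)
    return $time
}

function Get-DbxSha256Hashes {
    # Walk the chain of EFI_SIGNATURE_LIST structures in a dbx image and
    # return every EFI_CERT_SHA256 entry as an uppercase hex string.
    param([Parameter(Mandatory)][byte[]]$Data)
    $hashes = New-Object System.Collections.Generic.List[string]
    $off = 0
    while ($off + 28 -le $Data.Length) {
        # Header: SignatureType(16) SignatureListSize(4) SignatureHeaderSize(4) SignatureSize(4)
        $type     = [Guid]::new([byte[]]$Data[$off..($off + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Data, $off + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Data, $off + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Data, $off + 24)
        if ($listSize -lt 28 -or $off + $listSize -gt $Data.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $off"
        }
        $p = $off + 28 + $hdrSize
        while ($p + $sigSize -le $off + $listSize) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by SignatureData
            if ($type -eq $EfiCertSha256Guid) {
                $hashes.Add(([BitConverter]::ToString($Data, $p + 16, $sigSize - 16)) -replace '-', '')
            }
            $p += $sigSize
        }
        $off += $listSize
    }
    return $hashes
}

function Test-DbxUpdateApplied {
    # Report how many of the update's revocation hashes are already in the live dbx.
    param([Parameter(Mandatory)][string]$ContentPath)
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this machine' }
    $wanted  = @(Get-DbxSha256Hashes -Data ([IO.File]::ReadAllBytes($ContentPath)))
    $live    = @(Get-DbxSha256Hashes -Data (Get-SecureBootUEFI -Name dbx).Bytes)
    $liveSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$live)
    $missing = @($wanted | Where-Object { -not $liveSet.Contains($_) })
    [pscustomobject]@{
        UpdateEntries  = $wanted.Count
        LiveDbxEntries = $live.Count
        MissingEntries = $missing.Count
        FullyApplied   = ($missing.Count -eq 0)
    }
}

# Usage, from the folder holding dbxupdate_x64.bin (elevated PowerShell):
$ts = Split-DbxAuthInfo -Path .\dbxupdate_x64.bin
"Apply with: Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time $ts -AppendWrite"
Test-DbxUpdateApplied -ContentPath .\content.bin | Format-List
```

Running Test-DbxUpdateApplied before the write tells you whether a cumulative update has already appended these entries (in which case the scanner finding needs a different explanation), and running it again afterwards gives an objective answer to the "is BootHole still there" question that keeps coming up in this thread, independent of what the vulnerability scanner keys on. The timestamp is read from the blob rather than hard-coded because the firmware compares it against the signed EFI_TIME; a mismatch makes the write fail.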


I remember I tried this on my Win Server 2016 when this was first released in Jul 2020; after applying it, the server failed to boot up.

Then I waited for it to release in Jan 21; I applied it and it still didn't fix the issue.

Recently, in around Mar 21, I applied the KB but it seems to only work for Win 2019.

So now I am not sure whether I am waiting for a KB fix, or whether Microsoft will follow up with a KB update for Win 2016?

0 Votes 0 ·

I assume that you have applied the above steps on a Win Server 2016 and didn't have the boot-up issue?

0 Votes 0 ·

Unfortunately we never migrated to 2016 Server and only found the issue on 2019, sorry for your troubles and hopefully MS will address soon.

0 Votes 0 ·