Is there a fix for Windows Security Feature Bypass in Secure Boot (BootHole) Medium Windows Description? This comes up as a vulnerability on our security scans and posts I've seen say there will be an upcoming fix bit it's been months but haven't seen one yet. Any help appreciated, thanks.
Hi,
Just checking in to see if the information provided was helpful.
If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.
The mitigation section (site) was a bit cryptic. Do you know of anyone who applied this on 2019 servers?
Hi,
Not yet.
I will watching closely to this issue, If there is any related update, I will let you know.
@RichWines-9402
Hi,
Based on my research, there is no patch or workaround.
See the Mitigations section following:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV200011
Hope above information can help you.
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I also forgot to mention this is only on the 2019 servers....
i have done the following
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0689
Customers who need to manually install these three updates should install them in the following order:
Servicing Stack Update
Standalone Secure Boot Update listed in this CVE
January 2021 Security Update
Installed for Win server 2016, the boothole is still there.
Not sure what is the advice for this.
After much frustration these links below helped us to resolve the issue but Microsoft claims it will resolve with a later update:
This MS guidance article sent us here: https://uefi.org/revocationlistfile
I downloaded the x64 file. Under “More Information” on the Microsoft guidance document, I placed the downloaded file called dbxupdate_x64.bin into a folder I created under C:\Temp\Powershell called “Dbx”.
I then downloaded the script to split this file. The file has to be split before it can be uploaded. Microsoft has a PowerShell script to run this (in link above) There are two files it will place in the folder: Content.bin and Signature.p7 that are key. There is also this file that is placed there: splitdbxcontent.1.0.0.nupkg.
SplitDbxAuthInfo.ps1” splits a DBX update package into the new DBX variable contents and the signature authorizing the change.
Run Set-SecureBootUefi script to apply the updates.
Here’s a synopsis of the steps we used:
Download the dbxupdate_x64.bin file.
Create a folder under C:\Temp\Powershell\DBX and place the scripts and the file there.
Open PowerShell ISE (elevated). Change directory to the DBX folder.
Run .\SplitDbxAuthInfo.ps1 DbxUpdate_x64.bin
To apply the update using the output files of this script, run: Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite'
This should come back as successful.
I remembered I tried this on my Win server 2016, when this was first released in Jul 2020, after applying it failed to bootup.
Then, I waited for it to release in Jan 21, I applied and it still didnt fix the issue.
Recently, in around Mar 21, I applied the KB but it seems to only work for Win 2019.
So now, I am not sure I am waiting for a KB fix, or Microsoft will follow up with a KB update for Win 2016?
i assume that you have applied the above steps in a Win server 2016 and didn't have the bootup issue?
Unfortunately we never migrated to 2016 Server and only found the issue on 2019, sorry for your troubles and hopefully MS will address soon.
5 people are following this question.
