9manloon-5206 asked z080236 edited

Windows Security Feature Bypass in Secure Boot (BootHole) cannot be fixed for Server 2019 (VMware Guest)

I have scanned my Windows Server 2019 VM Guest (VMware) and get the Windows Security Feature Bypass in Secure Boot (BootHole) warning.


I am sure that Secure Boot of the VM Guest has been enabled in the VMware settings. (Besides, the VMware Host is up to date.)


I have run the Windows Update so that the server is up to date.
Also, I have followed Microsoft’s instructions (the link below) to apply the update for Secure Boot DBX and got a positive result from the Server.
https://support.microsoft.com/en-us/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-e3b9e4cb-a330-b3ba-a602-15083965d9ca



However, when I ran the Nessus scan again, the same vulnerability warning still came up with the same message. What did I miss?


windows-server-2019

LeonLaude answered 9manloon-5206 commented

Hi @9manloon-5206,

I just want to say that I have found Nessus not to always be 100% reliable; the same could also be true of any other scanning tool.
Even if the system is fully mitigated from vulnerabilities, the scanning software may sometimes still show that there's a vulnerability.

If you have followed the Microsoft guidance, then I would say it is enough.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)


Best regards,
Leon


But somehow Nessus still shows this detection and I want to know how Nessus decides, because this issue doesn't happen in Windows Server 2016 and Windows Server 2012R2 on the same VM host.

TeemoTang-MSFT answered 9manloon-5206 commented

I have run the Windows Update so that the server is up to date.
Also, I have followed Microsoft’s instructions (the link below) to apply the update for Secure Boot DBX and got a positive result from the Server.
https://support.microsoft.com/en-us/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-e3b9e4cb-a330-b3ba-a602-15083965d9ca

You have done a good job. In general, keeping your Server 2019 up to date and Windows Defender working is enough for system security.
Please refer to this similar case for a hint:
https://docs.microsoft.com/en-us/answers/questions/246018/is-there-a-fix-for-windows-security-feature-bypass.html


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



I just want to know if there is anybody with Windows Server 2019 without this warning. Or will the warning always show up as long as you are using Windows Server 2019?

z080236 answered z080236 edited

I was told by Nessus that this vulnerability will only go off after applying all the DBX files, not only the Apr 2021 bin.

Check-Dbx.ps1 '.\dbx-2020-July.bin'

Check-Dbx.ps1 '.\dbx-2020-October.bin'

Not sure what Microsoft recommends:
1. Apply all DBX files? or
2. Apply the latest DBX file
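
One way to check on the server itself whether every SHA-256 hash in each DBX file is already present in the firmware's live dbx variable (an added example, not code from this thread and not the Check-Dbx.ps1 script). It assumes an elevated PowerShell session on a UEFI system, that each .bin file is either a signed DBX update package or raw EFI_SIGNATURE_LIST data, and it compares SHA-256 entries only; the function names are hypothetical.

```powershell
# Added example, not code from the thread; function names are hypothetical.
function Get-DbxSha256 {                       # returns the SHA-256 entries as a HashSet
    param([byte[]]$Bytes)
    $sha256Type = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $hashes = [System.Collections.Generic.HashSet[string]]::new()
    [int]$pos = 0
    # Signed update files begin with EFI_VARIABLE_AUTHENTICATION_2: EFI_TIME (16 bytes)
    # then WIN_CERTIFICATE, whose dwLength covers its header plus the PKCS#7 blob.
    if ($Bytes.Length -gt 24 -and [BitConverter]::ToUInt16($Bytes, 22) -eq 0x0EF1) {
        $pos = 16 + [BitConverter]::ToInt32($Bytes, 16)
    }
    while ($pos + 28 -le $Bytes.Length) {      # 28-byte EFI_SIGNATURE_LIST header
        $type = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        [int]$listSize = [BitConverter]::ToInt32($Bytes, $pos + 16)
        [int]$hdrSize  = [BitConverter]::ToInt32($Bytes, $pos + 20)
        [int]$sigSize  = [BitConverter]::ToInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -lt 17 -or
            $pos + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $pos"
        }
        if ($type -eq $sha256Type) {
            # Each entry is a 16-byte owner GUID followed by the hash itself.
            for ($e = $pos + 28 + $hdrSize; $e + $sigSize -le $pos + $listSize; $e += $sigSize) {
                $null = $hashes.Add([BitConverter]::ToString($Bytes, $e + 16, $sigSize - 16))
            }
        }
        $pos += $listSize
    }
    return ,$hashes
}

function Test-DbxApplied {                     # compares one DBX file with the live dbx
    param([string]$UpdateFile)
    $live    = Get-DbxSha256 (Get-SecureBootUEFI -Name dbx).Bytes
    $wanted  = Get-DbxSha256 ([IO.File]::ReadAllBytes((Resolve-Path $UpdateFile).Path))
    $missing = @($wanted | Where-Object { -not $live.Contains($_) })
    [pscustomobject]@{
        File    = $UpdateFile
        InFile  = $wanted.Count
        Missing = $missing.Count
        Applied = ($missing.Count -eq 0)
    }
}

# File names as given in the answer above; one result row per DBX file.
'.\dbx-2020-July.bin', '.\dbx-2020-October.bin' | ForEach-Object { Test-DbxApplied $_ }
```

A row with a non-zero Missing count means that file's revocations are not all in the firmware's dbx; this shows the state of the server and says nothing about how a scanner reaches its verdict.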
