ADV200011

Published: 13 Jul 2021
Source: msrc

Description

Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Executive Summary

Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot”, could allow for Secure Boot bypass.

To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.

Microsoft is working to complete validation and compatibility testing of a required Windows Update that addresses this vulnerability. If you are an IT professional and would like to immediately address this vulnerability, please see the mitigation option on installing an untested update. When the Windows updates become available, customers will be notified via revision to this advisory. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications and Coming Soon: New Security Update Guide Notification System.

This vulnerability is detectable via TPM attestation and Defender ATP.

CVEs released for this issue: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707.

Update: March 2, 2021

A new set of similar vulnerabilities has been discovered, documented under: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-3418, CVE-2021-20225, CVE-2021-20233.

Update: August 9, 2022

Microsoft has released standalone security update 5012170 to provide protection against the vulnerabilities described in this advisory. See the FAQ section and KB5012170: Security update for Secure Boot DBX: August 9, 2022 for more information about this update.

Background Information

In 2012, Microsoft introduced the Secure Boot feature into the then-new UEFI-based PC ecosystem. UEFI Secure Boot is an anti-rootkit feature that defends the boot process from untrusted code execution. As part of enabling this feature, Microsoft signs boot code both for Windows and for third parties, including Linux distributions. This signed boot code allows Linux systems to take advantage of Secure Boot.

The GRUB vulnerability provides a way to bypass the UEFI Secure Boot security feature for any system that trusts the Microsoft 3rd-party UEFI signer, which includes many PCs.

Mitigations

See the Mitigations section following the Exploitability section.

Recommended Actions

Microsoft recommends that enterprise customers review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

References

CVEs published March 2, 2021:

Mitigations

Microsoft has identified the following mitigations. Please be advised that these mitigations are not compatible with all software on all devices, so please ensure that your system is compatible before taking any action.

Reconfigure Secure Boot

  • Microsoft Surface provides the capability to configure Secure Boot with or without trust in the 3rd-party UEFI CA. Surface customers who do not require the 3rd-party UEFI CA can configure Secure Boot as 'Microsoft only' as a mitigation to this issue. For more information see Manage Surface UEFI settings.

WARNING Modification of UEFI Secure Boot configuration can trigger BitLocker Recovery and failures in other security software. Be sure to suspend BitLocker and have your BitLocker Recovery Key available if you are performing this operation.

  • Other OEMs may provide a similar reconfiguration option. Contact your OEM for more information.

Manually install untested DBX update

Working with the Linux community, Microsoft has released an untested update to address this vulnerability. This optional DBX update has received limited testing and is intended for IT professionals and enthusiasts. The update is hosted by the UEFI Forum at: https://uefi.org/revocationlistfile.

Important Please note that the currently available DBX update applies to the CVEs originally released for this issue on July 29, 2020, and to the additional CVEs released on March 2, 2021. We recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Please see the References section of this advisory for guidance on installing this update.

WARNING Installation of this patch on incompatible systems could result in runtime error, system hang, or even unrecoverable failure to boot. Please check with your OEM to determine if your equipment is compatible.

FAQ

Is BitLocker affected by this vulnerability?

No. BitLocker is not affected.

Are Hyper-V guests configured for Secure Boot of Windows vulnerable?

No. Hyper-V guests configured for Secure Boot of Windows are not vulnerable.

How do I know my system might be affected by this vulnerability?

Run the following command in an administrative PowerShell session:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'

If the PowerShell command returns “True”, then your system firmware trusts the 'Microsoft Corporation UEFI CA 2011' signing Certificate Authority that is used to sign third-party boot managers, and it will allow the known vulnerable third-party boot managers to be installed and run on your system if the latest DBX update is not installed to firmware. If the PowerShell command returns “False”, then third-party boot managers will not be trusted by your system.

For more detailed instructions on verifying and manually applying updates, see Microsoft guidance for applying Secure Boot DBX update.

Note that it is not necessary to verify that your system firmware trusts the 'Microsoft Corporation UEFI CA 2011' signing Certificate Authority. You can automatically install the latest update if it is applicable to your system. See KB5012170: Security update for Secure Boot DBX - Microsoft Support for more details.
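The one-line check above only answers whether db trusts the third-party CA. The following script is an added example (it is not part of the Microsoft advisory or of KB5012170) that wraps the advisory's own db check together with the other signals a defender would want on the same host: whether Secure Boot is enabled, how many revocation entries the DBX currently holds, and whether KB5012170 is reported as installed. The DBX is parsed as an array of EFI_SIGNATURE_LIST structures as laid out in the UEFI specification; the two signature-type GUIDs are the spec's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID. The function and property names are this example's own, and the "likely exposed" flag is a heuristic: a DBX applied manually from the UEFI Forum file will not show up as a KB, and Get-HotFix does not list every package.

```powershell
# Added example for ADV200011 triage (not Microsoft's code). Run in an elevated
# PowerShell session on a UEFI system; Get-SecureBootUEFI is unavailable on
# legacy BIOS hosts and Confirm-SecureBootUEFI throws there.
#Requires -RunAsAdministrator

function Get-EfiSignatureListSummary {
    # Count entries per signature type in a UEFI signature database.
    # EFI_SIGNATURE_LIST layout (UEFI spec): SignatureType GUID (16 bytes),
    # SignatureListSize UINT32, SignatureHeaderSize UINT32, SignatureSize UINT32,
    # SignatureHeader, then N signatures of SignatureSize bytes each
    # (each beginning with a 16-byte SignatureOwner GUID).
    param([byte[]]$Bytes)

    $typeNames = @{
        'c1c41626-504c-4092-aca9-41f936934328' = 'EFI_CERT_SHA256'   # EFI_CERT_SHA256_GUID
        'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'EFI_CERT_X509'     # EFI_CERT_X509_GUID
    }
    $counts = @{}
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $guid     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $n = 0
        if ($sigSize -gt 0) { $n = [int](($listSize - 28 - $hdrSize) / $sigSize) }
        $name = $typeNames[$guid.ToString()]
        if (-not $name) { $name = $guid.ToString() }   # unknown type: report the raw GUID
        $counts[$name] = [int]$counts[$name] + $n
        $offset += $listSize
    }
    return $counts
}

function Test-Adv200011Posture {
    $secureBoot = Confirm-SecureBootUEFI
    $db  = (Get-SecureBootUEFI -Name db).Bytes
    $dbx = (Get-SecureBootUEFI -Name dbx).Bytes

    # The advisory's own check: does db trust the third-party signing CA?
    $trustsThirdPartyCa = [System.Text.Encoding]::ASCII.GetString($db) -match 'Microsoft Corporation UEFI CA 2011'

    $dbxSummary = Get-EfiSignatureListSummary -Bytes $dbx

    # Get-HotFix only reports packages it knows about; a miss means "not reported",
    # not "not applied". A manually applied DBX from uefi.org never appears here.
    $kb = Get-HotFix -Id 'KB5012170' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled      = $secureBoot
        TrustsThirdPartyUefiCa = $trustsThirdPartyCa
        DbxSha256Entries       = [int]$dbxSummary['EFI_CERT_SHA256']
        DbxX509Entries         = [int]$dbxSummary['EFI_CERT_X509']
        KB5012170Reported      = [bool]$kb
        # Heuristic: Secure Boot on, third-party CA trusted, and no KB reported.
        # Cross-check DbxSha256Entries against the revocation list you expect.
        LikelyExposed          = ($secureBoot -and $trustsThirdPartyCa -and -not $kb)
    }
}

Test-Adv200011Posture | Format-List
```

The DBX entry counts are the useful part when KB5012170 is absent: a host whose DBX was updated from the UEFI Forum file will show a much larger EFI_CERT_SHA256 count than factory firmware, so compare the number against a known-good reference host in the same fleet rather than treating the KB flag alone as the answer.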

What is UEFI?

UEFI (Unified Extensible Firmware Interface) defines the interactions between the operating system and the platform firmware. The Secure Boot feature of UEFI prevents the loading of operating system loaders and firmware drivers that are not signed by a trusted signature.

What is GRUB?

GRUB (GRand Unified Bootloader) is the default boot loader for multiple Linux Distributions. It loads the selected kernel or operating system upon boot.

What is DBX?

DBX is the UEFI Forbidden Signature Database; it tracks revoked boot images.

Does this vulnerability only affect Linux?

No. The vulnerability affects any computer where Secure Boot trusts the 3rd-party UEFI CA.

You have indicated that an optional update is available. When will this update become mandatory?

Microsoft will release an update to address this vulnerability during mid-year 2022. You can register for the security notifications mailer to be alerted when this update is available, and when content changes are made to this advisory. See Microsoft Technical Security Notifications and Coming Soon: New Security Update Guide Notification System.

Why are there different security update packages for this CVE?

These are standalone security updates. These packages must be installed in addition to the normal security updates to be protected from this vulnerability.

Are there any prerequisites to these security updates?

These security updates have a Servicing Stack Update prerequisite for specific KB numbers. The packages have built-in prerequisite logic to ensure the ordering.

Customers should ensure that they have the latest Servicing Stack Update installed before installing these standalone security updates. See ADV990001 | Latest Servicing Stack Updates for more information.

If I need to manually install these standalone updates, a Servicing Stack Update, and an August 2022 Security Update, in what order should they be installed?

Customers who need to manually install these three updates should install them in the following order:

  • Servicing Stack Update
  • Standalone Secure Boot Update listed in this CVE
  • August 2022 Security Update

Customers whose systems are configured to receive automatic updates will automatically receive these updates in the correct order.

Is there anything else that I should know about these updates?

If Windows Defender Credential Guard (Virtual Secure Mode) is enabled, two additional reboots will be required.

Updates

Product | Article | Update
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows Server 2012 R2
Windows RT 8.1
-
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows Server 2016


Exploitability

Publicly Disclosed

No

Exploited

No

DOS

N/A