CVE-2024-23594

FAQ

Why is this Lenovo CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in certain Lenovo bootloaders. The mitigation for this vulnerability requires a Windows update. This CVE is being documented in the Security Update Guide to announce that the latest builds of Windows enable the mitigation and provide protection against the vulnerability.

Please see the following for more information:

• LEN-132277

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An attacker who successfully exploited this vulnerability could bypass Secure Boot.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

Are there additional steps I need to take to be protected from this vulnerability?

All customers should apply the April 9, 2024 Windows security updates. These security updates address this vulnerability by updating the Windows Boot Manager and other components, but the protections are not enabled by default. Additional steps are required at this time to mitigate this vulnerability. Please refer to KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932. This article describes the protection against this Secure Boot security feature bypass, how to enable the protections, and guidance to update bootable media.