Secure Boot Security Feature Bypass Vulnerability

2016-08-09T07:00:00
ID MS:CVE-2016-3320
Type mscve
Reporter Microsoft
Modified 2016-08-09T07:00:00

Description

A security feature bypass vulnerability exists when Windows Secure Boot improperly loads a boot manager that is affected by the vulnerability. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device. Furthermore, the attacker could bypass Secure Boot Integrity Validation for BitLocker and Device Encryption security features.

To exploit the vulnerability, an attacker who has gained administrative privileges or who has physical access to a target device could install an affected boot manager and then install a policy affected by the vulnerability onto a target device.

The security update addresses the vulnerability by blacklisting affected boot managers.

Configure BitLocker to use Trusted Platform Module (TPM)+PIN protection

To enable the TPM and PIN protector, enable the enhanced protection group policy as follows:

  1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
  2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. In the right-hand pane, double-click Require additional authentication at startup.
  4. In the dialog box that appears, click Enabled.
  5. Under Options, select Require TPM and Require startup PIN with TPM.
  6. Click Apply and exit the Local Group Policy Editor.
  7. Open the command prompt with Administrator privileges.
  8. Enter the following command, substituting your OS volume letter for c: if it is different: manage-bde -protectors -add c: -tpmandpin
  9. When prompted for a PIN, enter a 4- or 6-digit PIN.
  10. Restart the system.
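The procedure above sets the policy through gpedit.msc and then adds the protector with manage-bde. The following PowerShell script is an added example (not part of the Microsoft advisory) that does the same two things in a way that can be verified and repeated across machines: it reads back the policy values the "Require additional authentication at startup" setting writes, swaps a TPM-only protector for a TPM+PIN protector, and reports the resulting state. It assumes the OS volume is C:, that the BitLocker PowerShell module is available (Windows 8.1/10 and later), and that the policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE in the value names shown (UseAdvancedStartup, UseTPM, UseTPMPIN, with 1 meaning "Require"); the last point is an assumption about the ADMX mapping, not something the advisory states.

```powershell
# Added example, not from the Microsoft advisory. Run from an elevated PowerShell prompt.
# Assumption: the "Require additional authentication at startup" policy writes the
# values below under the FVE policy key (1 = Require, 2 = Allow, 0 = Do not allow).
param(
    [string]$MountPoint = 'C:'
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-TpmPinPolicy {
    # True when steps 1-6 above have been applied: advanced startup enabled,
    # TPM required, and a startup PIN with the TPM required.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return ($p.UseAdvancedStartup -eq 1 -and $p.UseTPM -eq 1 -and $p.UseTPMPIN -eq 1)
}

function Get-OsVolumeProtectors {
    param([string]$Mount)
    # KeyProtector lists every protector on the volume with its type
    # (Tpm, TpmPin, RecoveryPassword, ...).
    $vol = Get-BitLockerVolume -MountPoint $Mount
    return $vol.KeyProtector | Select-Object KeyProtectorId, KeyProtectorType
}

function Enable-TpmPinProtector {
    param([string]$Mount, [securestring]$Pin)
    # Equivalent of step 8 ("manage-bde -protectors -add c: -tpmandpin").
    # A volume can hold only one TPM-based protector, so a plain TPM protector is
    # removed and replaced by TPM+PIN. Refuse to touch the volume unless a
    # recovery password protector exists, so the drive can always be recovered.
    $vol = Get-BitLockerVolume -MountPoint $Mount
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        throw "No recovery password protector on $Mount; back one up before changing the TPM protector."
    }
    foreach ($kp in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $Mount -TpmAndPinProtector -Pin $Pin | Out-Null
}

function Test-TpmPinApplied {
    param([string]$Mount)
    # Summarises whether both halves of the workaround are in place:
    # the policy requiring a PIN, and an actual TPM+PIN protector on the volume.
    $vol = Get-BitLockerVolume -MountPoint $Mount
    $tpmPin = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
    return [pscustomobject]@{
        MountPoint        = $Mount
        ProtectionStatus  = $vol.ProtectionStatus
        TpmPinProtector   = ($tpmPin.Count -gt 0)
        PolicyRequiresPin = (Test-TpmPinPolicy)
    }
}

# Usage: inspect, apply (prompting for the PIN so it never lands in history), re-check.
Get-OsVolumeProtectors -Mount $MountPoint
if (-not (Test-TpmPinApplied -Mount $MountPoint).TpmPinProtector) {
    $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
    Enable-TpmPinProtector -Mount $MountPoint -Pin $pin
}
Test-TpmPinApplied -Mount $MountPoint | Format-List
```

The script reports PolicyRequiresPin and TpmPinProtector separately because the two can disagree: the policy only governs what protectors may be created, while the protector on the volume is what the pre-boot environment actually enforces. A fleet check that looks at only one of them will miss machines where the GPO applied but manage-bde was never run, or the reverse. As in the advisory, a restart is still needed before the PIN prompt appears.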

Impact of workaround. The user will be required to enter the PIN every time the computer restarts.

How to undo the workaround

  1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
  2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. In the right-hand pane, double-click Require additional authentication at startup.
  4. In the dialog box that appears, click Enabled.
  5. Under Options, select Allow TPM and Allow startup PIN with TPM.
  6. Click Apply and exit the Local Group Policy Editor.
  7. Restart the system.

Disable Secure Boot integrity protection of BitLocker

To stop BitLocker from using Secure Boot for integrity validation, you must follow each of the steps in order.

  1. Disable BitLocker
    1. Open Control Panel and then click BitLocker Drive Encryption.
    2. Click Turn off BitLocker.
    3. In the BitLocker Drive Encryption dialog box, click Turn off BitLocker.
    4. Exit Control Panel.
  2. Disable Secure Boot
    1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
    2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    3. Double-click Allow Secure Boot for integrity validation.
    4. In the dialog box that appears, click Disabled.
    5. Click Apply and exit the Local Group Policy Editor.
  3. Re-enable BitLocker
    1. Open Control Panel, then click BitLocker Drive Encryption.
    2. Click Turn on BitLocker.
    3. In the BitLocker Drive Encryption dialog box, click Turn on BitLocker.
    4. Exit Control Panel.
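The workaround above changes a policy and then turns BitLocker off and on again, because an existing TPM protector keeps the PCR profile it was created with; only a newly created protector picks up the changed setting. The following PowerShell script is an added example (not part of the Microsoft advisory) for auditing both layers on the OS volume: the firmware Secure Boot state, the "Allow Secure Boot for integrity validation" policy value, and the PCR profile the volume's TPM protector is actually bound to, taken from manage-bde output. Two things are assumptions rather than facts from the advisory: that the policy is stored as OSAllowSecureBootForIntegrity under HKLM:\SOFTWARE\Policies\Microsoft\FVE, and that "manage-bde -protectors -get" prints the PCR profile in the layout of the constructed sample embedded below.

```powershell
# Added example, not from the Microsoft advisory. Run from an elevated PowerShell prompt.
# Assumptions: policy value name OSAllowSecureBootForIntegrity (0 = disabled, 1 or absent
# = allowed), and the manage-bde output layout shown in the constructed sample.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-SecureBootIntegrityPolicy {
    # Returns NotConfigured, Disabled (the workaround above is applied) or Enabled.
    if (-not (Test-Path $PolicyKey)) { return 'NotConfigured' }
    $v = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).OSAllowSecureBootForIntegrity
    if ($null -eq $v) { return 'NotConfigured' }
    if ($v -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function ConvertFrom-ProtectorListing {
    param([string]$Text)
    # Parses the text of "manage-bde -protectors -get <volume>" (layout is an assumption).
    # A profile containing PCR 7, or the explicit note, means Secure Boot is in use.
    $m = [regex]::Match($Text, 'PCR Validation Profile:\s*\r?\n\s*([\d, ]+)')
    $pcrs = @()
    if ($m.Success) {
        $pcrs = @($m.Groups[1].Value.Trim() -split ',\s*' | ForEach-Object { [int]$_ })
    }
    $note = $Text -match 'Uses Secure Boot for integrity validation'
    return [pscustomobject]@{
        Pcrs           = $pcrs
        UsesSecureBoot = ($note -or ($pcrs -contains 7))
    }
}

function Get-OsVolumeValidationState {
    param([string]$MountPoint = 'C:')
    # Firmware state: Confirm-SecureBootUEFI throws on legacy BIOS systems, so report $null there.
    $firmware = $null
    try { $firmware = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $listing = (& manage-bde.exe -protectors -get $MountPoint) -join "`n"
    $parsed  = ConvertFrom-ProtectorListing -Text $listing

    return [pscustomobject]@{
        MountPoint             = $MountPoint
        FirmwareSecureBootOn   = $firmware
        PolicyAllowsSecureBoot = (Get-SecureBootIntegrityPolicy)
        VolumePcrProfile       = ($parsed.Pcrs -join ',')
        VolumeUsesSecureBoot   = $parsed.UsesSecureBoot
    }
}

# Constructed sample (not output captured from a real device) so the parser can be
# exercised offline. The GUIDs are placeholders.
$Sample = @"
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {PLACEHOLDER-GUID-1}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)

    Numerical Password:
      ID: {PLACEHOLDER-GUID-2}
"@
ConvertFrom-ProtectorListing -Text $Sample   # Pcrs = 7,11 ; UsesSecureBoot = True

# Live check of the OS volume:
# Get-OsVolumeValidationState -MountPoint 'C:' | Format-List
```

The useful signal is a mismatch between PolicyAllowsSecureBoot and VolumeUsesSecureBoot: a machine where the policy reads Disabled but the volume still shows PCR 7 has had the GPO applied without the off/on cycle in steps 1 and 3, so the protector is still bound to Secure Boot. The reverse mismatch after undoing the workaround is the same omission in the other direction.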

Impact of workaround. Disabling Secure Boot integrity validation may cause systems to enter BitLocker recovery mode more often when you update firmware versions or BCD settings, because BitLocker then measures the firmware and boot configuration directly instead of relying on the Secure Boot policy.

How to undo the workaround

  1. Disable BitLocker
    1. Open Control Panel, then click BitLocker Drive Encryption.
    2. Click Turn off BitLocker.
    3. In the BitLocker Drive Encryption dialog box, click Turn off BitLocker.
    4. Exit Control Panel.
  2. Enable Secure Boot
    1. Click Start, click Run, type gpedit.msc, and then click OK to open the Local Group Policy Editor.
    2. Under Local Computer Policy, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    3. Double-click Allow Secure Boot for integrity validation.
    4. In the dialog box that appears, click Enabled.
    5. Click Apply and exit the Local Group Policy Editor.
  3. Re-enable BitLocker
    1. Open Control Panel, then click BitLocker Drive Encryption.
    2. Click Turn on BitLocker.
    3. In the BitLocker Drive Encryption dialog box, click Turn on BitLocker.
    4. Exit Control Panel.

Mitigating factors

The following mitigating factors may be helpful in your situation: to exploit the vulnerability, an attacker must have either administrative privileges or physical access to the target device.