Secure Boot Component Security Feature Bypass Vulnerability

2016-11-0808:00:00

Microsoft

msrc.microsoft.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

68.1%

JSON

A security feature bypass vulnerability exists when Windows Secure Boot improperly loads a boot policy that is affected by the vulnerability. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device.

To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy.

The security update addresses the vulnerability by revoking affected boot policies in the firmware. The revocation protection level depends upon platform firmware. The Windows event channel Microsoft-Windows-Kernel-Boot may be used to determine the protection level provided. Note that an additional reboot is needed to view the event:

Windows versions prior to Windows 10 do not log the event by default. You must enable “analytic” logging for this channel prior to installation of the patch.
Windows versions 10 and higher log the event by default. Event ID 155 indicates baseline protection. Event ID 154 indicates enhanced protection.

For systems that provide baseline protection, firmware updates from your OEM may be available that upgrade systems to enhanced protection.