KB5012170: Security update for Secure Boot DBX

2022-08-09 07:00:00
Microsoft
support.microsoft.com
uefi
secure boot
security feature bypass
vulnerability
bitlocker group policy
servicing stack update

CVSS2: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: LOCAL | Attack Complexity: LOW | Authentication: NONE
  Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

CVSS3: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL | Attack Complexity: LOW | Privileges Required: HIGH | User Interaction: NONE
  Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

AI Score: 7 (Confidence: High)
EPSS: 0.001 (Percentile: 34.5%)


NOTE: Improved diagnostics have been added to detect and report issue details through the event log. See KB5016061: Addressing vulnerable and revoked Boot Managers for more information.

Applies to

This security update applies only to the following Windows versions:

  • Windows Server 2012
  • Windows 8.1 and Windows Server 2012 R2
  • Windows 10, version 1507
  • Windows 10, version 1607 and Windows Server 2016
  • Windows 10, version 1809 and Windows Server 2019
  • Windows 10, version 20H2
  • Windows 10, version 21H1
  • Windows 10, version 21H2
  • Windows 10, version 22H2
  • Windows Server 2022
  • Windows 11, version 21H2
  • Windows 11, version 22H2
  • Azure Stack HCI, version 1809
  • Azure Stack Data Box, version 1809 (ASDB)

Summary

This security update makes improvements to the Secure Boot DBX for the supported Windows versions listed in the “Applies to” section. Key changes include the following:

  • Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents the UEFI modules it lists from loading. This update adds modules to the DBX.

A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
To learn more about this security vulnerability, see the following advisory:

  • [ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB](<https://msrc.microsoft.com/update-guide/vulnerability/ADV200011>)
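To make concrete what "adding the signatures of vulnerable modules to the DBX" means, the following added example (not Microsoft's code and not derived from dbxupdate.bin) parses the chain of UEFI EFI_SIGNATURE_LIST structures that a DBX payload consists of and checks whether a module's digest is revoked. It assumes a constructed sample payload with placeholder owner GUIDs and plain SHA-256 digests of constructed bytes; a real dbxupdate.bin additionally carries an EFI_VARIABLE_AUTHENTICATION_2 header that must be stripped before the lists, and its entries are Authenticode digests of the PE images.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): each entry is a SHA-256 digest of a PE image.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 16 + 4 + 4 + 4   # SignatureType GUID + SignatureListSize/HeaderSize/Size
OWNER_LEN = 16                # SignatureOwner GUID that starts each EFI_SIGNATURE_DATA

def parse_signature_lists(blob: bytes) -> list[tuple[uuid.UUID, list[bytes]]]:
    """Walk a chain of EFI_SIGNATURE_LIST structures; return [(type, [data, ...]), ...]."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        data_len = list_size - HEADER_LEN - hdr_size
        if (off + list_size > len(blob) or sig_size <= OWNER_LEN
                or data_len < 0 or data_len % sig_size):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        start = off + HEADER_LEN + hdr_size
        entries = [blob[start + i * sig_size + OWNER_LEN:start + (i + 1) * sig_size]
                   for i in range(data_len // sig_size)]   # owner GUID stripped
        lists.append((sig_type, entries))
        off += list_size
    return lists

def build_sha256_list(digests: list[bytes], owner=uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_CERT_SHA256 list (owner GUID is a constructed placeholder)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    header = struct.pack("<III", HEADER_LEN + len(body), 0, OWNER_LEN + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + header + body

def revoked_sha256_digests(dbx: bytes) -> set[bytes]:
    return {d for t, entries in parse_signature_lists(dbx)
            if t == EFI_CERT_SHA256_GUID for d in entries}

def module_digest(image: bytes) -> bytes:
    # Stand-in: real DBX entries are Authenticode PE digests; sample modules are plain bytes.
    return hashlib.sha256(image).digest()

def is_revoked(image: bytes, dbx: bytes) -> bool:
    """True when the module's digest is in the DBX, so firmware would refuse to load it."""
    return module_digest(image) in revoked_sha256_digests(dbx)

# Constructed sample payload: two stand-in revoked modules, not real dbxupdate.bin data.
REVOKED_MODULE = b"constructed stand-in for a revoked boot module"
SAMPLE_DBX = build_sha256_list([module_digest(REVOKED_MODULE),
                                module_digest(b"second constructed revoked module")])
```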
    

For additional information about this security vulnerability, see the following resources:

Known issues

Issue: If the BitLocker Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, the update may fail to install.

Next step: To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions. To work around this issue, do one of the following before you deploy this update:

  • On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:

    `Manage-bde -Protectors -Disable C: -RebootCount 1`

    Then, deploy the update and restart the device to resume the BitLocker protection.

  • On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

    `Manage-bde -Protectors -Disable C: -RebootCount 3`

    Then, deploy the update and restart the device to resume the BitLocker protection.

Issue: When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922. Note: This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates.

Next step: To resolve this issue, install the Servicing Stack Update (SSU) released March 14, 2023, or a later SSU, for your supported Windows operating system:

  • Windows 11, version 22H2 SSU (SSU installed from cumulative update KB5023706)
  • Windows 11, version 21H2 SSU (SSU installed from cumulative update KB5023698)
  • Windows Server 2022 SSU (SSU installed from cumulative update KB5023705)
  • Windows 10, version 20H2, 21H2, and 22H2 SSU (SSU installed from cumulative update KB5023696)
  • Windows 10, version 1809/Windows Server 2019 (SSU installed from cumulative update KB5023702)
  • Windows Server 2016 SSU KB5023788
  • Windows 10 SSU KB5023787
  • Windows Server 2012 R2 SSU KB5023790
  • Windows Server 2012 SSU KB5023791

For information about the new error events added by these SSU updates and actions to take when an error occurs, see KB5016061.

Issue: Some devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11.

Next step: This issue is addressed in the servicing stack updates (SSU) and the latest cumulative updates (LCU) dated July 12, 2022 and later.

How to get this update

| Release Channel | Available | Next Step |
| --- | --- | --- |
| Windows Update or Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update. |
| Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. |
| Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website. |
| Windows Server Update Services (WSUS) | Yes | This update will automatically synchronize with WSUS if you configure Products and Classifications as follows. Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box. Classification: Security Updates |

Prerequisites

Make sure you have the latest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see ADV990001.

File information

The English (United States) version of this security update installs files that have the attributes that are listed in the following tables.

Azure Stack HCI, version 1809

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 13-Jul-2022 | 18:12 | 3 |
| dbxupdate.bin | Not versioned | 13-Jul-2022 | 18:12 | 13,778 |
| TpmTasks.dll | 10.0.17784.2602 | 20-Jul-2022 | 21:53 | 114,688 |

Azure Stack Data Box, version 1809

For all supported x86-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 13-Jun-2022 | 21:46 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 17:50 | 6,002 |
| TpmTasks.dll | 10.0.17763.10933 | 20-Jul-2022 | 21:13 | 84,992 |

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 13-Jul-2022 | 18:07 | 3 |
| dbxupdate.bin | Not versioned | 13-Jul-2022 | 18:07 | 13,778 |
| TpmTasks.dll | 10.0.17763.10933 | 20-Jul-2022 | 21:32 | 110,592 |

Windows 11, version 22H2

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 16-Jun-2022 | 19:56 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:18 | 13,778 |
| TpmTasks.dll | 10.0.19041.1880 | 11-Jul-2022 | 21:05 | 296,960 |

For all supported Arm64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 6-Jun-2022 | 18:24 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:16 | 4,370 |
| TpmTasks.dll | 10.0.19041.1880 | 11-Jul-2022 | 20:43 | 324,096 |

Windows 11, version 21H2

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 23-Apr-2022 | 14:18 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:06 | 13,778 |
| TpmTasks.dll | 10.0.22000.850 | 11-Jul-2022 | 20:34 | 323,584 |

For all supported Arm64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 23-Apr-2022 | 14:18 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:04 | 4,370 |
| TpmTasks.dll | 10.0.22000.850 | 11-Jul-2022 | 20:50 | 313,856 |

Windows Server 2022

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 23-Apr-2022 | 14:18 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:06 | 13,778 |
| TpmTasks.dll | 10.0.22000.850 | 11-Jul-2022 | 20:34 | 323,584 |

For all supported Arm64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 23-Apr-2022 | 14:18 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:04 | 4,370 |
| TpmTasks.dll | 10.0.22000.850 | 11-Jul-2022 | 20:50 | 313,856 |

Windows 10, version 22H2

For all supported x86-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 30-Dec-21 | 18:29 | 3 |
| dbxupdate.bin | Not versioned | 21-Jul-22 | 0:24 | 6,002 |
| TpmTasks.dll | 10.0.14393.5285 | 21-Jul-22 | 0:25 | 59,904 |

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 30-Sep-21 | 13:17 | 3 |
| dbxupdate.bin | Not versioned | 21-Jul-22 | 1:38 | 13,778 |
| TpmTasks.dll | 10.0.14393.5285 | 21-Jul-22 | 1:42 | 72,192 |

For all supported Arm64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 6-Jun-2022 | 18:24 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:16 | 4,370 |
| TpmTasks.dll | 10.0.19041.1880 | 11-Jul-2022 | 20:43 | 324,096 |

Windows 10, version 20H2, 21H1, and 21H2

For all supported x86-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 11-Jul-2022 | 18:16 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:16 | 6,002 |
| TpmTasks.dll | 10.0.19041.1880 | 11-Jul-2022 | 20:38 | 242,688 |

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 16-Jun-2022 | 19:56 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:18 | 13,778 |
| TpmTasks.dll | 10.0.19041.1880 | 11-Jul-2022 | 21:05 | 296,960 |

For all supported Arm64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 6-Jun-2022 | 18:24 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:16 | 4,370 |
| TpmTasks.dll | 10.0.19041.1880 | 11-Jul-2022 | 20:43 | 324,096 |

Windows 10, version 1809 and Windows Server 2019

For all supported x86-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 27-Jun-2022 | 17:57 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 17:47 | 6,002 |
| TpmTasks.dll | 10.0.17763.3280 | 11-Jul-2022 | 21:36 | 84,992 |

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 24-May-2022 | 12:34 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 17:50 | 13,778 |
| TpmTasks.dll | 10.0.17763.3280 | 11-Jul-2022 | 21:40 | 110,592 |

For all supported Arm64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 24-May-2022 | 12:33 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 17:49 | 4,370 |
| TpmTasks.dll | 10.0.17763.3280 | 11-Jul-2022 | 21:30 | 115,712 |

Windows 10, version 1607 and Windows Server 2016

For all supported x86-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 30-Dec-2021 | 18:29 | 3 |
| dbxupdate.bin | Not versioned | 12-Jul-2022 | 20:44 | 6,002 |
| TpmTasks.dll | 10.0.14393.5281 | 12-Jul-2022 | 20:44 | 59,904 |

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 30-Sep-2021 | 13:17 | 3 |
| dbxupdate.bin | Not versioned | 14-Jul-2022 | 2:15 | 13,778 |
| TpmTasks.dll | 10.0.14393.5281 | 14-Jul-2022 | 2:17 | 72,192 |

Windows 10, version 1507

For all supported x86-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 11-Jul-2022 | 18:41 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:41 | 6,002 |
| TpmTasks.dll | 10.0.10240.19297 | 2-May-2022 | 16:52 | 46,080 |

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 11-Jul-2022 | 18:41 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:41 | 13,778 |
| TpmTasks.dll | 10.0.10240.19297 | 2-May-2022 | 16:56 | 56,320 |

Windows 8.1 and Windows Server 2012 R2

For all supported x86-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 28-Oct-2021 | 12:35 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:51 | 6,002 |
| TpmTasks.dll | 6.3.9600.20512 | 11-Jul-2022 | 20:50 | 152,576 |

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 1-Jan-2022 | 0:00 | 3 |
| dbxupdate.bin | Not versioned | 12-Jul-2022 | 12:36 | 13,778 |
| TpmTasks.dll | 6.3.9600.20512 | 12-Jul-2022 | 14:57 | 181,760 |

For all supported Arm-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 14-Oct-2021 | 18:42 | 3 |
| dbxupdate.bin | Not versioned | 7-Jun-2022 | 12:03 | 7,085 |
| TpmTasks.dll | 6.3.9600.20512 | 11-Jul-2022 | 20:38 | 137,216 |

Windows Server 2012

For all supported x86-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 11-Jul-2022 | 18:14 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:14 | 6,002 |
| TpmTasks.dll | 6.2.9200.23709 | 21-Apr-2022 | 12:26 | 81,408 |

For all supported x64-based versions

| File name | File version | Date | Time | File size |
| --- | --- | --- | --- | --- |
| dbupdate.bin | Not versioned | 17-Jun-2022 | 18:01 | 3 |
| dbxupdate.bin | Not versioned | 11-Jul-2022 | 18:07 | 13,778 |
| TpmTasks.dll | 6.2.9200.23709 | 21-Apr-2022 | 12:45 | 99,328 |

References

Learn about the standard terminology that is used to describe Microsoft software updates.
