Lucene search

MicrosoftKB5012170

HistoryAug 09, 2022 - 7:00 a.m.

KB5012170: Security update for Secure Boot DBX

2022-08-0907:00:00

Microsoft

support.microsoft.com

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

27.4%

JSON

KB5012170: Security update for Secure Boot DBX

NOTE Improved diagnostics have been added to detect and report issue details through the event log. Please see KB5016061: Addressing vulnerable and revoked Boot Managers for more information.

Applies to

This security update applies only to the following Windows versions:

```
* Windows Server 2012
```
- Windows 8.1 and Windows Server 2012 R2
- Windows 10, version 1507
- Windows 10, version 1607 and Windows Server 2016
- Windows 10, version 1809 and Windows Server 2019
- Windows 10, version 20H2
- Windows 10, version 21H1
- Windows 10, version 21H2
- Windows 10, version 22H2
- Windows Server 2022
- Windows 11, version 21H2
- Windows 11, version 22H2
- Azure Stack HCI, version 1809
- Azure Stack Data Box, version 1809 (ASDB)

Summary

This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the “Applies to” section. Key changes include the following:

* Windows devices that has Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
To learn more about this security vulnerability, see the following advisory:

* [ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB](&lt;https://msrc.microsoft.com/update-guide/vulnerability/ADV200011&gt;)

For additional information about this security vulnerability, see the following resources:

```
* [CVE-2022-34301 | Eurosoft Boot Loader Bypass](&lt;https://vulners.com/cve/CVE-2022-34301&gt;)
```
- CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass
- CVE-2022-34303 | Crypto Pro Boot Loader Bypass

Known issues

Issue	Next step
If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.	To workaround this issue, do one of the following before you deploy this update:

On a device that does not have Credential Gard enabled, run following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:`

Manage-bde –Protectors –Disable C: -RebootCount 1

`Then, deploy the update and restart the device to resume the BitLocker protection.

On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:`

Manage-bde –Protectors –Disable C: -RebootCount 3

`Then, deploy the update and restart the device to resume the BitLocker protection.
When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.Note This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates.| To resolve this issue, install the Servicing Stack Update (SSU) released March 14, 2023, or a later SSU update, for your supported Windows operating system:

Windows 11, version 22H2 SSU (SSU installed from cumulative update KB5023706)
Windows 11, version 21H2 SSU (SSU installed from cumulative update KB5023698)
Windows Server 2022 SSU (SSU installed from cumulative update KB5023705)
Windows 10, version 20H2, 21H2, and 22H2 SSU (SSU installed from cumulative update KB5023696)
Windows 10, version 1809/Windows Server 2019 (SSU installed from cumulative update KB5023702)
Windows Server 2016 SSU KB5023788
Windows 10 SSU KB5023787
Windows Server 2012 R2 SSU KB5023790
Windows Server 2012 SSU KB5023791
For information about the new error events added by these SSU updates and actions to take when an error occurs, see KB5016061.
Some devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11.| This issue is addressed in the servicing stack updates (SSU) and the latest cumulative updates (LCU) dated July 12, 2022 and later.

How to get this update

Release Channel	Available	Next Step
Windows Update or Microsoft Update	Yes	None. This update will be downloaded and installed automatically from Windows Update.
Windows Update for Business	Yes	None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog	Yes	To get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS)	Yes	This update will automatically synchronize with WSUS if you configure Products and Classifications as follows:Product: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data BoxClassification: Security Updates PrerequisitesMake sure you have the lastest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see [ADV990001

File information

The English (United States) version of this security update installs files that have the attributes that are listed in the following tables.

Azure Stack HCI, version 1809

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	13-Jul-2022	18:12	3
dbxupdate.bin	Not versioned	13-Jul-2022	18:12	13,778
TpmTasks.dll	10.0.17784.2602	20-Jul-2022	21:53	114,688

Azure Stack Data Box, version 1809

For all supported x86-based versions

File name	File version	Date	Time	File version
dbupdate.bin	Not versioned	13-Jun-2022	21:46	3
dbxupdate.bin	Not versioned	11-Jul-2022	17:50	6,002
TpmTasks.dll	10.0.17763.10933	20-Jul-2022	21:13	84,992

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	13-Jul-2022	18:07	3
dbxupdate.bin	Not versioned	13-Jul-2022	18:07	13,778
TpmTasks.dll	10.0.17763.10933	20-Jul-2022	21:32	110,592

Windows 11, version 22H2

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	16-Jun-2022	19:56	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:18	13,778
TpmTasks.dll	10.0.19041.1880	11-Jul-2022	21:05	296,960

For all supported Arm64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	6-Jun-2022	18:24	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:16	4,370
TpmTasks.dll	10.0.19041.1880	11-Jul-2022	20:43	324,096

Windows 11, version 21H2

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	23-Apr-2022	14:18	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:06	13,778
TpmTasks.dll	10.0.22000.850	11-Jul-2022	20:34	323,584

For all supported Arm64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	23-Apr-2022	14:18	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:04	4,370
TpmTasks.dll	10.0.22000.850	11-Jul-2022	20:50	313,856

Windows Server 2022

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	23-Apr-2022	14:18	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:06	13,778
TpmTasks.dll	10.0.22000.850	11-Jul-2022	20:34	323,584

For all supported Arm64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	23-Apr-2022	14:18	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:04	4,370
TpmTasks.dll	10.0.22000.850	11-Jul-2022	20:50	313,856

Windows 10, version 22H2

For all supported x86-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	30-Dec-21	18:29	3
dbxupdate.bin	Not versioned	21-Jul-22	0:24	6,002
TpmTasks.dll	10.0.14393.5285	21-Jul-22	0:25	59,904

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	30-Sep-21	13:17	3
dbxupdate.bin	Not versioned	21-Jul-22	1:38	13,778
TpmTasks.dll	10.0.14393.5285	21-Jul-22	1:42	72,192

For all supported Arm64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	6-Jun-2022	18:24	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:16	4,370
TpmTasks.dll	10.0.19041.1880	11-Jul-2022	20:43	324,096

Windows 10, version 20H2, 21H1, and 21H2

For all supported x86-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	11-Jul-2022	18:16	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:16	6,002
TpmTasks.dll	10.0.19041.1880	11-Jul-2022	20:38	242,688

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	16-Jun-2022	19:56	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:18	13,778
TpmTasks.dll	10.0.19041.1880	11-Jul-2022	21:05	296,960

For all supported Arm64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	6-Jun-2022	18:24	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:16	4,370
TpmTasks.dll	10.0.19041.1880	11-Jul-2022	20:43	324,096

Windows 10, version 1809 and Windows Server 2019

For all supported x86-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	27-Jun-2022	17:57	3
dbxupdate.bin	Not versioned	11-Jul-2022	17:47	6,002
TpmTasks.dll	10.0.17763.3280	11-Jul-2022	21:36	84,992

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	24-May-2022	12:34	3
dbxupdate.bin	Not versioned	11-Jul-2022	17:50	13,778
TpmTasks.dll	10.0.17763.3280	11-Jul-2022	21:40	110,592

For all supported Arm64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	24-May-2022	12:33	3
dbxupdate.bin	Not versioned	11-Jul-2022	17:49	4,370
TpmTasks.dll	10.0.17763.3280	11-Jul-2022	21:30	115,712

Windows 10, version 1607 and Windows Server 2016

For all supported x86-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	30-Dec-2021	18:29	3
dbxupdate.bin	Not versioned	12-Jul-2022	20:44	6,002
TpmTasks.dll	10.0.14393.5281	12-Jul-2022	20:44	59,904

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	30-Sep-2021	13:17	3
dbxupdate.bin	Not versioned	14-Jul-2022	2:15	13,778
TpmTasks.dll	10.0.14393.5281	14-Jul-2022	2:17	72,192

Windows 10, version 1507

For all supported x86-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	11-Jul-2022	18:41	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:41	6,002
TpmTasks.dll	10.0.10240.19297	2-May-2022	16:52	46,080

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	11-Jul-2022	18:41	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:41	13,778
TpmTasks.dll	10.0.10240.19297	2-May-2022	16:56	56,320

Windows 8.1 and Windows Server 2012 R2

For all supported x86-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	28-Oct-2021	12:35	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:51	6,002
TpmTasks.dll	6.3.9600.20512	11-Jul-2022	20:50	152,576

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	1-Jan-2022	0:00	3
dbxupdate.bin	Not versioned	12-Jul-2022	12:36	13,778
TpmTasks.dll	6.3.9600.20512	12-Jul-2022	14:57	181,760

For all supported Arm-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	14-Oct-2021	18:42	3
dbxupdate.bin	Not versioned	7-Jun-2022	12:03	7,085
TpmTasks.dll	6.3.9600.20512	11-Jul-2022	20:38	137,216

Windows Server 2012

For all supported x86-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	11-Jul-2022	18:14	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:14	6,002
TpmTasks.dll	6.2.9200.23709	21-Apr-2022	12:26	81,408

For all supported x64-based versions

File name	File version	Date	Time	File size
dbupdate.bin	Not versioned	17-Jun-2022	18:01	3
dbxupdate.bin	Not versioned	11-Jul-2022	18:07	13,778
TpmTasks.dll	6.2.9200.23709	21-Apr-2022	12:45	99,328

References

Learn about the standard terminology that is used to describe Microsoft software updates.

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

27.4%

JSON

Related for KB5012170