The Windows Security Feature Bypass in Secure Boot (BootHole) when detected with a vulnerability scanner will report it as a CVSS 8.2 (v3).

CVSS:

CVSS is a scoring system for vulnerability systems, its an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:

The Windows Security Feature Bypass in Secure Boot (BootHole) Vulnerability Information

On July 29, 2020, Microsoft published security advisory 200011 that describes a new vulnerability that’s related to Secure Boot. Devices that trust the Microsoft third-party Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA) in their Secure Boot configuration may be susceptible to an attacker who has administrative privileges or physical access to the device.

This article provides guidance to apply the latest Secure Boot DBX revocation list to invalidate the vulnerable modules.

The Secure Boot update binaries are hosted on this UEFI webpage.

The posted files are as follows:

  • UEFI Revocation List File for x86 (32 bit)

  • UEFI Revocation List File for x64 (64 bit)

  • UEFI Revocation List File for arm64

After these hashes are added to the Secure Boot DBX on your device, those applications will no longer be allowed to load.

Remediation

Applying a DBX update on Windows

After you read the warnings and verify that your device is compatible, follow these steps to update the Secure Boot DBX:

  1. Download the appropriate UEFI Revocation List File (Dbxupdate.bin) for your platform from this UEFI webpage

  2. You have to split the Dbxupdate.bin file into the necessary components in order to apply them by using PowerShell cmdlets. To do this, follow these steps:

    Download the PowerShell script from this PowerShell Gallery webpage.

    a. Run the following PowerShell script on the Dbxupdate.bin file:

    SplitDbxContent.ps1 “c:\path\to\file\dbxupdate.bin

    b. Verify that the command created the following files:

    • Content.bin – update contents

    • Signature.p7 – signature authorizing the update process

  3. In an administrative PowerShell session, run the Set-SecureBootUefi cmdlet to apply the DBX update:



    Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite

    Expected output

  4. Restart the device to complete the update installation process.

For more information about the Secure Boot configuration cmdlet and how to use it for DBX updates, see Set-Secure.

Verifying that the update was successful

After you successfully complete the steps in the previous section and restart the device, follow these steps to verify that the update was applied successfully. After successful verification, your device will no longer be affected by the GRUB vulnerability.

1. Download the DBX update verification scripts from this GitHub Gist webpage.

2. Extract the scripts and binaries from the compressed file.

3. Run the following PowerShell script within the folder that contains the expanded scripts and binaries to verify the DBX update: 

Check-Dbx.ps1 .\dbx-2021-April.bin'

4. Verify that the output matches the expected result:

Did this answer your question?