Secure Boot BootHole March 2023 UEFI REVOCATION LIST FILE

Anonymous
2023-05-04T12:01:23.51+00:00

Hi,

Servers 2016, 2019, and even 2022, which have been patched with all the previous UEFI revocations and the latest patches, are showing as vulnerable to Tenable Plugin 139239, Windows Security Feature Bypass in Secure Boot (BootHole).

There is a new revocation on the UEFI REVOCATION LIST FILE at https://uefi.org/revocationlistfile. Microsoft is not showing that this needs to be applied to the servers/workstations for Windows.

Is this applicable to Windows 10, Windows 11, Server 2016, Server 2019, and Server 2022?

I have tested this on a Windows 11 machine for the following versions of DBX files:

Release Date: March 14, 2023 (most current)

Release Date: September 7, 2022

Release Date: August 12, 2022

When running the command to verify whether it applied correctly (.\check-dbx.ps1 .\DBXUpdate_X64.bin) for each one on my Windows 11 test machine, I receive errors.

"Byte array for GUID must be exactly 16 bytes long" then the output of "Warning: !!! Not Found" and "Warning: !!! Fail: 2 failures Detected" (which is part of the script with the warning output).

It is my understanding that these are not for Windows, and I have not tried on a server, just Windows 11.

Please let me know if this is to be installed.

Thank you

Windows for business | Windows Client for IT Pros | User experience | Other
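
The check the question describes, comparing the hashes in a DBX update file against a machine's current dbx contents, shown as an added Python example; it is not check-dbx.ps1 or any code from this thread. It assumes both inputs are raw bytes in the UEFI specification's EFI_SIGNATURE_LIST layout, optionally preceded by the authentication header that signed update files carry; the function names and sample hashes are constructed for illustration.

```python
import struct
import uuid

# GUID and type values below are the ones defined in the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1

def strip_auth_header(blob):
    """Skip an EFI_VARIABLE_AUTHENTICATION_2 header (EFI_TIME + WIN_CERTIFICATE_UEFI_GUID) if present."""
    if len(blob) >= 40:
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", blob, 16)
        cert_guid = uuid.UUID(bytes_le=blob[24:40])
        if cert_type == WIN_CERT_TYPE_EFI_GUID and cert_guid == EFI_CERT_TYPE_PKCS7_GUID:
            return blob[16 + dw_length:]   # dwLength covers the whole certificate
    return blob

def sha256_entries(blob):
    """Return the SHA-256 hashes (hex) held in the EFI_SIGNATURE_LISTs of blob (bytes)."""
    data, off, found = strip_auth_header(blob), 0, []
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError(f"truncated signature list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])   # SignatureType GUID, 16 bytes
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if sig_size < 16 or list_size < 28 + hdr_size or end > len(data):
            raise ValueError(f"inconsistent signature list sizes at offset {off}")
        if sig_type == EFI_CERT_SHA256_GUID:
            # Each entry: 16-byte SignatureOwner GUID followed by the hash.
            for p in range(off + 28 + hdr_size, end - sig_size + 1, sig_size):
                found.append(data[p + 16:p + sig_size].hex())
        off = end
    return found

def missing_revocations(update_blob, current_dbx_blob):
    """Hashes listed in the update file that the current dbx does not contain."""
    have = set(sha256_entries(current_dbx_blob))
    return [h for h in sha256_entries(update_blob) if h not in have]

def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Constructed sample data: one EFI_SIGNATURE_LIST of SHA-256 entries."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

if __name__ == "__main__":
    h1, h2 = bytes([0x11]) * 32, bytes([0x22]) * 32      # constructed hashes
    print(missing_revocations(build_sha256_list([h1, h2]), build_sha256_list([h1])))
```

An empty result means every SHA-256 revocation in the update file is already present in the dbx bytes supplied; a ValueError means the input is not a well-formed signature list at the stated offset.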

2 answers

  1. Limitless Technology 44,776 Reputation points
    2023-05-05T18:37:12.43+00:00

    Hello there,

    Microsoft might take time to release the list of applicable devices and official articles for the vulnerability, but the general guidance provided by Microsoft is to download the appropriate UEFI Revocation List File (Dbxupdate.bin) for your platform.

    On July 29, 2020, Microsoft published security advisory 200011 that describes a new vulnerability that’s related to Secure Boot. Devices that trust the Microsoft third-party Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA) in their Secure Boot configuration may be susceptible to an attacker who has administrative privileges or physical access to the device.

    Microsoft guidance for applying Secure Boot DBX update (KB4575994) https://support.microsoft.com/en-gb/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–


  2. Anonymous
    2023-05-10T13:09:18.97+00:00

    This does not resolve the problem or question.

    See below:

    When running the command to verify whether it applied correctly (.\check-dbx.ps1 .\DBXUpdate_X64.bin) for each one on my Windows 11 test machine, I receive errors.

    "Byte array for GUID must be exactly 16 bytes long" then the output of "Warning: !!! Not Found" and "Warning: !!! Fail: 2 failures Detected" (which is part of the script with the warning output).
