POC details: 56737f998b99df24fde647a48d111b0fc37f2327

Source
Related vulnerability
Title: Microsoft Windows Secure Boot security vulnerability (CVE-2023-24932)
Description: Microsoft Windows Secure Boot is the secure boot feature of Microsoft, a US company. A security vulnerability exists in Microsoft Windows Secure Boot. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows 10 Version 1809 for ARM64-based Systems, Windows Server 2
Description
BlackLotus aka CVE-2023-24932 Detection/Remediation Scripts for Intune, ConfigMgr, and generic use
Introduction
# BlackLotus

BlackLotus aka CVE-2023-24932 remediation scripts for Intune, ConfigMgr, and generic ad-hoc use.

Blog post: https://ajf.one/blacklotus

## General Notes

* These remediation scripts do NOT initiate any reboots. These are designed to be run "over time", and eventually the device will report as compliant over its course of "natural" reboots, either due to monthly updates, user-initiated, or otherwise.
* The entirety of the remediation script MUST be placed within the detection script for Intune Remediation and ConfigMgr CI use. This is due to how these scripts work as a "choose your own adventure" story, with multiple exit points, each returning its own output.
* At the start of each script is the equivalent of a "detection" script, so that no changes are made and no excessive logging is performed on an already compliant device.
* Feel free to open an issue here, or ping me on Discord in WinAdmins (@krbtgt) if you run into any issues or have any feedback, it would be much appreciated!

## Phase 1: Installing the updated certificate definitions to the DB, and updating the Boot Manager on your device

Process Flowchart:

<img src="https://raw.githubusercontent.com/ajf8729/BlackLotus/refs/heads/main/images/phase1.svg">

The Phase 1 script will perform steps 1 & 2 from the [guidance published by Microsoft](https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d), by doing the following:

1. Set the `AvailableUpdates` registry value to `0x40`
2. Start the `\Microsoft\Windows\PI\Secure-Boot-Update` scheduled task to perform step 1, "Install the updated certificate definitions to the DB"
3. Validate step 1 is complete
4. Set the `AvailableUpdates` registry value to `0x100`
5. Start the `\Microsoft\Windows\PI\Secure-Boot-Update` scheduled task to perform step 2, "Update the Boot Manager on your device"
6. Validate step 2 is complete

Validation is performed after each step, and the result is logged to `$env:TEMP\BlackLotusPhase1Remediation.log` as well as returned to Intune (if running the script as a Remediation).

## Phase 2: Enabling the revocation and applying the SVN update to the firmware

Process Flowchart:

<img src="https://raw.githubusercontent.com/ajf8729/BlackLotus/refs/heads/main/images/phase2.svg">

The Phase 2 script will perform steps 3 & 4 from the [guidance published by Microsoft](https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d), by doing the following:

1. Set the `AvailableUpdates` registry value to `0x80`
2. Start the `\Microsoft\Windows\PI\Secure-Boot-Update` scheduled task to perform step 3, "Enable the revocation"
3. Validate step 3 is complete
4. Set the `AvailableUpdates` registry value to `0x200`
5. Start the `\Microsoft\Windows\PI\Secure-Boot-Update` scheduled task to perform step 4, "Apply the SVN update to the firmware"
6. Validate step 4 is complete
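The Phase 1 and Phase 2 procedures above share the same three primitives: write the `AvailableUpdates` flag, start the `Secure-Boot-Update` scheduled task, and validate before moving on. The following PowerShell is an added example that is not the repository's own scripts; it puts both phases behind a shared helper and keeps the README's conventions (detection first, no reboots, one distinct return string per exit point). The registry path `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot`, the `Get-SecureBootUEFI` checks for db/dbx, and the `mountvol`-based inspection of `bootmgfw.efi` follow Microsoft's published guidance; the log file name, the `S:` drive letter, the task-polling loop and the step 4 validation (waiting for the 0x200 bit to be cleared by the task) are assumptions of this example.

```powershell
# Added example, not the repository's scripts. Requires an elevated session.
#Requires -RunAsAdministrator

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$TaskPath      = '\Microsoft\Windows\PI\'
$TaskName      = 'Secure-Boot-Update'
$LogFile       = Join-Path $env:TEMP 'BlackLotusExample.log'   # constructed name, not the README's

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogFile -Append
}

function Test-SecureBootVarContains([string]$Name, [string]$Pattern) {
    # Read a Secure Boot variable (db or dbx) and look for a CA name in its raw bytes.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
}

function Test-BootManagerSignedBy2023CA {
    # Mount the EFI System Partition, inspect the boot manager's signer, always unmount.
    $drive = 'S:'   # assumed free drive letter
    mountvol $drive /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature "$drive\EFI\Microsoft\Boot\bootmgfw.efi"
        return ($sig.SignerCertificate.Subject -like '*Windows UEFI CA 2023*')
    } finally {
        mountvol $drive /D | Out-Null
    }
}

function Test-AvailableUpdatesBitSet([int]$Flag) {
    $current = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    return (($current -band $Flag) -ne 0)
}

function Invoke-SecureBootStep([int]$Flag, [string]$Label) {
    # Set the flag, run the servicing task, and wait (assumption) for it to leave the Running state.
    Write-Log ("Requesting '{0}' (AvailableUpdates=0x{1:X})" -f $Label, $Flag)
    Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Value $Flag -Type DWord
    Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    while ((Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName).State -eq 'Running') {
        Start-Sleep -Seconds 5
    }
}

function Invoke-Phase1 {
    # Detection first: a device that already passes both checks is left untouched.
    $dbUpdated = Test-SecureBootVarContains -Name 'db' -Pattern 'Windows UEFI CA 2023'
    if ($dbUpdated -and (Test-BootManagerSignedBy2023CA)) {
        Write-Log 'Phase 1: already compliant'
        return 'Compliant'
    }
    if (-not $dbUpdated) {
        Invoke-SecureBootStep -Flag 0x40 -Label 'Install the updated certificate definitions to the DB'
        # The new DB entry is validated on the next run; this script never reboots.
        return 'Step 1 requested, reboot pending'
    }
    Invoke-SecureBootStep -Flag 0x100 -Label 'Update the Boot Manager on your device'
    return 'Step 2 requested, reboot pending'
}

function Invoke-Phase2 {
    # Phase 2 is only safe once the 2023-signed boot manager is in place.
    if (-not (Test-BootManagerSignedBy2023CA)) {
        Write-Log 'Phase 2: Phase 1 not complete, refusing to revoke'
        return 'Phase 1 incomplete'
    }
    $revoked = Test-SecureBootVarContains -Name 'dbx' -Pattern 'Microsoft Windows Production PCA 2011'
    if (-not $revoked) {
        # Point of no return for boot media signed only with the 2011 CA.
        Invoke-SecureBootStep -Flag 0x80 -Label 'Enable the revocation'
        return 'Step 3 requested, reboot pending'
    }
    if (Test-AvailableUpdatesBitSet -Flag 0x200) {
        # Assumption: the task clears 0x200 once the SVN update has been applied to firmware.
        return 'Step 4 in progress, reboot pending'
    }
    Invoke-SecureBootStep -Flag 0x200 -Label 'Apply the SVN update to the firmware'
    if (Test-AvailableUpdatesBitSet -Flag 0x200) { return 'Step 4 requested, reboot pending' }
    Write-Log 'Phase 2: compliant'
    return 'Compliant'
}

# Usage: run one phase per remediation package, e.g. `Invoke-Phase1` in the Phase 1 script.
Invoke-Phase1
```

Each return string doubles as the Intune or ConfigMgr output, so a single detection script can embed the whole remediation and still report a distinct state from every exit point.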
File snapshot

[4.0K] /data/pocs/56737f998b99df24fde647a48d111b0fc37f2327
├── [8.5K] BlackLotusPhase1Remediation.ps1
├── [7.8K] BlackLotusPhase2Remediation.ps1
├── [4.0K] images
│   ├── [7.9K] phase1.svg
│   └── [9.2K] phase2.svg
├── [ 34K] LICENSE
└── [3.0K] README.md

1 directory, 6 files