Dealing With CVE-2023-24932, aka Remediating BlackLotus

CVE-2023-24932. 2023 feels like so long ago, and yet, this is still an issue. Why? Because it’s quite frankly a mess to deal with and has multiple moving parts. I highly recommend reading though the following Microsoft articles in order to have a full understanding of the issues and resolutions:

My scripts, as well as an additional ReadMe are published to GitHub: https://github.com/ajf8729/BlackLotus

Also be sure to check out other posts about this topic, as the more information out there about it, the better:

My Solution – Remediation Scripts, But With a Twist

So i decided to build somewhat universal scripts that could be deployed via Intune Remediations, ConfigMgr CIs, or run ad-hoc/as a run script. This proved to be a bit of a challenge at first, as my remediation scripts were designed to exit at multiple places, sort of a “choose your own adventure” story. But this doesn’t play nice with the traditional detection/remediation method used by Intune Remediations and ConfigMgr CIs.

The answer? Put all of the code in the detection script!

This seemed both odd and “not right” to me at first, but I’ve heard of others doing it before, and it let me combine detection and remediation in once script, handling all of the edge cases and failure scenarios that I could come up with and test/validate.

Phase 1 – The Easy Part

Based of the guidance, I decided to break this work down into 2 logical phases. Phase 1 consists of steps 1 and 2 in the published guidance, which will install the updated certificate definitions to the secure boot DB, and update the boot loader on the device to one signed by the new 2023 CA. After phase 1 is complete, a device will still boot to older boot loaders, and still must go through phase 2 to completely mitigate the BlackLotus vulnerability. Phase 1 can be completed safely on devices with no direct impact.

The most up to date version of my phase 1 remediation script is published to my GitHub: https://github.com/ajf8729/BlackLotus/blob/main/BlackLotusPhase1Remediation.ps1

Remediation script configuration in Intune:

CI configuration in ConfigMgr:

Phase 2 – The “Breaking” Part

Phase 2 is where the breaking changes will occur. In phase 2, steps 3 and 4 from the published guidance are performed, which will enable the revocation of the 2011 CA, and apply a Secure Version Number (SVN) update to the firmware in order to prevent rollbacks. Once phase 2 is complete, the device will no longer boot to any media signed with the old CA.

Configure this script as a Remediation or CI in the same fashion as the above screenshots.

The most up to date version of my phase 2 remediation script is published to my GitHub: https://github.com/ajf8729/BlackLotus/blob/main/BlackLotusPhase2Remediation.ps1

Updating Bootable Media, and PXE Support (?)

Microsoft has provided a script (https://support.microsoft.com/en-us/topic/updating-windows-bootable-media-to-use-the-pca2023-signed-boot-manager-d4064779-0e4e-43ac-b2ce-24f434fcfa0f) to update bootable media to use a newer boot loader. However, as documented in the guidance, you will no longer be able to PXE boot device using ConfigMgr, as documentation will be provided later:

Lastly…

I’ll likely be updating these scripts a bit more in the near future, I’d like to expand the logging a bit further and there will likely be an issue that pops up somewhere. As my buddy Johannes says, this is an MVP (Minimum Viable Product)!

Hopefully there is a solution to the PXE problem soon. If you decide to give these scripts a whirl, please let me know if you run into issues or have any feedback. Comments here, issues on GitHub, or just ping me in the WinAdmins Discord Community (@krbtgt), all options are welcome!

Related Posts

Leave a Reply

AJ's Tech Chatter
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.