Worklet: Windows-Security-Mitigate Black Lotus [IMPORTANT ZERO-DAY May 2023]

  • 12 May 2023
  • 1 reply
  • 159 views

Userlevel 4
Badge

CVE-2023-29336 is an important and actively exploited zero-day vulnerability in Win32k that scores a CVSS 7.8, from Patch Tuesday on May 9, 2023

We’ve written a script to help administrators automatically find the vulnerability and ensure that the May 2023 updates from Microsoft have been applied prior to remediation. If the device meets that criteria, then we’ll remediate it. All that’s left for the administrators is to reboot the device after the script has run successfully or grab a worklet to reboot the endpoints you ran the script on at scale.

If you’re an Automox customer, or on a free trial, grab the script directly from the Worklet Catalog. 

 

IMPORTANT: If you plan to use the Worklet or script provided, we strongly recommend testing a subset of impacted devices and following any required change control processes prior to applying the script at scale in your organization. 

 

Remember - for the scripts to take effect, you’ll need to reboot all of the endpoints where remediation was applied. You can do that manually via the device page if you’re an Automox customer, or run at scale with a reboot script. If you reboot from a script, but sure to target only the group of endpoints where remediation was applied so you don’t interrupt other users or systems.


1 reply

Userlevel 3

The code for this worklet can be found below:
 

Evaluation Code

<#

.SYNOPSIS
Windows - Security - Mitigate BlackLotus

.PREREQUISITES
Microsoft's May 2023 Security Updates must be installed on the device.
Only devices with Secure Boot enabled are applicable to this mitigation.

For eligible devices, the remediation code will trigger a restart after the mitigation has been applied.
Per Microsoft, a second restart is then required to finalize the revocation steps.
The second restart will not be triggered via this worklet, and should be performed by another worklet or by manual intervention.

.WARNING
Per Microsoft:
Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device.
Even reformatting of the disk will not remove the revocations if they have already been applied.
You should not remove the SKUSiPolicy.p7b revocation file after it is deployed. Your device might no longer be able to start if the file is removed.
Please be aware of all the possible implications and test thoroughly before applying the revocations that are outlined in this article to your device.

.DESCRIPTION
This worklet mitigates the BlackLotus vulnerability (CVE-2023-24932) by applying Microsoft's guided revocation steps.
Source: https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

The worklet consists of three primary functions:
1. Get-DeviceEligibility - Determines whether or not the device is in scope for the BlackLotus mitigation.
2. Get-MitigationEvent - Determines whether the mitigation has already been applied or not.
3. Initialize-Migitation - Applies the mitigation.

The evaluation code will run the Get-DeviceEligibility function.
If the device is in scope for the mitigation and requires it, it will flag the device for remediation.
If the device is not in scope for the mitigation or does not require it, the script run will end.

The remediation code will re-run the Get-DeviceEligibility function to confirm the device is eligible for the mitigation.
It will then run the Get-MitigationEvent function to determine whether the device already has the mitigation applied.
If the device is not compliant with these two functions, it will run the Initialize-Mitigation function to apply the revocation steps.
The device will automatically reboot within 60 seconds after the revocation steps are applied.

.NOTES
Author: John Guarracino
Date: May 11, 2023

.USAGE
All variables are predefined.
The device will automatically restart per the remediation code, and restart should therefore be turned off within the worklet.
#>

# Using scriptblock to relaunch in native environment for 64bit detection.
$scriptBlock = {

#Predefined variables
$RevocationFileSource = 'C:\Windows\System32\SecureBootUpdates\SKUSiPolicy.p7b'
$RevocationFileTarget = 'q:\EFI\Microsoft\Boot\SKUSiPolicy.p7b'
$eventlog = Get-EventLog -LogName System | Where-Object { $_.Message -like "*Secure Boot Dbx update applied successfully*" }

#Declaring functions
function Get-DeviceEligibility
{
#Validate device eligibility
if ((Confirm-SecureBootUEFI) -eq $true)
{
#Secure Boot is enabled.
#Checking to see if the May 2023 Security Updates are applied.
if ((Test-Path $RevocationFileSource) -ne $true)
{
#The revocation payload was not found on this device.
#Ensure that the device has the May 2023 Security Updates installed and try again.
#The device is not in scope for this worklet. Now exiting.
return 0
}

#Checking to see if the mitigation has already ran against this device.
if ($eventlog)
{
#Secure Boot Dbx events were found.
#Mounting EFI partition to check for revocation files.
mountvol Q: /S | Out-Null
if (Test-Path $RevocationFileTarget)
{
#The revocation files are already applied.
#This device already has the BlackLotus mitigation in place and is compliant. Now Exiting.
return 0
}

else
{
#The revocation files are not applied.
#Flagging for remediation.
return 1
}
}

else
{
#No event for the Secure Boot Dbx update was found.
#Flagging for remediation.
return 1
}
}

if ((Confirm-SecureBootUEFI) -eq $false)
{
#Secure Boot is not enabled. The device is not in scope for this worklet.
return 0
}
}

#Initiating Evaluation
Get-DeviceEligibility
}

# Execution of $scriptBlock
$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock

# Exit with value provided by evaluation.
Exit $exitCode

 

 

Remediation Code

<#

.SYNOPSIS
Windows - Security - Mitigate BlackLotus

.PREREQUISITES
Microsoft's May 2023 Security Updates must be installed on the device.
Only devices with Secure Boot enabled are applicable to this mitigation.

For eligible devices, the remediation code will trigger a restart after the mitigation has been applied.
Per Microsoft, a second restart is then required to finalize the revocation steps.
The second restart will not be triggered via this worklet, and should be performed by another worklet or by manual intervention.

.WARNING
Per Microsoft:
Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device.
Even reformatting of the disk will not remove the revocations if they have already been applied.
You should not remove the SKUSiPolicy.p7b revocation file after it is deployed. Your device might no longer be able to start if the file is removed.
Please be aware of all the possible implications and test thoroughly before applying the revocations that are outlined in this article to your device.

.DESCRIPTION
This worklet mitigates the BlackLotus vulnerability (CVE-2023-24932) by applying Microsoft's guided revocation steps.
Source: https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

The worklet consists of three primary functions:
1. Get-DeviceEligibility - Determines whether or not the device is in scope for the BlackLotus mitigation.
2. Get-MitigationEvent - Determines whether the mitigation has already been applied or not.
3. Initialize-Migitation - Applies the mitigation.

The evaluation code will run the Get-DeviceEligibility function.
If the device is in scope for the mitigation and requires it, it will flag the device for remediation.
If the device is not in scope for the mitigation or does not require it, the script run will end.

The remediation code will re-run the Get-DeviceEligibility function to confirm the device is eligible for the mitigation.
It will then run the Get-MitigationEvent function to determine whether the device already has the mitigation applied.
If the device is not compliant with these two functions, it will run the Initialize-Mitigation function to apply the revocation steps.
The device will automatically reboot within 60 seconds after the revocation steps are applied.

.NOTES
Author: John Guarracino
Date: May 11, 2023

.USAGE
All variables are predefined.
The device will automatically restart per the remediation code, and restart should therefore be turned off within the worklet.
#>

# Using scriptblock to relaunch in native environment for 64bit detection.
$scriptBlock = {

#Predefined variables
$RevocationFileSource = 'C:\Windows\System32\SecureBootUpdates\SKUSiPolicy.p7b'
$RevocationFileTarget = 'q:\EFI\Microsoft\Boot\SKUSiPolicy.p7b'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot"
$regName = "AvailableUpdates"
$regValue = "10"
$exists = (Get-ItemProperty -Path "$regPath" -Name "$regName" -ErrorAction SilentlyContinue).$regName
$eventlog = Get-EventLog -LogName System | Where-Object { $_.Message -like "*Secure Boot Dbx update applied successfully*" }

#Declaring functions
function Get-MitigationEvent
{

if ($eventlog)
{
Write-Output "The following Secure Boot Dbx events were found:"
Write-Output $eventlog
Write-Output ""
Write-Output "Checking for revocation files."
mountvol Q: /S
if (Test-Path $RevocationFileTarget)
{
Write-Output "The revocation files are already applied."
Write-Output "This device already has the BlackLotus mitigation in place. Now Exiting."
Exit 0
}

else
{
Write-Output "The Revocation files were not found."
Write-Output "Proceeding with the mitigation."
Initialize-Migitation
}
}

else
{
Write-Output "No event for the Secure Boot Dbx update was found."
Write-Output "Proceeding with the mitigation."
Initialize-Migitation
}
}

function Initialize-Migitation
{

try
{
Write-Output "Mounting the EFI Partition."
mountvol Q: /S

if (Test-Path $RevocationFileSource)
{
Write-Output "Copying the revocation files to the EFI volume."
Copy-Item -Path $RevocationFileSource -Destination $RevocationFileTarget -Force
if (Test-Path $RevocationFileTarget)
{
Write-Output "Revocation file copied successfully."
}
else
{
Write-Output "Revocation failed to copy. Now exiting."
Exit 1
}
}

else
{
Write-Output "The revocation payload was not found on this device."
Write-Output "Ensure that the device has the May 2023 Security Updates installed and try again."
Write-Output "Now exiting."
Exit 1
}

#Setting Registry key
if ($exists -eq $regValue)
{
Write-Output "The SecureBooot UEFI Forbidden List Registry key is already set and is the correct value."
Write-Output "Proceeding with the remainder of the script run."
}

else
{
Write-Output "The registry key does not exist or is not equal to $regValue."
Write-Output "Creating the Secure Boot UEFI Forbidden List registry key with a value of $regValue."
Set-ItemProperty $regPath -Name $regName -Value $regValue -Type Dword | Out-Null
}

#Declare end of mitigation steps and restart the computer.
Write-Output "All actions performed. Restarting the computer in 60 seconds."
Shutdown /r /t 60 /d p:4:1 /c 'Your device will reboot in 60 seconds for a security update. Please save all of your work.'
}

catch
{
Write-Output "An error has occured:"
$Exception = $error[0].Exception.Message + "`nAt Line " + $error[0].InvocationInfo.ScriptLineNumber
Write-Output $Exception
Exit 1
}
}

function Get-DeviceEligibility
{
#Validate device eligibility
if ((Confirm-SecureBootUEFI) -eq $true)
{
Write-Output "Secure Boot is enabled. The device is in scope."
Write-Output "Checking to see if the May 2023 Security Updates are applied."
if ((Test-Path $RevocationFileSource) -ne $true)
{
Write-Output "The revocation payload was not found on this device."
Write-Output "Ensure that the device has the May 2023 Security Updates installed and try again."
Write-Output "Now exiting."
Exit 0
}

Write-Output "Checking to see if the mitigation has already ran against this device."
Get-MitigationEvent
}

if ((Confirm-SecureBootUEFI) -eq $false)
{
Write-Output "Secure Boot is not enabled. The device is not in scope for this worklet."
Exit 0
}
}

Get-DeviceEligibility
}

& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock

 

Reply