ADV230002 — Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules
Executive Summary
Trend Micro has released CVE-2023-28005 to address a Secure Boot bypass. Subsequently, Microsoft has released the July Windows security updates to block the vulnerable UEFI modules by using the DBX (UEFI Secure Boot Forbidden Signature Database) disallow list. To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA).

CVEs released for this issue: CVE-2023-28005.

Microsoft recommends that all customers install the latest Windows security updates.

In 2012, Microsoft introduced the Secure Boot feature into the then-new, UEFI-based PC ecosystem. UEFI Secure Boot is an anti-rootkit feature that defends the boot process from untrusted code execution. As part of enabling this feature, Microsoft signs boot code both for Windows and for third parties, including Linux distributions. This boot code allows Linux systems to take advantage of Secure Boot.

What is UEFI?
UEFI (Unified Extensible Firmware Interface) defines the interactions between the operating system and the platform firmware. The Secure Boot feature of UEFI prevents the loading of operating system loaders and firmware drivers that are not signed by a trusted signature.

What is DBX?
DBX is the Forbidden Signature Database and tracks the revoked boot images.
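As an added example (not part of the advisory), the PowerShell below reads the DBX variable through the built-in Secure Boot cmdlets and counts the revocation entries per signature type, so an administrator can confirm that the disallow list on a host actually changed after the update and reboot. It assumes an elevated session on a UEFI system; the signature-type GUIDs and the EFI_SIGNATURE_LIST layout are taken from the UEFI specification.

```powershell
# Added example, not from the advisory: inventory the UEFI Secure Boot DBX
# (forbidden signature database). Run elevated on a UEFI-booted Windows host.
#
# EFI_SIGNATURE_LIST layout (UEFI spec, "Signature Database"):
#   SignatureType        GUID    (16 bytes)
#   SignatureListSize    UINT32  (whole list, header included)
#   SignatureHeaderSize  UINT32
#   SignatureSize        UINT32  (size of one EFI_SIGNATURE_DATA entry)
#   SignatureHeader      [SignatureHeaderSize bytes]
#   Signatures           entries of SignatureSize bytes each,
#                        each = SignatureOwner GUID (16) + SignatureData
$sigTypes = @{
    'c1c41626-504c-4092-aca9-41f936934328' = 'EFI_CERT_SHA256'  # SHA-256 of a PE image
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'EFI_CERT_X509'    # a whole X.509 certificate
}

function Get-DbxInventory {
    # Secure Boot must be enforcing, otherwise DBX contents are irrelevant.
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled; DBX is not being enforced on this host.'
    }
    $bytes  = (Get-SecureBootUEFI -Name dbx).Bytes
    $offset = 0
    $counts = @{}
    while ($offset + 28 -le $bytes.Length) {
        # Guid(byte[]) uses the same little-endian field order as EFI_GUID in memory.
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $entries = [math]::Floor(($listSize - 28 - $headerSize) / $sigSize)
        $name    = $sigTypes[$type.ToString()]
        if (-not $name) { $name = $type.ToString() }   # unknown type: report raw GUID
        $counts[$name] = [int]$counts[$name] + $entries
        $offset += $listSize
    }
    [pscustomobject]@{
        DbxSizeBytes  = $bytes.Length
        EntriesByType = $counts
    }
}

# Capture once before installing the update, again after the post-install reboot,
# and compare: the entry counts should differ once the new revocations are applied.
Get-DbxInventory
```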
Overview
EPSS Score
No EPSS score available for this CVE.
Affected Products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Windows 10 for 32-bit Systems | 5028186 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 for x64-based Systems | 5028186 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 1607 for 32-bit Systems | 5028169 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 1607 for x64-based Systems | 5028169 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5028168 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 5028168 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 1809 for x64-based Systems | 5028168 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5028166 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5028166 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5028166 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5028166 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5028166 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5028166 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 11 version 21H2 for ARM64-based Systems | 5028182 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 11 version 21H2 for x64-based Systems | 5028182 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 11 Version 22H2 for ARM64-based Systems | 5028185 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows 11 Version 22H2 for x64-based Systems | 5028185 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows Server 2012 | 5028232 (Monthly Rollup), 5028233 (Security Only) | Important | Security Feature Bypass | Yes |
| Windows Server 2012 (Server Core installation) | 5028232 (Monthly Rollup), 5028233 (Security Only) | Important | Security Feature Bypass | Yes |
| Windows Server 2012 R2 | 5028228 (Monthly Rollup), 5028223 (Security Only) | Important | Security Feature Bypass | Yes |
| Windows Server 2012 R2 (Server Core installation) | 5028228 (Monthly Rollup), 5028223 (Security Only) | Important | Security Feature Bypass | Yes |
| Windows Server 2016 | 5028169 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows Server 2016 (Server Core installation) | 5028169 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows Server 2019 | 5028168 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows Server 2019 (Server Core installation) | 5028168 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows Server 2022 | 5028171 (Security Update) | Important | Security Feature Bypass | Yes |
| Windows Server 2022 (Server Core installation) | 5028171 (Security Update) | Important | Security Feature Bypass | Yes |

For the Windows Server 2012 entries (including Server Core), the updates supersede 5027283 and bring the build number to 6.2.9200.24374; for the Windows Server 2012 R2 entries (including Server Core), they supersede 5027271 and bring the build number to 6.3.9600.21063 / 6.3.9600.21075. For these rows the CVSS fields read Base: N/A, Temporal: N/A, Vector: N/A, and the known-issues field reads None.
Patches
| Article | Type | Restart |
|---|---|---|
| 5028186 | Security Update | Yes |
| 5028169 | Security Update | Yes |
| 5028168 | Security Update | Yes |
| 5028166 | Security Update | Yes |
| 5028182 | Security Update | Yes |
| 5028185 | Security Update | Yes |
| 5028171 | Security Update | Yes |
Known Exploits
Acknowledgments
Zammis Clark