BitLocker Security Feature Bypass Vulnerability

Security Vulnerability

Released: Oct 8, 2024

Assigning CNA
Microsoft
CVE.org link
CVE-2024-43513
Impact
Security Feature Bypass
Max Severity
Important
Weakness
CVSS Source
Microsoft
Vector String
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

Exploitability

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly disclosed
No
Exploited
No
Exploitability assessment
Exploitation Less Likely

FAQ

Is there a prerequisite for installing the security update?

Yes. For Windows Server 2012 R2 only, to apply this update, you must have KB2919355 installed.

Are there additional steps that I need to take to be protected from this vulnerability?

Depending on the version of Windows you are running, you might need to take additional steps to update Windows Recovery Environment (WinRE) to be protected from this vulnerability.

For the latest version of Windows the process of updating WinRE is now fully automated. The following versions of Windows require no additional steps as WinRE will be updated as a part of the Latest Cumulative Update if you are getting updates from Windows Update and WSUS:

  • Windows 11 Version 24H2 for x64-based Systems
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems

For the following versions of Windows, the WinRE updates listed are available. These updates automatically apply the latest Safe OS Dynamic Update to WinRE from the running Windows OS:

As an alternative to updates provided in the preceding list or if your version of Windows is not listed, you can download the latest Windows Safe OS Dynamic Update from the Microsoft Update Catalog then apply the WinRE update. For more information reference Add an update package to Windows RE. To automate your installation, Microsoft has developed a sample script that can help with updating WinRE from the running Windows OS. Please see KB5034957: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2024-20666 for more information.

How do I check whether WinRE has successfully updated?

Use DISM /Get-Packages on a mounted WinRE image to ensure the latest Safe OS Dynamic Update package is present. For more information, see Check the WinRE image version.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to physically access the target device. To gain access, an attacker must acquire the device after being unlocked by a legitimate user (target of opportunity) or possess the ability to pass device authentication or password protection mechanisms.

Are there additional steps that I need to take to be protected from this vulnerability?

Yes. You must apply the applicable Windows security update to your Windows Recovery Environment (WinRE). For more information about how to apply the WinRE update, see Add an update package to Windows RE.

IMPORTANT: End users and enterprises who are updating Windows devices which are already deployed in their environment can instead use the latest Windows Safe OS Dynamic Updates to update WinRE when the partition is too small to install the full Windows update. You can download the latest Windows Safe OS Dynamic Update from the Microsoft Update Catalog.

Acknowledgements

  • Maxim Suhanov with CICADA8
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Security Updates

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.

Release date Descending

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

How satisfied are you with the MSRC Security Update Guide?