BitLocker Security Feature Bypass Vulnerability
Released: Oct 8, 2024
- Assigning CNA
- Microsoft
- CVE.org link
- CVE-2024-43513
- Impact
- Security Feature Bypass
- Max Severity
- Important
- Weakness
- CVSS Source
- Microsoft
- Vector String
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Metrics
- CVSS:3.1 6.4 / 5.6Base score metrics: 6.4 / Temporal score metrics: 5.6
Attack Vector
Physical
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Exploit Code Maturity
Unproven
Remediation Level
Official Fix
Report Confidence
Confirmed
Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed
- No
- Exploited
- No
- Exploitability assessment
- Exploitation Less Likely
FAQ
Is there a prerequisite for installing the security update?
Yes. For Windows Server 2012 R2 only, to apply this update, you must have KB2919355 installed.
Are there additional steps that I need to take to be protected from this vulnerability?
Depending on the version of Windows you are running, you might need to take additional steps to update Windows Recovery Environment (WinRE) to be protected from this vulnerability.
For the latest version of Windows the process of updating WinRE is now fully automated. The following versions of Windows require no additional steps as WinRE will be updated as a part of the Latest Cumulative Update if you are getting updates from Windows Update and WSUS:
- Windows 11 Version 24H2 for x64-based Systems
- Windows 11 Version 24H2 for ARM64-based Systems
- Windows 11 Version 23H2 for x64-based Systems
- Windows 11 Version 23H2 for ARM64-based Systems
- Windows 11 Version 22H2 for x64-based Systems
- Windows 11 Version 22H2 for ARM64-based Systems
For the following versions of Windows, the WinRE updates listed are available. These updates automatically apply the latest Safe OS Dynamic Update to WinRE from the running Windows OS:
- Windows Server 2022 (Server Core installation) (KB5046399: Windows Recovery Environment update for Azure Stack HCI, version 22H2 and Windows Server 2022: October 8, 2024)
- Windows Server 2022 (KB5046399: Windows Recovery Environment update for Azure Stack HCI, version 22H2 and Windows Server 2022: October 8, 2024)
- Windows Server 2022, 23H2 Edition (Server Core installation) (KB5046399: Windows Recovery Environment update for Azure Stack HCI, version 22H2 and Windows Server 2022: October 8, 2024)
- Windows 11 version 21H2 for x64-based Systems (KB5046398: Windows Recovery Environment update for Windows 11, version 21H2: October 8, 2024)
- Windows 10 Version 22H2 for x64-based Systems (KB5046400: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: October 8, 2024)
- Windows 10 Version 22H2 for 32-bit Systems (KB5046400: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: October 8, 2024)
- Windows 10 Version 21H2 for x64-based Systems (KB5046400: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: October 8, 2024)
- Windows 10 Version 21H2 for 32-bit Systems (KB5046400: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: October 8, 2024)
As an alternative to updates provided in the preceding list or if your version of Windows is not listed, you can download the latest Windows Safe OS Dynamic Update from the Microsoft Update Catalog then apply the WinRE update. For more information reference Add an update package to Windows RE. To automate your installation, Microsoft has developed a sample script that can help with updating WinRE from the running Windows OS. Please see KB5034957: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2024-20666 for more information.
How do I check whether WinRE has successfully updated?
Use DISM /Get-Packages on a mounted WinRE image to ensure the latest Safe OS Dynamic Update package is present. For more information, see Check the WinRE image version.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to physically access the target device. To gain access, an attacker must acquire the device after being unlocked by a legitimate user (target of opportunity) or possess the ability to pass device authentication or password protection mechanisms.
Are there additional steps that I need to take to be protected from this vulnerability?
Yes. You must apply the applicable Windows security update to your Windows Recovery Environment (WinRE). For more information about how to apply the WinRE update, see Add an update package to Windows RE.
IMPORTANT: End users and enterprises who are updating Windows devices which are already deployed in their environment can instead use the latest Windows Safe OS Dynamic Updates to update WinRE when the partition is too small to install the full Windows update. You can download the latest Windows Safe OS Dynamic Update from the Microsoft Update Catalog.
Acknowledgements
- Maxim Suhanov with CICADA8
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
- 6.3.9600.22221
- 6.3.9600.22221
- 10.0.14393.7428
- 10.0.14393.7428
- 10.0.14393.7428
- 10.0.14393.7428
- 10.0.10240.20796
- 10.0.10240.20796
- 10.0.26100.2033
- 10.0.26100.2033
- 10.0.20348.2751
- 10.0.22631.4317
- 10.0.22631.4317
- 10.0.19041.5000
- 10.0.19041.5000
- 10.0.19041.5000
- 10.0.22621.4317
- 10.0.22621.4317
- 10.0.19041.5000
- 10.0.19041.5000
- 10.0.19041.5000
- 10.0.22000.3250
- 10.0.22000.3250
- 10.0.20348.2751
- 10.0.20348.2751
- 10.0.17763.6414
- 10.0.17763.6414
- 10.0.17763.6414
- 10.0.17763.6414
Disclaimer
Revisions
Information published.