CVE-2020-0689: Microsoft Secure Boot Security Feature Bypass Vulnerability

Overview

Severity: High (CVSS 8.2)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
Category: Security Feature Bypass
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Publicly Disclosed: Yes
Patch Tuesday: 2020-Feb
Released: 2020-02-11
Last Updated: 2022-11-15
EPSS Score: 0.13% (percentile: 32.9%)

Description

A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability can bypass secure boot and load untrusted software. To exploit the vulnerability, an attacker could run a specially crafted application. The security update addresses the vulnerability by blocking vulnerable third-party bootloaders. For further information see Security update for Secure Boot DBX: January 12, 2021.

FAQ

Why are there different security update packages for this CVE?
These are standalone security updates. These packages must be installed in addition to the normal security updates to be protected from this vulnerability.

Are there any prerequisites to these security updates?
These security updates have a Servicing Stack Update prerequisite for specific KB numbers. The packages have built-in prerequisite logic to ensure the ordering. Customers should ensure that they have the following Servicing Stack Update installed before installing these standalone security updates:

  • Windows Server 2012: SSU package 4566426 (released July 2020)
  • Windows 8.1/Server 2012 R2: SSU package 4524445 (released July 2020)
  • Windows 10: SSU package 4565911 (released July 2020)
  • Windows 10 Version 1607/Server 2016: SSU package 4576750 (released September 2020)
  • Windows 10 1803/Windows Server, version 1803: SSU package 4580398 (released October 2020)
  • Windows 10 1809/Server 2019: SSU package 4598480 (released January 2021)
  • Windows 10 1909/Windows Server, version 1909: SSU package 4598479 (released January 2021)

If I need to manually install these standalone updates, a Servicing Stack Update, and a January 2021 Security Update, in what order should they be installed?
Customers who need to manually install these three updates should install them in the following order:

  1) Servicing Stack Update
  2) Standalone Secure Boot Update listed in this CVE
  3) January 2021 Security Update

Customers whose systems are configured to receive automatic updates will automatically receive these updates in the correct order.

Is there anything else that I should know about these updates?
If Windows Defender Credential Guard (Virtual Secure Mode) is enabled, two additional reboots will be required.

Why have the x86 and ARM64 versions of Windows been removed from the Security Updates table?
The x86 and ARM64 versions of Windows have been removed because these architectures are not affected by this vulnerability.
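A verification script for a host that has received the update, added here as an example and not part of the Microsoft advisory: it checks that Secure Boot is enforcing, parses the UEFI DBX (the forbidden-signatures database the update extends) to count its entries, confirms one of the KBs named in the revision history is installed, and flags the Credential Guard reboot requirement from the FAQ. The EFI_SIGNATURE_LIST layout and EFI_CERT_SHA256_GUID are from the UEFI specification; the cmdlets are the built-in SecureBoot module, Get-HotFix and the Win32_DeviceGuard CIM class, which are assumed to be available on the host.

```powershell
# Added example, not from the advisory: post-update checks for CVE-2020-0689.
# Run in an elevated Windows PowerShell 5.1 session on a UEFI-booted system.
#Requires -RunAsAdministrator

# KB numbers taken from the advisory's revision history (KB5012170 supersedes the others).
$secureBootKBs = @('KB5012170', 'KB4535680', 'KB4524244')

# 1. DBX entries only matter when Secure Boot is actually enforcing.
$secureBootOn = Confirm-SecureBootUEFI
Write-Host "Secure Boot enabled: $secureBootOn"

# 2. Read the UEFI DBX variable and count its entries. It is a sequence of
#    EFI_SIGNATURE_LIST structures: SignatureType GUID (16 bytes), SignatureListSize (4),
#    SignatureHeaderSize (4), SignatureSize (4), optional header, then fixed-size
#    entries of SignatureOwner GUID (16 bytes) + signature data.
$dbx        = (Get-SecureBootUEFI -Name dbx).Bytes
$sha256Type = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
$offset = 0; $sha256Entries = 0; $otherEntries = 0
while ($offset + 28 -le $dbx.Length) {
    $typeBytes  = [byte[]]$dbx[$offset..($offset + 15)]
    $type       = New-Object -TypeName System.Guid -ArgumentList (,$typeBytes)
    $listSize   = [BitConverter]::ToUInt32($dbx, $offset + 16)
    $headerSize = [BitConverter]::ToUInt32($dbx, $offset + 20)
    $sigSize    = [BitConverter]::ToUInt32($dbx, $offset + 24)
    # Stop on a malformed list rather than looping forever or reading past the end.
    if ($listSize -lt 28 -or $sigSize -eq 0 -or $offset + $listSize -gt $dbx.Length) { break }
    $count = [math]::Floor(($listSize - 28 - $headerSize) / $sigSize)
    if ($type -eq $sha256Type) { $sha256Entries += $count } else { $otherEntries += $count }
    $offset = [int]($offset + $listSize)
}
Write-Host "DBX entries: $sha256Entries SHA-256 hashes, $otherEntries other (the count grows once the DBX update is applied)"

# 3. Confirm one of the standalone Secure Boot updates is installed.
$installed = Get-HotFix | Where-Object { $secureBootKBs -contains $_.HotFixID }
if ($installed) {
    Write-Host "Standalone Secure Boot update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "None of $($secureBootKBs -join ', ') is installed; the DBX has not been updated by this package."
}

# 4. Credential Guard (VSM) adds two extra reboots to the update, so flag it (1 = Credential Guard running).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 1)) {
    Write-Host 'Credential Guard is running: expect two additional reboots after installing the update.'
}
```

Compare the DBX entry count before and after installing the KB, or against a known-good host, since the advisory does not publish the exact number of hashes the update adds.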

Affected Products (16)

Windows

  • Windows 10 Version 1803 for x64-based Systems
  • Windows Server, version 1803 (Server Core Installation)
  • Windows 10 Version 1809 for x64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows 8.1 for x64-based systems
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1909 (Server Core installation)

Security Updates (2)

Revision History

  • 2020-02-11: Information published.
  • 2020-02-12: Updated the FAQ to include order of installation for Servicing Stack, standalone updates for this vulnerability, and February Security updates. This is an informational change only.
  • 2021-01-12: To comprehensively address CVE-2020-0689, Microsoft has released Security Update 4535680 for all affected versions of Windows 10; Windows 8.1 and Server 2012 R2, and Windows Server 2012. In addition, the following revisions have been made: 1) Updated Servicing Stack Updates (SSU) to reflect the most recent SSU for affected Windows versions. 2) Removed all 32-bit and ARM64-based versions of Windows from the Security Updates table as these architectures are not affected by the vulnerability. 3) Removed versions of Windows that are no longer in support from the Security Updates table as there is no update available for them.
  • 2022-11-15: In the Security Updates table, updated the Download and Article links to provide links to standalone security update KB5012170 for Secure Boot. This update supersedes previous updates KB4535680 and KB4524244, which have been expired as of November 2022. Microsoft recommends that customers install KB5012170 to be fully protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. Please note that KB5012170 is not available for Windows 10 version 1803 and Windows 10 version 1909 as these versions are no longer in support. For more information see KB5012170.