KB4575994 – List of Secure Boot DBX revocation to invalidate vulnerable modules

The new update KB4575994 provides the list of Secure Boot DBX revocations and a guide to invalidate vulnerable modules.

KB4575994

Windows 10 is going to receive an update in Spring 2022 to address a potential vulnerability in the Secure Boot configuration module. For now, a list of Secure Boot DBX revocations, together with a guide to apply it, has been published in KB4575994.

You may remember that on 29/07/2020, security advisory 200011 was published describing a new Secure Boot vulnerability. Devices that trust the Microsoft third-party UEFI Certificate Authority in their Secure Boot configuration may be susceptible to an attacker who has administrative rights or physical access to the device.

Secure Boot DBX revocation – KB4575994

The Secure Boot update binaries are hosted on this UEFI webpage.

The posted files are as follows:

1] UEFI Revocation List File for x86 (32-bit)
2] UEFI Revocation List File for x64 (64-bit)
3] UEFI Revocation List File for ARM64

Adding these hashes to the Secure Boot DBX prevents the listed applications from loading.

Remark: The files are arranged by architecture. Each hosted file contains only the hashes of applications that apply to that architecture, so you must apply the file that matches your device. In addition, you must install the update coming in the next few months for your architecture.

Attention: Read the main advisory article about this vulnerability before you try any of these steps. Your machine may not boot if the method is applied incorrectly.

This method applies only when both of the following conditions are true:

You have already verified that the device trusts the third-party Unified Extensible Firmware Interface (UEFI) CA in its Secure Boot configuration. To check this –

  1. Press Windows and X.
  2. Select – Windows PowerShell (Admin).
  3. Click Yes on the UAC prompt.
  4. Copy and paste the following command and press Enter; it prints True when the CA is present in the db –
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'

You do not rely on any boot application that this update blocks.

More information

Implementation of a DBX update on Windows –

Once the verification has returned a positive result, follow these steps to update the Secure Boot DBX:

1. Download the appropriate UEFI Revocation List File (Dbxupdate.bin) for your platform from this UEFI webpage as said in KB4575994.

2. Split the Dbxupdate.bin file into its components so that you can apply them with PowerShell commands. For this, follow these steps:

a. Go to the PowerShell Gallery webpage and download the SplitDbxContent.ps1 script.

b. Run the downloaded PowerShell script on the Dbxupdate.bin file –

SplitDbxContent.ps1 "c:\path\to\file\dbxupdate.bin"

c. Verify that the command created the following files:

Content.bin – update contents

Signature.p7 – signature authorizing the update process

3. In an administrative PowerShell session, execute the Set-SecureBootUefi cmdlet to apply the DBX update:

Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite

4. Reboot the machine to complete the update installation.
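The prerequisite check from the conditions section and the apply step above, combined into one script. This is an added example, not code from the KB or from this blog: it runs the KB's own checks, records the current DBX for later comparison, and only writes the update when -Apply is given. It assumes content.bin and signature.p7 from SplitDbxContent.ps1 sit in the current folder and that it is run from an elevated PowerShell session.

```powershell
# Added example, not code from the KB or the blog: pre-flight checks and a DBX backup
# before applying the split Dbxupdate.bin. Run from an elevated PowerShell session in the
# folder that holds content.bin and signature.p7 (the output of SplitDbxContent.ps1).
[CmdletBinding()]
param(
    [string]$ContentFile   = '.\content.bin',
    [string]$SignatureFile = '.\signature.p7',
    [string]$BackupDir     = '.\dbx-backup',
    [switch]$Apply          # without -Apply the script only checks and backs up
)
$ErrorActionPreference = 'Stop'

# 1. Secure Boot must be enabled (Confirm-SecureBootUEFI throws on non-UEFI machines).
if (-not (Confirm-SecureBootUEFI)) {
    throw 'Secure Boot is disabled; enable it before applying a DBX update.'
}

# 2. The device must trust the third-party UEFI CA; this is the KB's own check.
$dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
if ($dbText -notmatch 'Microsoft Corporation UEFI CA 2011') {
    Write-Host 'db does not contain "Microsoft Corporation UEFI CA 2011"; this update does not apply.'
    return
}

# 3. Both components produced by SplitDbxContent.ps1 must exist.
foreach ($f in $ContentFile, $SignatureFile) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing update component: $f" }
}

# 4. Record the current DBX before the append. This is for later comparison only:
#    the DBX is an authenticated variable, so the backup cannot simply be written back.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path (Resolve-Path $BackupDir).Path ("dbx-before-{0:yyyyMMdd-HHmmss}.bin" -f (Get-Date))
[System.IO.File]::WriteAllBytes($backup, (Get-SecureBootUEFI -Name dbx).Bytes)
Write-Host "Current DBX saved to $backup ($((Get-Item $backup).Length) bytes)"

if (-not $Apply) {
    Write-Host 'Pre-flight checks passed. Re-run with -Apply to stage the update, then reboot.'
    return
}

# 5. The KB's command: -AppendWrite adds the new hashes instead of replacing the DBX.
Set-SecureBootUEFI -Name dbx -ContentFilePath $ContentFile -SignedFilePath $SignatureFile `
    -Time 2010-03-06T19:17:21Z -AppendWrite
Write-Host 'DBX update staged; reboot to let the firmware apply it.'
```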

For details about the Secure Boot configuration cmdlet and how to use it for DBX updates, read the Set-SecureBootUefi documentation.

Verification of the successful update

After you have completed the steps in the previous section and rebooted the machine, follow these steps to confirm that the update was applied. After successful verification, your system will no longer be affected by the GRUB vulnerability.

  1. Go to the GitHub webpage and download the DBX update verification scripts.
  2. Unpack the scripts and binaries from the compressed file.
  3. Run the following PowerShell script from the folder that contains the expanded scripts and binaries to verify the DBX update –

Check-Dbx.ps1 '.\dbx-2021-April.bin'

Note: If a DBX update that matches the July 2020 or October 2020 versions from this revocation list file archive was applied, run the following appropriate command instead:

Check-Dbx.ps1 '.\dbx-2020-July.bin'
Check-Dbx.ps1 '.\dbx-2020-October.bin'

  4. Finally, verify that the output matches the expected result.
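A way to see for yourself what Check-Dbx.ps1 checks, as an added example that is not part of the KB or of the GitHub verification scripts: the script below parses the EFI_SIGNATURE_LIST structures of a DBX image, collects its SHA-256 revocation hashes, and reports which of them are missing from the firmware DBX read with Get-SecureBootUEFI. It assumes the expected image is the content.bin produced by SplitDbxContent.ps1 in step 2 (any raw concatenation of EFI_SIGNATURE_LIST structures works), and it uses the standard EFI_CERT_SHA256_GUID value from the UEFI specification.

```powershell
# Added example, not from the KB or the GitHub verification scripts: parse a raw DBX
# image (EFI_SIGNATURE_LIST structures) and report which of its SHA-256 revocation
# hashes are absent from the live firmware DBX. Default input: content.bin from step 2.
param([string]$ExpectedDbx = '.\content.bin')
$ErrorActionPreference = 'Stop'
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-DbxSha256Hashes {
    param([byte[]]$Bytes)
    # EFI_SIGNATURE_LIST: SignatureType GUID(16) | SignatureListSize(4) |
    # SignatureHeaderSize(4) | SignatureSize(4) | header | N x EFI_SIGNATURE_DATA,
    # where EFI_SIGNATURE_DATA = SignatureOwner GUID(16) | SignatureData(SignatureSize-16).
    $hashes = New-Object System.Collections.Generic.HashSet[string]
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        if ($type -eq $EfiCertSha256Guid -and $sigSize -eq 48) {   # 16-byte owner + 32-byte hash
            $pos = $offset + 28 + $headerSize
            while ($pos + $sigSize -le $offset + $listSize) {
                $hex = [BitConverter]::ToString($Bytes, $pos + 16, 32) -replace '-', ''
                [void]$hashes.Add($hex.ToLowerInvariant())
                $pos += $sigSize
            }
        }
        $offset += $listSize   # lists of other types (e.g. revoked certificates) are skipped
    }
    return $hashes
}

$expected = Get-DbxSha256Hashes ([System.IO.File]::ReadAllBytes((Resolve-Path $ExpectedDbx).Path))
$live     = Get-DbxSha256Hashes ((Get-SecureBootUEFI -Name dbx).Bytes)
$missing  = @($expected | Where-Object { -not $live.Contains($_) })

Write-Host "Expected SHA-256 entries: $($expected.Count); present in firmware DBX: $($live.Count)"
if ($missing.Count -eq 0) {
    Write-Host 'All expected revocation hashes are present in the firmware DBX.'
} else {
    Write-Host "$($missing.Count) expected hash(es) missing; the update has not taken effect:"
    $missing | ForEach-Object { Write-Host "  $_" }
}
```

Run it before the update to see the hashes that will be added, and again after the reboot to confirm the missing count has dropped to zero.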

Compatible versions –

Windows 10 for 32-bit
Windows 10 for x64-bit
Windows 10 2004 (32-bit)
Windows 10 2004 (ARM64)
Windows 10 2004 for x64-bit
Windows 10 1909 for 32-bit
Windows 10 1909 for ARM64
Windows 10 1909 for x64-bit
Windows 10 1903 for 32-bit
Windows 10 1903 for ARM64
Windows 10 1903 for x64-bit
Windows 10 1809 for 32-bit
Windows 10 1809 for ARM64
Windows 10 1809 for x64-bit
Windows 10 1803 for 32-bit
Windows 10 1803 for ARM64
Windows 10 1803 for x64-bit
Windows 10 1709 for 32-bit
Windows 10 1709 for ARM64
Windows 10 1709 for x64-bit
Windows 10 1607 for 32-bit
Windows 10 1607 for x64-bit
Windows 8.1 32-bit
Windows 8.1 x64-bit
Windows RT 8.1
Windows Server, 2004 (Server Core installation)
Windows Server, 1909 (Server Core installation)
Windows Server, 1903 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)

See –

  1. How to install Windows 11 without TPM and Secure Boot
  2. How to Find if Secure Boot is Turned on or Off in Windows 10

Source – Microsoft support

That’s all!!

  
About Sunita
Love to play with Windows 10. Suggestion - Going for Registry change or system files edit then remember to take a backup or create a restore point before Starting.