Microsoft recently published CVE-2024-20666, a bypass of BitLocker Device Encryption. As the severity of the CVE and the guidance from Microsoft become clearer, I am documenting here what I understand and have learnt so far.
Last Updated: 09/02/2024.
Information:
CVE ID: CVE-2024-20666
CVE Severity: Medium
CVSS Base Score: 6.6
CVE Description: A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.
Products Affected: Systems with BitLocker enabled (Windows 10, Windows 11)
Exploit Publicly Disclosed: No
Exploit Publicly Available: No
CVE reference URL: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666
Assumptions:
This article assumes:
Disclaimer:
The information on CVE-2024-20666 provided here is based on my research as of February 8, 2024, and is shared for informational purposes only. While I aim to offer helpful insights, I make no guarantees about the accuracy or completeness of this information. Users should consult official Microsoft documentation for guidance and verify any suggested remediation steps against their specific system configurations. This post is independent of Microsoft and is not endorsed by them. Use the information at your own risk.
Remediation:
NOTE: The script in remediation step #2.2 (Microsoft's PatchWinREScript_2004plus.ps1) is from 2022 and checks for the older revision numbers of the CVE-2022-41099 fix, e.g. ($fileRevision -ge 2247). It will still work for WinRE environments that have never been updated, but the latest WinRE update (KB5034232) does not touch the file that script inspects. If WinRE has already been patched for CVE-2022-41099, an alternative detection method is therefore needed to confirm that WinRE.wim is at ServicePack Build >= 3920 (the KB5034232 revision for Windows 10, version 2004 and later).
If you would like an example of an updated detection method, please see the end of this article.
Single Line PowerShell Command to check the current Windows RE Service Pack Build Version Number:
Thanks & credit to Jordan Mc Connell for the below single line PS:
& { $WinReLocation=((reagentc /info | Select-String " Windows RE Location:").Line -replace "Windows RE Location:\s+", "").trim(); $WinReBuild = ((dism /get-imageinfo /ImageFile:$WinReLocation\winre.wim /index:1 | Select-String "ServicePack Build :")); $WinReBuild}
Detailed Method to check the current Windows RE Service Pack Build Version Number:
Invoking "reagentc /info" will give you the path of the WinRE Environment.
EXAMPLE:
C:\WINDOWS\system32>reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:
    Windows RE status:         Enabled
    Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    <redacted>
This path can then be used with the DISM command below to determine the version numbers of the WinRE environment. The value to compare is the "ServicePack Build :" line of the output; the "Version :" line gives the OS build the image is based on (e.g. 10.0.19041 for Windows 10, version 2004 and later).
DISM /Get-ImageInfo /ImageFile:<windows_re_location>\winre.wim /index:1
EXAMPLE:
DISM /Get-ImageInfo /ImageFile:\\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE\winre.wim /index:1
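The two manual steps above combined into a single check, as an added example that is not part of the original article or of Microsoft's script: it reads the WinRE location from reagentc /info, queries winre.wim with dism /Get-ImageInfo, parses the "Version" and "ServicePack Build" lines, and compares the result against the 3920 minimum the article gives for Windows 10, version 2004 and later. The function names (Get-WinReImageInfo, Test-WinRePatchedForCve202420666) are this example's own; it needs an elevated PowerShell session, and the label matching assumes English-language tool output.

```powershell
# Added example (not from the original article or from Microsoft's script).
# Wraps the two manual steps above: read the WinRE location from 'reagentc /info',
# query the WIM with 'dism /Get-ImageInfo', and compare the ServicePack Build
# against the article's 3920 minimum for Windows 10, version 2004 and later.
# Function and parameter names are this example's own. Run elevated; the
# regexes assume English tool output.

function Get-WinReImageInfo {
    [CmdletBinding()]
    param()

    $reagentOutput = reagentc /info
    if ($LASTEXITCODE -ne 0) {
        throw "reagentc /info failed (exit $LASTEXITCODE). Are you running elevated?`n$($reagentOutput -join "`n")"
    }

    # Line of interest:
    #   Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    $locMatch = $reagentOutput | Select-String -Pattern 'Windows RE location:\s*(\S.*)$' | Select-Object -First 1
    if (-not $locMatch) {
        throw "No Windows RE location reported; WinRE is probably disabled ('Windows RE status: Disabled')."
    }
    $winReLocation = $locMatch.Matches[0].Groups[1].Value.Trim()
    $wimPath = "$winReLocation\winre.wim"

    $dismOutput = dism /Get-ImageInfo /ImageFile:"$wimPath" /Index:1
    if ($LASTEXITCODE -ne 0) {
        throw "dism /Get-ImageInfo failed for $wimPath (exit $LASTEXITCODE).`n$($dismOutput -join "`n")"
    }

    # DISM prints its own 'Version: 10.0.19041.3636' header with no space before
    # the colon; the image's line is 'Version : 10.0.19041', so require the space
    # and exactly three components.
    $verMatch = $dismOutput | Select-String -Pattern '^Version\s+:\s*(\d+)\.(\d+)\.(\d+)\s*$' | Select-Object -First 1
    $spMatch  = $dismOutput | Select-String -Pattern '^ServicePack Build\s*:\s*(\d+)\s*$' | Select-Object -First 1
    if (-not $verMatch -or -not $spMatch) {
        throw "Could not parse 'Version' / 'ServicePack Build' from DISM output for $wimPath."
    }

    [pscustomobject]@{
        WinReLocation    = $winReLocation
        WimPath          = $wimPath
        OsBuild          = [int]$verMatch.Matches[0].Groups[3].Value   # e.g. 19041
        ServicePackBuild = [int]$spMatch.Matches[0].Groups[1].Value    # e.g. 3920
    }
}

function Test-WinRePatchedForCve202420666 {
    [CmdletBinding()]
    param(
        # Minimum ServicePack Build for the Windows 10 2004-22H2 WinRE (KB5034232), per the article.
        [int]$MinimumServicePackBuild = 3920
    )

    $info = Get-WinReImageInfo

    # 3920 is only meaningful for the 19041-19045 (2004 to 22H2) family. Older
    # Windows 10 releases and Windows 11 have their own revision numbers, so do
    # not report a pass or fail for them here.
    if ($info.OsBuild -lt 19041 -or $info.OsBuild -gt 19045) {
        Write-Warning "WinRE OS build $($info.OsBuild) is outside the Windows 10 2004-22H2 family; the $MinimumServicePackBuild threshold does not apply."
        $patched = $null
    }
    else {
        $patched = $info.ServicePackBuild -ge $MinimumServicePackBuild
    }

    [pscustomobject]@{
        WimPath          = $info.WimPath
        OsBuild          = $info.OsBuild
        ServicePackBuild = $info.ServicePackBuild
        MinimumRequired  = $MinimumServicePackBuild
        Patched          = $patched
    }
}

Test-WinRePatchedForCve202420666 | Format-List
```

Patched is $true only when the image is in the 2004-22H2 family and at or above the threshold; a WinRE from a different release gives $null with a warning, so the check cannot silently pass on a build the threshold was never meant for.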
Updating WinRE to Remediate CVE-2024-20666:
Invoke the script from an elevated PowerShell session to update the WinRE environment with the KB5034232 package.
.\PatchWinREScript_2004plus -packagePath <path_to_kb5034232.cab>
Example:
.\PatchWinREScript_2004plus -packagePath "C:\users\*\Desktop\windows10.0-kb5034232-x64_ff4651e9e031bad04f7fa645dc3dee1fe1435f38.cab"
Use the same command from earlier OR the single line PowerShell command to check the current Windows RE Service Pack Build Version Number:
# Single Line PowerShell Command (Kudos JM):
& { $WinReLocation=((reagentc /info | Select-String " Windows RE Location:").Line -replace "Windows RE Location:\s+", "").trim(); $WinReBuild = ((dism /get-imageinfo /ImageFile:$WinReLocation\winre.wim /index:1 | Select-String "ServicePack Build :")); $WinReBuild}
# Detailed Method:
DISM /Get-ImageInfo /ImageFile:<windows_re_location>\winre.wim /index:1
EXAMPLE:
DISM /Get-ImageInfo /ImageFile:\\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE\winre.wim /index:1
Updated Detection Method for PatchWinREScript_2004plus.ps1
Replace the following sections of code:
Line #215: Change $targetBinary to point at "winload.exe", which is the binary KB5034232 actually updates.
$targetBinary=$mountDir + "\Windows\System32\winload.exe" #KB5034232
Lines #313-317: Change the $fileRevision comparison (and the log message) to the new "winload.exe" revision.
if ($fileRevision -ge 3920) #KB5034232
{
    LogMessage("Windows 10, version 2004 with revision " + $fileRevision + " >= 3920, updates have been applied")
Please note the below has not been tested but file versions for older Windows 10 versions appear to be:
#Windows 10, version 1507   10240.20400   #KB5034233
#Windows 10, version 1607   14393.6610    #KB5034230
#Windows 10, version 1809   17763.5322    #KB5034231
#Windows 10, version 2004   1904X.3920    #KB5034232
These can be updated in the same manner as above for each respective Windows version within the script.
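The same winload.exe check written as a stand-alone function rather than as an edit to Microsoft's script; this is an added example, not code from the article or from PatchWinREScript_2004plus.ps1. It mounts winre.wim read-only with the DISM PowerShell module, reads the file version of \Windows\System32\winload.exe, and compares its revision with the per-version minimums listed above (which the article notes are untested for the pre-2004 versions). The function and variable names (Get-WinReWimPath, Test-WinReWinloadRevision, $MinimumWinloadRevision) are this example's own; it needs an elevated session and a temporary mount directory under $env:TEMP.

```powershell
# Added example (not from the original article or from Microsoft's
# PatchWinREScript_2004plus.ps1). Performs the check the article's script edit
# makes (winload.exe revision inside the mounted winre.wim) as a stand-alone
# function using the DISM PowerShell module. Minimum revisions come from the
# article's table; the author notes the pre-2004 values are untested. Names are
# this example's own. Run elevated.

# Minimum winload.exe revision (FilePrivatePart) per WinRE OS build, from the article.
$MinimumWinloadRevision = @{
    10240 = 20400   # Windows 10, version 1507          (KB5034233)
    14393 = 6610    # Windows 10, version 1607          (KB5034230)
    17763 = 5322    # Windows 10, version 1809          (KB5034231)
    19041 = 3920    # Windows 10, version 2004 to 22H2  (KB5034232); 1904x binaries report build 19041
}

function Get-WinReWimPath {
    # Same reagentc parsing as the article's one-liner, returning the full path to winre.wim.
    $loc = reagentc /info | Select-String -Pattern 'Windows RE location:\s*(\S.*)$' | Select-Object -First 1
    if (-not $loc) { throw "Could not read the Windows RE location from 'reagentc /info' (WinRE disabled or not elevated?)." }
    return "$($loc.Matches[0].Groups[1].Value.Trim())\winre.wim"
}

function Test-WinReWinloadRevision {
    [CmdletBinding()]
    param(
        [string]$WimPath = (Get-WinReWimPath),
        [hashtable]$Minimums = $MinimumWinloadRevision
    )

    $mountDir = Join-Path $env:TEMP ("WinReCheck_" + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $mountDir | Out-Null
    $mounted = $false
    try {
        # Read-only mount: this only inspects the image, it does not service it.
        Mount-WindowsImage -ImagePath $WimPath -Index 1 -Path $mountDir -ReadOnly | Out-Null
        $mounted = $true

        $vi       = (Get-Item (Join-Path $mountDir 'Windows\System32\winload.exe')).VersionInfo
        $build    = $vi.FileBuildPart     # e.g. 19041
        $revision = $vi.FilePrivatePart   # e.g. 3920

        $minimum = $Minimums[$build]
        if ($null -eq $minimum) {
            # Builds outside the table (Windows 11, for example) get no verdict rather than a false pass.
            Write-Warning "No minimum revision known for winload.exe build $build; check Microsoft's guidance for that release."
            $patched = $null
        }
        else {
            $patched = $revision -ge $minimum
        }

        [pscustomobject]@{
            WimPath         = $WimPath
            WinloadVersion  = "$($vi.FileMajorPart).$($vi.FileMinorPart).$build.$revision"
            MinimumRevision = $minimum
            Patched         = $patched
        }
    }
    finally {
        # Always unmount, even if the version read threw, or the next mount attempt fails.
        if ($mounted) { Dismount-WindowsImage -Path $mountDir -Discard | Out-Null }
        Remove-Item -Path $mountDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Test-WinReWinloadRevision | Format-List
```

The unmount sits in a finally block because a winre.wim left mounted under %TEMP% blocks later servicing until it is cleaned up with Dismount-WindowsImage or dism /Cleanup-Wim. To extend the check to another release, add its build and revision to $MinimumWinloadRevision from Microsoft's guidance for that release rather than assuming the 3920 value.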