Remediating CVE-2024-20666 - BitLocker Security Feature Bypass Vulnerability (2024)

Microsoft have recently announced CVE-2024-20666 for BitLocker Device Encryption. As we start to understand the severity of the CVE and unpick the guidance from Microsoft, I am hoping to document what I understand and have learnt so far.

Last Updated: 09/02/2024.

Information:

CVE ID: CVE-2024-20666

CVE Severity: Medium

CVSS Base Score: 6.6

CVE Description: A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

Products Affected: ["Systems with Bitlocker enabled, Windows 10, Windows 11"]

Exploit Publicly Disclosed: No

Exploit Publicly Available: No

Assumptions:

This article assumes:

• You are running Windows 10, version 2004 or later.
• The WinRE (recovery partition) has 250 MB of free space.
• You have admin rights on the machine.

Disclaimer:

The information on CVE-2024-20666 provided here is based on my research as of February 8, 2024, and is shared for informational purposes only. While I aim to offer helpful insights, I make no guarantees about the accuracy or completeness of this information. Users should consult official Microsoft documentation for guidance and verify any suggested remediation steps against their specific system configurations. This post is independent of Microsoft and is not endorsed by them. Use the information at your own risk.

Remediation:

1. Install patch for Microsoft Windows 10 19045 (Workstation): Security Update KB5034122
2. Complete these remediation steps provided in the vendor advisories.

• Download KB5034232 (or latest Windows Safe OS Dynamic Update) as per KB article.These can be found at the Microsoft Update Catalog.
• Apply above KB/Windows Safe OS Dynamic Update as per this KB article,taking into considerationnotebelow.

NOTE: The script in remediation step #2.2 is from 2022 and references older version numbers - e.g. ($fileRevision -ge 2247). Whilst this script will work for WinRE environments that have never been updated, the latest WinRE update does not update this file so an alternative detection method should be used if WinRE has been patched for CVE-2022-41099, to ensure WinRE.wim is at ServicePack Build >=3920.

If you would like an example of an updated detection method, please see the end of this article.

Single Line PowerShell Command to check the current Windows RE Service Pack Build Version Number:

& { $WinReLocation=((reagentc /info | Select-String " Windows RE Location:").Line -replace "Windows RE Location:\s+", "").trim(); $WinReBuild = ((dism /get-imageinfo /ImageFile:$WinReLocation\winre.wim /index:1 | Select-String "ServicePack Build :")); $WinReBuild} 

Detailed Method to check the current Windows RE Service Pack Build Version Number:

Invoking "reagentc /info" will give you the path of the WinRE Environment.

EXAMPLE:C:\WINDOWS\system32>reagentc /infoWindows Recovery Environment (Windows RE) and system reset configurationInformation: Windows RE status: Enabled Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE<redacted> 

This path can then be used with the DISM command below to determine the version numbers of the WinRE environment.

DISM /Get-ImageInfo /ImageFile:<windows_re_location>\winre.wim /index:1EXAMPLE:DISM /Get-ImageInfo /ImageFile:\\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE\winre.wim /index:1 

Updating WinRE to Remediate CVE-2024-20666:

Invoke the script to update the WinRE environment.

.\PatchWinREScript_2004plus -packagePath <path_to_kb5034232.cab> 

Example:

.\PatchWinREScript_2004plus -packagePath "C:\users\*\Desktop\windows10.0-kb5034232-x64_ff4651e9e031bad04f7fa645dc3dee1fe1435f38.cab" 

Use the same command from earlier OR the single line PowerShell command to check the current Windows RE Service Pack Build Version Number:

# Single Line PowerShell Command (Kudos JM):& { $WinReLocation=((reagentc /info | Select-String " Windows RE Location:").Line -replace "Windows RE Location:\s+", "").trim(); $WinReBuild = ((dism /get-imageinfo /ImageFile:$WinReLocation\winre.wim /index:1 | Select-String "ServicePack Build :")); $WinReBuild} 

# Detailed Method:DISM /Get-ImageInfo /ImageFile:<windows_re_location>\winre.wim /index:1EXAMPLE:DISM /Get-ImageInfo /ImageFile:\\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE\winre.wim /index:1 

Updated Detection Method for PatchWinREScript_2004plus.ps1

Replace the following sections of code:

Line #215: Change $targetBinary to look at "winload.exe", which has actually been updated in KB5034232.

$targetBinary=$mountDir + "\Windows\System32\winload.exe" #KB5034232 

Line #313-317: Change $fileRevision to >= new "winload.exe" version.

if ($fileRevision -ge 3920) #KB5034232{LogMessage("Windows 10, version 2004 with revision " + $fileRevision + " >= 3920, updates have been applied") 

Please note the below has not been tested but file versions for older Windows 10 versions appear to be:

#Windows 10, version 1507 10240.20400 #KB5034233#Windows 10, version 1607 14393.6610 #KB5034230#Windows 10, version 1809 17763.5322 #KB5034231#Windows 10, version 2004 1904X.3920 #KB5034232 

These can be updated in the same manner as above for each respective Windows version within the script.