Hello all,
Has anyone tried addressing the Windows Boothole vulnerability by following Microsoft’s guidance and running a few PowerShell scripts on the machines (https://support.microsoft.com/en-us/help/4575994/microsoft-guidance-for-applying-secure-boot-dbx-update)?
I created a fixlet to address this vulnerability. The SplitDB script seems to be working, but the second command, the one that runs the command to update the certificates in the boot loader, seems to be failing.
I’ve tried running the same commands in a “SYSTEM” powershell via psexec and they work. Just curious how other folks have skinned (or not skinned) Boothole.
The fixlet content (note: I’ve been playing around with different versions of this fixlet, so there might be a few lines that don’t fit/make sense, like deleting a file that is not later used) is below:
// Download files from Cloud Storage
download as dbxupdate_x64.bin "http://SuperAwesomeCloudStorageURL/filename"
download as SplitDbxContent.ps1 "http://SuperAwesomeCloudStorageURL/filename"
download as bootHoleFix.ps1 "http://SuperAwesomeCloudStorageURL/filename"
//Delete any existing files that may cause a conflict
delete "c:\temp\boot.ps1"
delete "c:\temp\SplitDbxContent.ps1"
delete "c:\temp\signature.p7"
delete "c:\temp\content.bin"
delete "c:\temp\dbxupdate_x64.bin"
delete "c:\temp\bootHoleFix.ps1"
delete __createfile
delete __appendfile
//Check if temp folder exists
if {not exists folder "C:\temp"}
folder create "c:\temp"
endif
//Move files to temp
move __Download\dbxupdate_x64.bin "c:\temp\dbxupdate_x64.bin"
move __Download\SplitDbxContent.ps1 "c:\temp\SplitDbxContent.ps1"
move __Download\bootHoleFix.ps1 "c:\temp\bootHoleFix.ps1"
// Step 1: split the signed DBX update into content.bin and signature.p7
waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -File "c:\temp\SplitDbxContent.ps1" "c:\temp\dbxupdate_x64.bin"
// Step 2: append the split content to the DBX variable
waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -File "c:\temp\bootHoleFix.ps1"
//cleanup
delete "c:\temp\boot.ps1"
delete "c:\temp\SplitDbxContent.ps1"
delete "c:\temp\signature.p7"
delete "c:\temp\content.bin"
delete "c:\temp\dbxupdate_x64.bin"
delete "c:\temp\bootHoleFix.ps1"
//Pending Restart
action requires restart "BootHole Fix"
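For comparison, here is an added PowerShell example that folds the two steps the fixlet above runs (split the signed DBX update, then append it to the dbx variable with Set-SecureBootUEFI) into one script with pre-checks and exit codes a deployment tool can act on. This is not the poster's bootHoleFix.ps1 and not Microsoft's SplitDbxContent.ps1; it is example code written for this page. It assumes dbxupdate_x64.bin from Microsoft's DBX update package is already in C:\temp, that it runs elevated (SYSTEM or an administrator) on a UEFI system with Secure Boot enabled, and that the file uses the standard EFI_VARIABLE_AUTHENTICATION_2 layout (EFI_TIME timestamp, WIN_CERTIFICATE_UEFI_GUID wrapper, then the signed EFI_SIGNATURE_LIST payload). The script name, parameter names and exit codes are hypothetical.

```powershell
# Apply-DbxUpdate.ps1 (added example; not the poster's fixlet script and not Microsoft's SplitDbxContent.ps1)
# Assumptions: dbxupdate_x64.bin is in C:\temp, the script runs elevated on a UEFI machine
# with Secure Boot enabled. Parameter names and exit codes are hypothetical.
param(
    [string]$DbxFile = 'C:\temp\dbxupdate_x64.bin',
    [string]$WorkDir = 'C:\temp'
)
$ErrorActionPreference = 'Stop'

# Pre-checks: dbx can only be written from an elevated context, and only when Secure Boot is on.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { Write-Error 'Not elevated; cannot write dbx.'; exit 1 }
if (-not (Confirm-SecureBootUEFI)) { Write-Error 'Secure Boot is not enabled; DBX update skipped.'; exit 2 }

# Parse the EFI_VARIABLE_AUTHENTICATION_2 wrapper (UEFI spec layout):
#   [0..15]            EFI_TIME timestamp (Year UINT16, Month, Day, Hour, Minute, Second, ...)
#   [16..19]           WIN_CERTIFICATE.dwLength: header + CertType GUID + PKCS#7 blob
#   [20..21]/[22..23]  wRevision / wCertificateType (0x0EF1 = WIN_CERT_TYPE_EFI_GUID)
#   [24..39]           CertType GUID, expected EFI_CERT_TYPE_PKCS7_GUID
#   [40..16+dwLength)  PKCS#7 SignedData (-> signature.p7)
#   [16+dwLength..]    signed payload of EFI_SIGNATURE_LISTs (-> content.bin)
$bytes    = [System.IO.File]::ReadAllBytes($DbxFile)
if ($bytes.Length -lt 40) { Write-Error "$DbxFile is too short to be an authenticated variable."; exit 3 }
$dwLength = [System.BitConverter]::ToUInt32($bytes, 16)
$certType = [System.BitConverter]::ToUInt16($bytes, 22)
$certGuid = [guid]::new([byte[]]$bytes[24..39])
$pkcs7Guid = [guid]'4aafd29d-68df-49ee-8aa9-347d375665a7'   # EFI_CERT_TYPE_PKCS7_GUID
if ($certType -ne 0x0EF1 -or $certGuid -ne $pkcs7Guid) {
    Write-Error ("Unexpected certificate wrapper: type 0x{0:X4}, GUID {1}" -f $certType, $certGuid); exit 3
}
$sigStart     = 16 + 8 + 16
$contentStart = 16 + $dwLength
if ($contentStart -le $sigStart -or $contentStart -ge $bytes.Length) {
    Write-Error "dwLength ($dwLength) does not fit the file length ($($bytes.Length))."; exit 3
}
$signature = [byte[]]$bytes[$sigStart..($contentStart - 1)]
$content   = [byte[]]$bytes[$contentStart..($bytes.Length - 1)]
# A DER-encoded PKCS#7 SignedData always starts with a SEQUENCE tag (0x30).
if ($signature[0] -ne 0x30) { Write-Error 'Extracted signature is not DER (no leading 0x30).'; exit 3 }

# The -Time passed to Set-SecureBootUEFI must match the EFI_TIME the payload was signed with,
# so read it from the file instead of hard-coding it. For Microsoft's package this yields
# 2010-03-06T19:17:21Z, the value in Microsoft's guidance.
$timeArg = '{0:D4}-{1:D2}-{2:D2}T{3:D2}:{4:D2}:{5:D2}Z' -f `
    [System.BitConverter]::ToUInt16($bytes, 0), $bytes[2], $bytes[3], $bytes[4], $bytes[5], $bytes[6]

$sigPath     = Join-Path $WorkDir 'signature.p7'
$contentPath = Join-Path $WorkDir 'content.bin'
[System.IO.File]::WriteAllBytes($sigPath, $signature)
[System.IO.File]::WriteAllBytes($contentPath, $content)

# Append to dbx. Record the variable size before and after as a sanity check;
# an append that the firmware accepted should make it grow.
$before = (Get-SecureBootUEFI -Name dbx).Bytes.Length
try {
    Set-SecureBootUEFI -Name dbx -ContentFilePath $contentPath -SignedFilePath $sigPath `
        -Time $timeArg -AppendWrite | Out-Null
} catch {
    Write-Error "Set-SecureBootUEFI failed: $($_.Exception.Message)"; exit 4
}
$after = (Get-SecureBootUEFI -Name dbx).Bytes.Length
Write-Output "dbx size before: $before bytes, after: $after bytes (time=$timeArg, payload=$($content.Length) bytes)"
exit 0
```

Because everything the fixlet needs to decide on is in one process, the fixlet can run this once with a single waithidden and check the result with a `continue if {exit code of action = 0}` line before `action requires restart`, instead of running two scripts and only learning that the second one failed by inspecting the endpoint afterwards. The checks on the WIN_CERTIFICATE type, the PKCS#7 GUID and the leading DER tag are there so that a truncated or wrongly downloaded dbxupdate_x64.bin fails loudly before anything is written to firmware.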