The Fixlet/Task ID 656 is designed to determine whether a system is vulnerable to CVE-2023-24932; it does not perform any remediation.
Yes, it's expected behavior. The task is intended to collect and report system state, not to fix it. It remains relevant so that it can be re-run if needed.
For validation, you can review the output JSON file generated on the endpoint:
Thanks for the reply. I need to check each endpoint one-by-one?
And what is expected in that file? I have opened one for example and it gives me this:
I found that I have applied fixlet ID 502588501 back in 2023 (also related to KB5025885). Does that mean that I need to reapply it? I still see my endpoints as relevant to this fixlet.
The Secure Boot DBX update is a very complex thing to detect. The UEFI areas involved are not generally visible in a standard way, and it requires running a probe action to detect whether the system is vulnerable / whether the update can be applied.
The Task you are looking at, Task 656, runs an action to check whether the machine is vulnerable.
The output of that task is not something you should need to check yourself - we already have a fixlet checking for that output. There is a related Fixlet, 502588501: "5025885: Manage of the Windows Boot Manager revocations for Secure Boot changes associated with (CVE-2023-24932) - KB5025885".
If your systems are not relevant for Fixlet 502588501, they should not be vulnerable. There is a condition, though, where the probe result file can be deleted or the UEFI update could be applied outside of BigFix, so the update Fixlet is relevant: a false-positive case. Running the Probe Task 656 will re-evaluate the UEFI configuration and update the probe result file, clearing the false-positive condition and making Fixlet 502588501 non-relevant again.
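For readers who want to confirm the underlying Secure Boot state on a single endpoint independently of the BigFix probe, for example when a host looks like the false-positive case described above, the following PowerShell is an added example. It is not the Task 656 probe, not BigFix code, and it does not read or write the probe's result file; it only queries the UEFI signature databases and the servicing registry value that KB5025885 documents, using the stock SecureBoot cmdlets. It assumes a UEFI Windows 10/11 host and an elevated PowerShell session; the function name `Get-SecureBootRevocationState` is our own.

```powershell
# Added example (not from the forum thread or BigFix): read-only check of the
# CVE-2023-24932 / KB5025885 Secure Boot state on one Windows endpoint.
# Requires an elevated session on a UEFI system with the SecureBoot module.

function Get-SecureBootRevocationState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{
        SecureBootEnabled     = $null
        WindowsUefiCa2023InDb = $null   # new boot manager signing CA trusted (DB)
        Pca2011InDbx          = $null   # old 2011 PCA revoked (DBX)
        AvailableUpdates      = $null   # pending servicing steps staged by KB5025885
    }

    try {
        $state.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS / non-UEFI hosts throw here; there is no DB/DBX to inspect.
        $state.SecureBootEnabled = $false
        return [pscustomobject]$state
    }

    # Certificate subject names are stored as printable ASCII inside the DER blobs
    # held in the signature databases, so a string match is enough to test presence.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    $state.WindowsUefiCa2023InDb = [bool]($db  -match 'Windows UEFI CA 2023')
    $state.Pca2011InDbx          = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')

    # KB5025885 stages its steps through this DWORD; a non-zero value means work
    # is still pending for the next reboot(s), zero/absent means nothing is staged.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $state.AvailableUpdates = (Get-ItemProperty -Path $key -Name AvailableUpdates `
        -ErrorAction SilentlyContinue).AvailableUpdates

    [pscustomobject]$state
}

$result = Get-SecureBootRevocationState
$result | Format-List

if ($result.SecureBootEnabled -and $result.WindowsUefiCa2023InDb -and $result.Pca2011InDbx) {
    Write-Output 'Mitigation state: 2023 CA present in DB and 2011 PCA revoked in DBX.'
} else {
    Write-Output 'Mitigation incomplete, not yet applied, or not verifiable on this host.'
}
```

A host where this reports the 2023 CA in DB and the 2011 PCA in DBX has had the update applied regardless of how it got there; if such a host still shows as relevant to Fixlet 502588501, re-running Probe Task 656 so the probe result file is refreshed is the way to clear that, as described in the reply above.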