Windows has long had a troubleshooting feature that can be used during installs: SHIFT+F10 brings up a command prompt. While this has many advantages, it can be abused. For example, during the more frequent feature updates in Windows 10 (as opposed to the old practice of providing a distinct new OS version), pressing SHIFT+F10 gives the user admin privileges while BitLocker is disabled.
Windows expert Sami Laiho blogged about the issue yesterday. “There is a small but CRAZY bug in the way the ‘Feature Update’ (previously known as “Upgrade”) is installed,” he wrote. This includes the troubleshooting feature that allows you to press SHIFT+F10 to get a Command Prompt. “This sadly,” he says, “allows for access to the hard disk as during the upgrade Microsoft disables BitLocker.”
It is the ability to bypass BitLocker that makes this a serious if not a major issue. The attacker almost certainly needs physical access to the target machine during a relatively short time frame. Nevertheless, “The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine,” adds Laiho. “And of course that this doesn’t require any external hardware or additional software.”
Andy Patel, a security expert with F-Secure, has been considering how this could be used in a live attack. He considered whether a laptop could be stolen, and the system ‘tricked’ into assuming a feature update. While technically possible, if the attacker has ownership of the laptop, he would probably have easier methods of defeating BitLocker.
Nevertheless, Patel told SecurityWeek, “Microsoft does tend to telegraph the timing of its feature updates.” This would give a disgruntled but tech-savvy employee a window in which to obtain elevated access to the system, and do whatever he wishes. “The risk exists,” he said, “albeit a difficult one to exploit.”
Laiho adds that there is also the risk of an external threat with access to a computer that just “waits for it to start an upgrade to get into the system.” He is sufficiently concerned to have advised his customers to use Microsoft’s Long Time Servicing Branch (LTSB) for the time being. This (the Current Branch) forces Microsoft’s earlier update process rather than the newer, and vulnerable, feature update process. He also advises that companies should not allow unattended updates, and should “Keep very tight watch on the Insiders.”
While the SHIFT+F10 feature has existed with earlier versions of Windows, and could also be used to bypass BitLocker on Windows 7 & 8, it is only with the advent of Windows 10’s inplace upgrades that it has become a real vulnerability. Laiho himself notes that he used it as long ago as NT when he pressed SHIFT+F10 so that he could play solitaire while doing a new NT install.
His solution of staying on LTSB, however, has caused some disagreement among admins and others (in the blog comment stream). One suggested, “The LTSB isn’t designed for use as a daily driver. Full stop. Users will encounter significant usability issues.” He added, “The impact of this issue to any organization must be examined in the context of their threat model. Again: if bad actors have the freedom of access to wait for updates, then your organization has much bigger issues.”
Laiho countered that in his travels he had “seen hundreds of computers doing upgrades at airports so I agree there is a bigger problem but I don’t see how having a bigger problem would have prevented me from using this to access the machine rather than anything that is harder.”
There is a risk here. That cannot be denied. How individual companies respond to that risk will depend on their own risk appetite — but they should at least be aware of it. Laiho waited until Microsoft Product Groups confirmed to him that they “not only know about this but that they have begun working on a fix.” Any company confident that a fix is genuinely coming could use LTSB in the interim, switching back to the Current Branch of updates once the fix is in place.
Source: SANS ISC SecNewsFeed @ November 29, 2016 at 11:45AM