So, now that CVE-2023-21563 and CVE-2023-21560 got patched:
I initially saw the fixes for these two land in bootmgfw.efi of rs_prerelease build 25236, which was released on 2022-11-02.
The underlying issue for CVE-2023-21563 is easily deduced from bindiffing.
Patch, and make sure your osdevice BitLocker is configured securely. (This means legacy integrity validation set to PCRs 0, 2, 4, 7, 11. If you use Secure Boot as integrity validation - the default setting - then you're still vulnerable to downgrade attacks.)
Also, just to be clear: CVE-2023-21560, named "Windows Boot Manager Security Feature Bypass Vulnerability", is mentioned in its FAQs as being a BitLocker bypass. It can also be used to bypass Secure Boot.
#infosec #BitLocker #CVE_2023_21560 #CVE_2023_21563 #PatchTuesday
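One way to check the PCR validation profile recommended above, added here as an example and not part of the original post. It assumes the English-language text layout of `manage-bde -protectors -get`; the function name `Test-BitLockerPcrProfile` and the sample outputs are constructed for illustration, and "compliant" is taken to mean that PCRs 0, 2, 4, 7, 11 are all present and Secure Boot-based validation is not in use.

```powershell
# Added example: assumes English-language manage-bde text output.
$RequiredPcrs = 0, 2, 4, 7, 11   # legacy profile named in the post

function Test-BitLockerPcrProfile {
    param([Parameter(Mandatory)][string[]]$ProtectorOutput)
    $lines = @($ProtectorOutput -split "`r?`n")
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -notmatch '^\s*PCR Validation Profile:') { continue }
        # The PCR list is printed on the next non-empty line.
        $j = $i + 1
        while ($j -lt $lines.Count -and -not $lines[$j].Trim()) { $j++ }
        if ($j -ge $lines.Count) { break }
        $pcrs = @([regex]::Matches($lines[$j], '\d+') | ForEach-Object { [int]$_.Value })
        # Secure Boot-based validation is flagged on the line after the list.
        $secureBoot = ($j + 1 -lt $lines.Count) -and ($lines[$j + 1] -match 'Uses Secure Boot')
        $missing = @($RequiredPcrs | Where-Object { $_ -notin $pcrs })
        # One result object per protector that carries a PCR profile.
        [pscustomobject]@{
            Pcrs           = $pcrs -join ', '
            UsesSecureBoot = $secureBoot
            MissingPcrs    = $missing -join ', '
            Compliant      = (-not $secureBoot) -and ($missing.Count -eq 0)
        }
    }
}

# Constructed sample outputs (placeholder IDs), not captured from a real machine.
$secureBootSample = @'
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)
'@
$legacySample = @'
Volume C: [Windows]
All Key Protectors

    TPM And PIN:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        0, 2, 4, 7, 11
'@
Test-BitLockerPcrProfile $secureBootSample
Test-BitLockerPcrProfile $legacySample
```

On a live system, pass the real output from an elevated prompt: `Test-BitLockerPcrProfile (manage-bde -protectors -get C:)`.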