VU#226679: Microsoft WinRE all... Note

VU#226679: Microsoft WinRE allows for bypass of UEFI/BIOS password enforcement

The Windows Recovery Environment (WinRE) in Windows 10 and 11 can be exploited to bypass UEFI/BIOS firmware security controls. Attackers with physical or administrative access can leverage WinRE's alternate boot path. This path may not enforce the same security measures applied during a normal boot. Specifically, administrative UEFI/BIOS passwords might not be enforced during certain recovery operations. This vulnerability is similar to "Evil Maid" attacks, where physical access is used to alter security settings. The UEFI BootNext variable, which can be set to override the standard boot order, is not authenticated and can be exploited. While Secure Boot validates signed applications, the UEFI specification doesn't mandate a full reset after BootNext is set. This allows bypassing pre-boot security like passwords and potentially BitLocker. Organizations with high security needs should implement additional controls beyond just UEFI/BIOS passwords. Microsoft has released advisories and mitigations for WinRE-related vulnerabilities. Recommended solutions include disabling WinRE if not needed, requiring administrative authorization for recovery, and enabling BitLocker with TPM and PIN or startup key. Restricting pluggable media, EFI System Partitions, and UEFI NVRAM modifications are also advised. Deploying EDR solutions for pre-boot security and implementing robust physical security controls are crucial for highly sensitive systems.