Is CVE-2024-20666 Bitlocker vulnerability mitigated by disabling Windows RE or removing the recovery partition?
Taking Microsoft's page on CVE-2024-20666 at face value, that Bitlocker vulnerability is darn serious in an "evil maid" attack:
A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device.
| Metric | Value |
| --- | --- |
| Attack Vector | Physical. The attack requires the attacker to physically touch or manipulate the vulnerable component. |
| Attack Complexity | Low. Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. |
| Privileges Required | Low. The attacker is authorized with (i.e., requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. |
| User Interaction | None. |
| Confidentiality (impact) | High. |
| Integrity (impact) | High. |
| Report Confidence | Confirmed. |
| Publicly disclosed | No. |
| Remediation Level | Official Fix. |
The official fix is a Windows Recovery Environment update. Unfortunately it fails to install on some machines. Reasons include too small a recovery partition, something with a semi-official remedy. But there are others, like a missing Winre.wim, and then there are several versions of that, including one updated December 2023. Update: did not yet try that later near-official remedy.
Questions
Are machines where WinRE is disabled (e.g. by reagentc /disable) vulnerable?
If yes, are machines where furthermore the recovery partition is deleted and its space reclaimed vulnerable?