The IT security researcher who had already demonstrated the vulnerabilities “RedSun”, “UnDefend” and “BlueHammer” is following up with further disclosures of security vulnerabilities in Windows. “NightmareEclipse” (GitHub) or “Chaotic Eclipse” (Blogspot) has discovered “YellowKey”, a severe security vulnerability in Windows' BitLocker drive encryption. Additionally, he has discovered another privilege escalation vulnerability, “MiniPlasma”, in a Windows driver.

In the “Windows Cloud Files Mini Filter”, Microsoft had already attempted in 2020 to patch a privilege escalation vulnerability (CVE-2020-17103, CVSS 7.0, risk “high”). It is unclear whether the patch was later withdrawn or whether Microsoft simply never distributed it. In any case, the vulnerability – which Google's Project Zero reported at the time – is still exploitable. The proof-of-concept exploit (PoC) on GitHub is intended to demonstrate how attackers can gain SYSTEM privileges with it; Google's old PoC also reportedly still works.

Unlock BitLocker arbitrarily with local access

The “YellowKey” vulnerability in BitLocker is more troubling. As with the recently disclosed attack based on BitUnlocker, local access is required. However, a simple USB stick is sufficient for this. Attackers copy the folder “\System Volume Information\FsTx” to it. The file system must be one Windows can read, such as FAT, FAT32, exFAT, or NTFS. This stick is then inserted into a computer with BitLocker enabled. Holding down the Shift key during startup boots the system into the Windows Recovery Environment. There, attackers click Restart and, instead of the Shift key, hold down the Ctrl key. This starts a shell with unrestricted access to the drive that BitLocker is supposed to protect. This is said to work on Windows 11 and on Server 2022 and 2025; the Windows Recovery Environment of Windows 10 is not affected. The mitigation that helps against BitUnlocker-derived attacks – a configuration that requires PIN entry before decryption in addition to TPM protection – is apparently ineffective here, writes Chaotic Eclipse in a blog post.