Windows vulnerabilities: BitLocker problem and privilege escalation
The IT researcher behind the "NightmareEclipse" project shows new vulnerabilities: "YellowKey" in BitLocker and privilege escalation with "MiniPlasma".
(Image: heise online / dmk)
The IT security researcher, who had already demonstrated the vulnerabilities “RedSun”, “UnDefend” and “BlueHammer”, is following up with further disclosures of security vulnerabilities in Windows. “NightmareEclipse” (GitHub) or “Chaotic Eclipse” (Blogspot) has discovered “YellowKey”, a severe security vulnerability in Windows' BitLocker drive encryption. Additionally, he has discovered another privilege escalation vulnerability “MiniPlasma” in a Windows driver.
Microsoft had already attempted in 2020 to patch a privilege escalation vulnerability in the “Windows Cloud Files Mini Filter” driver (CVE-2020-17103, CVSS 7.0, risk “high”). It is unclear whether the patch was later withdrawn or whether Microsoft never distributed it. In any case, the vulnerability, which Google's Project Zero reported at the time, is still exploitable. The proof-of-concept exploit (PoC) on GitHub is intended to demonstrate how attackers can gain SYSTEM privileges with it, and Google's old PoC reportedly still works as well.
Unlock BitLocker arbitrarily with local access
The “YellowKey” vulnerability in BitLocker is more serious. As with the recently disclosed attack based on BitUnlocker, local access is required, but a simple USB stick is sufficient. Attackers copy the folder “\System Volume Information\FsTx” to it; the stick's file system must be one Windows supports, such as FAT, FAT32, exFAT or NTFS. The stick is then inserted into a computer with BitLocker enabled. Holding down the Shift key during startup forces the system to boot into the Windows Recovery Environment. There, attackers click Restart and hold down the Ctrl key instead of the Shift key. This starts a shell with unrestricted access to the drive that BitLocker is supposed to protect. This is said to work on Windows 11 and on Server 2022 and 2025; the Windows Recovery Environment of Windows 10 is not affected. What helps against BitUnlocker-derived attacks, namely a configuration that requires PIN entry before decryption in addition to TPM protection, is apparently ineffective here, *Eclipse writes in a blog post.
IT security expert Will Dormann has tested the exploit and reports his findings on Mastodon. According to him, pressing and holding Ctrl is not necessary to obtain the shell with access to the BitLocker-protected drive. The exact mechanism is still unclear, but it appears that the contents of other drives can be unlocked using the “\System Volume Information\FsTx” folder of a drive (which belongs to Transactional NTFS). However, a user replying to Dormann's post reports that the C drive was unlocked for him, but the D drive was not.
In the blog entry, *Eclipse also writes that Microsoft has apparently silently fixed one of the reported vulnerabilities. The “RedSun” vulnerability from mid-April grants attackers admin rights. It appears to have been fixed with the updates of last week's Patchday, without, for instance, a CVE entry for the vulnerability.
(dmk)