A concerning zero-day exploit, dubbed YellowKey, has emerged that allows anyone with physical access to a Windows 11 system to bypass BitLocker’s default protections. The exploit yields complete access to an encrypted drive within seconds, undermining the data-protection measures Microsoft put in place.
Understanding the YellowKey Exploit
Unveiled this week by the researcher known as Nightmare-Eclipse, the YellowKey exploit targets default Windows 11 deployments of BitLocker—Microsoft’s full-volume encryption solution designed to safeguard disk contents against unauthorized access. BitLocker is crucial for many organizations, particularly those that work closely with governmental entities, making this vulnerability especially alarming.
How the Exploit Works
The YellowKey exploit is built around a custom-made FsTx folder. Information about this folder is scarce, as conventional documentation does not cover its use in any depth. It appears to be associated with a feature known as Transactional NTFS (TxF), which provides “transactional atomicity” for operations spanning one or more files across various sources.
Steps to Execute the Bypass
The process to exploit this vulnerability is straightforward:
- Download the custom FsTx folder from the Nightmare-Eclipse exploit page and copy it to an NTFS- or FAT-formatted USB drive.
- Connect the USB drive to the BitLocker-protected system.
- Boot the system and immediately press and hold the [Ctrl] key.
- Access Windows recovery.
There are a couple of methods to carry out the third step. One effective way is to boot into Windows, hold down the [Shift] key, click the power icon, and then select Restart. Alternatively, the device can be powered on and restarted before Windows begins loading.
Potential Consequences
Upon reaching the command prompt (CMD.EXE), the attacker gains outright control over the entire drive contents. This access allows files to be copied, altered, or even deleted without the BitLocker recovery key, circumventing a significant security barrier. Experts including Kevin Beaumont and Will Dormann have verified that the exploit works as described.
As observed by Dormann, the specifics of what triggers the bypass remain unclear. However, it appears to coincide with functionality in Transactional NTFS, which uses the Common Log File System (CLFS) internally. Notably, the Windows fstx.dll file contains code in its FsTxFindSessions() function that searches for a System Volume Information\FsTx path, hinting at the folder’s role in the exploit.
Overall, the YellowKey exploit poses serious risks to data confidentiality and integrity in environments that rely on Windows 11 and BitLocker. Ongoing research and community awareness will be pivotal in addressing this vulnerability effectively.
For further details, refer to the original source.
Image Credit: arstechnica.com