
A zero-day exploit circulating online allows anyone with physical access to a Windows 11 system to bypass default BitLocker protections and gain full access to an encrypted drive within seconds.
The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments.
When one disk volume manipulates another
The core of the YellowKey exploit is a customized FsTx folder. Online documentation of this folder is hard to find. As explained later, the directory associated with the file fstx.dll appears to involve what Microsoft calls Transactional NTFS, which allows developers to have "transactional atomicity" for file operations in transactions involving a single file, multiple files, or ones that span multiple resources.
The steps for carrying out the bypass are simple:
- Copy the custom FsTx folder from the Nightmare-Eclipse exploit page to an NTFS- or FAT-formatted USB drive
- Connect the USB drive to the BitLocker-protected machine
- Boot up the machine and immediately press and hold down the [Ctrl] key
- Enter Windows Recovery
There are at least two ways to accomplish the last step, entering Windows Recovery. One is to boot into Windows, hold down the [Shift] key, click the power icon, and click Restart. Another is to power on the machine and restart it as soon as Windows starts booting.
In either case, a command prompt (CMD.EXE) appears. The prompt has full access to all of the drive contents, allowing an attacker to copy, modify, or delete them. In a normal Windows Recovery flow, the attacker would need to enter a BitLocker recovery key. Somehow, the YellowKey exploit bypasses this safeguard. Several researchers, including Kevin Beaumont and Will Dormann, have confirmed that the exploit works as described here.
It's unclear what in the custom FsTx folder causes the bypass. Dormann said that it appears to be related to Transactional NTFS, which itself uses the Common Log File System (CLFS) under the hood. Dormann further noted that by looking at the Windows fstx.dll, one will see code that explicitly looks for System Volume Information\FsTx in the FsTxFindSessions() function.
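The procedure above depends on two things a defender can inspect: the BitLocker configuration of the target (the article says the bypass works against the default Windows 11 deployment, which unlocks the OS volume with the TPM alone) and an FsTx directory supplied on an attached volume (the System Volume Information\FsTx path Dormann describes fstx.dll looking for). The PowerShell below is an added audit example, not code from the article, from Nightmare-Eclipse, or from Microsoft. It assumes the Windows 11 BitLocker module (Get-BitLockerVolume) is available and that it runs elevated; the protector-type classification and the interpretation of "default" as TPM-only are this example's assumptions, not statements from the article.

```powershell
# Added audit script (not from the article, Nightmare-Eclipse, or Microsoft).
# Check 1: which key-protector types guard each BitLocker volume, flagging the
#          TPM-only configuration that unlocks the OS volume with no pre-boot
#          secret (assumed here to be what the article calls "default").
# Check 2: whether any attached volume carries a "System Volume Information\FsTx"
#          directory, the path the article says fstx.dll's FsTxFindSessions()
#          looks for and that the exploit's USB drive supplies.
# Assumptions: BitLocker PowerShell module present; script runs elevated.
# Caveat: "System Volume Information" is normally readable only by SYSTEM, so
# Test-Path can return $false on access denied; run as SYSTEM (for example from
# a scheduled task) for a definitive answer.

#Requires -RunAsAdministrator

function Get-BitLockerProtectorSummary {
    # One object per BitLocker-capable volume: protector types plus a flag for
    # "unlocks with the TPM alone" (no PIN, startup key, or password required).
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # Protector types that demand something from the user before unlock.
        # Tpm alone and RecoveryPassword do not (assumed classification).
        $preBoot = @($types | Where-Object {
            $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password', 'ExternalKey'
        })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnlyUnlock    = (($types -contains 'Tpm') -and ($preBoot.Count -eq 0))
        }
    }
}

function Find-FsTxDirectories {
    # Every lettered volume, fixed or removable, NTFS or FAT (the article says
    # either filesystem works for the exploit's USB drive), checked for the
    # FsTx directory under System Volume Information.
    Get-Volume | Where-Object { "$($_.DriveLetter)" -match '^[A-Za-z]$' } | ForEach-Object {
        $path = "$($_.DriveLetter):\System Volume Information\FsTx"
        $present = Test-Path -LiteralPath $path -PathType Container -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive      = $_.DriveLetter
            DriveType  = $_.DriveType
            FileSystem = $_.FileSystem
            FsTxPath   = $path
            FsTxFound  = [bool]$present
        }
    }
}

$summary = Get-BitLockerProtectorSummary
$summary | Format-Table -AutoSize
foreach ($v in ($summary | Where-Object TpmOnlyUnlock)) {
    Write-Warning "$($v.MountPoint) unlocks with the TPM alone (the default configuration the article says YellowKey bypasses)."
}

$fstx = Find-FsTxDirectories
$fstx | Format-Table -AutoSize
foreach ($hit in ($fstx | Where-Object FsTxFound)) {
    Write-Warning "FsTx directory present at $($hit.FsTxPath) on $($hit.DriveType) drive $($hit.Drive):"
}
```

A positive FsTxFound on a removable drive is worth treating as an indicator and imaging the drive before removing it; the article does not say which files inside the folder matter, so the script only reports the directory's presence. The TpmOnlyUnlock flag is informational: the article confirms the bypass against the default configuration and says nothing about other protector combinations, so it should be read as "matches the tested configuration," not as a statement about what would or would not resist the exploit.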