Two unpatched vulnerabilities affecting Windows BitLocker have been publicly disclosed. Referred to as YellowKey and GreenPlasma, they are zero-days in the sense that no fix exists yet: one bypasses BitLocker full-volume encryption on the system drive, the other escalates privileges locally.
YellowKey Bypass Unveiled
YellowKey is the more concerning of the two: it lets an attacker with physical access bypass BitLocker and read a protected system drive. It affects Windows 11 and Windows Server 2022 and 2025. The attack goes through the Windows Recovery Environment (WinRE) and reportedly takes only minutes.
One variant uses a USB device carrying a specially named FsTx folder. Another does not need to boot from USB at all: the attacker removes the drive, mounts it on a machine they control, edits the EFI system partition (which BitLocker never encrypts), and puts the drive back. Either way the machine is then rebooted into recovery mode, where WinRE components hand the attacker a shell with access to the encrypted volume. The mitigations below hinge on one property of the default configuration: a TPM-only protector releases the volume key during boot with no user interaction, so nothing stops the boot chain from unlocking the drive for whatever runs next.
GreenPlasma Exploit Details
GreenPlasma is a local privilege escalation. It abuses the CTF input service (ctfmon.exe, the loader for the Text Services Framework) to create arbitrary memory sections, which an attacker already running code as an ordinary user turns into elevated privileges. The current proof of concept is not stealthy and reportedly needs further work before it can run silently, but the underlying flaw is unpatched.
It affects the same systems as YellowKey, Windows 11 and Windows Server 2022/2025. On its own it requires code execution on the host; chained with any initial access vector it gives the attacker elevated privileges and a foothold for persistence.
Implications and Recommendations
Microsoft has not yet released a patch for either flaw. Until it does, the recommended interim measures are to require a BitLocker pre-boot PIN (TPM+PIN rather than TPM-only) on the operating system drive, and to set a firmware (BIOS/UEFI) administrator password so the boot order cannot simply be switched to a USB device. There are claims that a determined attacker can get around these measures too, but they raise the cost of the attack considerably and are the best available stopgap.
Organisations should also tighten physical access to devices and restrict who can change WinRE (for example, who can run reagentc or write to the recovery partition) until a Microsoft fix is available.
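The following PowerShell is an added example written for this page, not code from the article or from the researchers who reported YellowKey and GreenPlasma. It audits whether the OS volume actually requires anything at boot, moves a TPM-only volume to TPM+PIN (keeping a recovery password within reach first), and reads the WinRE state. Assumptions to check in your environment: the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE mirror the "Require additional authentication at startup" policy (0 = do not allow, 1 = require, 2 = allow), the `Test-PreBootAuthentication`, `Enable-TpmPinProtector` and `Get-WinReState` function names are mine, and the parse of `reagentc /info` relies on its English "Windows RE status:" line.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on Windows 11 / Windows Server 2022+ with the BitLocker feature present.

# Registry keys written by the Group Policy "Require additional authentication at
# startup" (assumption: 0 = do not allow, 1 = require, 2 = allow).
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-PreBootAuthentication {
    # $true only if the OS volume has a protector that needs user input at boot.
    # A plain 'Tpm' protector unlocks silently, which is what the WinRE path abuses.
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector.KeyProtectorType
    return [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'Password' })
}

function Enable-TpmPinProtector {
    # Replace a TPM-only protector with TPM+PIN. Refuses to run unless protection is on.
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') { throw "BitLocker protection is not on for $MountPoint" }

    # Never touch TPM protectors without a recovery password you can reach afterwards.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        $vol      = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    Write-Host "Recovery password for $MountPoint (store it offline before continuing):"
    Write-Host "  $($recovery[0].RecoveryPassword)"

    # Allow TPM+PIN by local policy; otherwise the TpmAndPin protector is refused.
    # These values mirror the policy's "Enabled" defaults (assumption, see lead-in).
    New-Item -Path $FvePolicy -Force | Out-Null
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $FvePolicy -Name $name -Value 2 -Type DWord
    }
    Set-ItemProperty -Path $FvePolicy -Name UseAdvancedStartup -Value 1 -Type DWord

    $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'

    # Drop the silent TPM-only protector, then add TPM+PIN. If the add fails, put the
    # TPM protector back rather than leaving the volume on recovery password alone.
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    try {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin -ErrorAction Stop | Out-Null
    } catch {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        throw
    }
    return (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

function Get-WinReState {
    # reagentc.exe has no cmdlet equivalent; read its "Windows RE status:" line.
    # 'reagentc /disable' removes WinRE from the boot chain, at the cost of
    # Reset this PC and the other recovery tools, so treat that as a last resort.
    $info  = & reagentc.exe /info
    $match = $info | Select-String 'Windows RE status:\s*(\w+)' | Select-Object -First 1
    $state = if ($match) { $match.Matches[0].Groups[1].Value } else { 'Unknown' }
    return [pscustomobject]@{ Status = $state; Raw = ($info -join "`n") }
}

# Usage: warn and fix if the system drive relies on silent TPM unlock.
if (-not (Test-PreBootAuthentication)) {
    Write-Warning "$env:SystemDrive relies on TPM-only unlock: no user interaction at boot."
    Enable-TpmPinProtector
}
(Get-WinReState).Status
```

Before rolling this out, escrow the recovery password centrally (`Backup-BitLockerKeyProtector` for AD DS, `BackupToAAD-BitLockerKeyProtector` for Entra ID) rather than relying on the console output, and verify on one machine that the PIN prompt appears at the next boot before pushing the change fleet-wide.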
