
A zero-day exploit circulating online permits people with physical access to a Windows 11 system to bypass default BitLocker protections and gain full access to an encrypted drive within seconds.
The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments.
When one disk volume manipulates another
The core of the YellowKey exploit is a custom FsTx folder. Online documentation of this folder is hard to find. As explained later, the directory associated with the file fstx.dll appears to involve what Microsoft calls Transactional NTFS, which allows developers to have "transactional atomicity" for file operations in transactions involving a single file, multiple files, or ones that span multiple resources.
The steps for carrying out the bypass are simple:
- Copy the custom FsTx folder from the Nightmare-Eclipse exploit page to an NTFS- or FAT-formatted USB drive
- Connect the USB drive to the BitLocker-protected system
- Boot up the system and immediately press and hold down the [Ctrl] key
- Enter Windows recovery
There are at least two ways to accomplish the third step. One is to boot into Windows, hold down the [Shift] key, click on the power icon, and click restart. Another is to power on the system and restart it as soon as Windows starts booting.
In either case, a command (CMD.EXE) prompt appears. The prompt has full access to the entire drive contents, allowing an attacker to copy, modify, or delete them. In a normal Windows Recovery flow, the attacker would need to enter a BitLocker recovery key. Somehow, the YellowKey exploit bypasses this safeguard. Several researchers, including Kevin Beaumont and Will Dormann, have confirmed the exploit works as described here.
It's unclear what in the custom FsTx folder causes the bypass. Dormann said that it appears to be related to Transactional NTFS, which itself uses the Common Log File System under the hood. Dormann further noted that by looking at the Windows fstx.dll, one will see code that explicitly looks for "System Volume Information\FsTx" in the FsTxFindSessions() function.