
A workaround for BitLocker could provide assistance to CrowdStrike clients


Some CrowdStrike customers encountered an unexpected roadblock during their recovery process this week due to BitLocker encryption, following a defective update from CrowdStrike that triggered mass IT outages.

In the aftermath of the IT outage caused by a faulty CrowdStrike update, organizations were left scrambling to restore their Windows systems through a manual process that involved restarting machines in safe mode to remove the problematic file. However, some organizations faced complications due to BitLocker, Microsoft's full-volume encryption feature, which protects the contents of the system drive.

A BitLocker-protected system volume normally unlocks without user interaction, because the TPM releases the key only when the machine boots along its measured, unmodified path. Booting into the recovery environment to open a command prompt on the drive falls outside that path, so Windows instead asks for the recovery key. Some organizations could not retrieve those keys during the mass IT outage, typically because they had never been escrowed to Active Directory, Entra ID or another central store.

Fortunately, a potential workaround for the BitLocker key prompt started circulating on social media platforms. On July 20, CrowdStrike released guidance outlining a similar recovery process to the workaround shared on social media. The guidance provided instructions on accessing the disk in Windows Recovery mode to delete the problematic file when BitLocker recovery keys were unavailable.

The suggested workaround involved restarting the system repeatedly and letting it fail through the blue screen of death until Windows offered the recovery screen, then choosing Troubleshoot, Advanced Options and finally Command Prompt. From that prompt, users edit the boot configuration to force the next start into safe mode. This step needs no BitLocker key because the boot configuration data lives on the unencrypted EFI system partition, not on the encrypted volume. On the following reboot the TPM unlocks the drive as usual, the user logs in to safe mode with normal credentials, deletes the defective file, and clears the safe-mode flag.

Reports from infosec professionals who tested the workaround indicated that the recovery method was successful. Independent researcher Pascal Gujer confirmed that the workaround worked without issues when tested on a virtual machine.

The guidance from CrowdStrike noted that the workaround may require changing the system's storage controller mode from RAID to AHCI in firmware setup, as Windows safe mode lacks the drivers needed to see the disk behind some RAID configurations. The workaround also depends on the drive having a TPM-based key protector: safe mode still has to unlock the volume automatically, and without a TPM the system would prompt for a password, startup key or recovery key just as the recovery environment did.

Gujer clarified that the workaround does not exploit a vulnerability in BitLocker or serve as a bypass for encryption. Instead, it allows users to skip the BitLocker key prompts and enter safe mode without decrypting the drive unnecessarily. The security of BitLocker remains intact during this process, as safe mode still requires user credentials for login.

For systems using TPM with a PIN for additional authentication, users must input the PIN to boot Windows in safe mode.
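The two-phase procedure described above, written out as an added walk-through in the shells it is actually typed into; this is the editor's example, not CrowdStrike's own script. It assumes the OS volume is C:, that it carries a TPM or TPM+PIN protector, and that the file to remove matches the pattern from CrowdStrike's published remediation guidance (the pattern comes from that guidance, not from this article; adjust `$Pattern` if your environment differs). Phase 1 is a single `bcdedit` line typed at the WinRE command prompt; phase 2 is a PowerShell script run from an elevated prompt after logging in to safe mode.

```powershell
# Added example (editor's, not CrowdStrike's): BitLocker-safe recovery in two phases.
# Assumptions: OS volume is C:, protected by a Tpm* key protector; $Pattern is
# taken from CrowdStrike's remediation guidance, not from this article.

# ---- Phase 1: WinRE "Command Prompt" (cmd.exe); no BitLocker key needed ------
# The BCD store sits on the unencrypted EFI system partition, so bcdedit can mark
# the next boot as Safe Mode without unlocking the encrypted OS volume. Type:
#
#   bcdedit /set {default} safeboot minimal
#   wpeutil reboot
#
# If Safe Mode then cannot see the disk, switch the SATA/NVMe controller from
# RAID to AHCI in firmware setup and try again.

# ---- Phase 2: elevated PowerShell after logging in to Safe Mode ----------------
$Pattern = 'C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys'

# Refuse to run outside Safe Mode. The kernel sets SAFEBOOT_OPTION to "Minimal"
# (or "Network") only when the safeboot flag was honoured at boot.
if ($env:SAFEBOOT_OPTION -notin @('Minimal', 'Network')) {
    throw "Not in Safe Mode (SAFEBOOT_OPTION='$($env:SAFEBOOT_OPTION)'); aborting."
}

# Confirm the drive stayed encrypted and was unlocked by a TPM protector rather
# than by a typed recovery key. The BitLocker service may not be running in
# Safe Mode, so treat a failure here as a warning, not a stop.
try {
    $vol = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        Write-Warning "C: is $($vol.VolumeStatus); expected FullyEncrypted."
    }
    if (-not ($types | Where-Object { $_ -like 'Tpm*' })) {
        Write-Warning "C: protectors: $($types -join ', '); this path relies on a TPM protector."
    }
} catch {
    Write-Warning "Could not query BitLocker status in Safe Mode: $($_.Exception.Message)"
}

# Remove the defective file(s). Add -WhatIf to Remove-Item for a dry run.
$hits = @(Get-ChildItem -Path $Pattern -File -ErrorAction SilentlyContinue)
if ($hits.Count -eq 0) {
    Write-Host "No file matching $Pattern; nothing to delete."
} else {
    foreach ($f in $hits) {
        Write-Host "Deleting $($f.FullName)"
        Remove-Item -LiteralPath $f.FullName -Force
    }
}

# Clear the safeboot flag so the next start is a normal boot, then restart.
# Braces must be quoted in PowerShell or it parses {default} as a script block.
bcdedit /deletevalue '{default}' safeboot | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "bcdedit failed to clear safeboot; fix this before rebooting or you will loop in Safe Mode."
}
Restart-Computer -Force
```

On a TPM+PIN system the PIN prompt still appears at the start of the safe-mode boot, exactly as the article notes; the script only runs once you are logged in. The volume is never decrypted: `VolumeStatus` stays `FullyEncrypted` throughout, which is the check to keep if you trim the script for a runbook.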

Looking ahead, Gujer and his colleague Joel Frie from Popp Schweiz AG will be presenting training sessions at Black Hat USA 2024 in Las Vegas on defeating Microsoft's default BitLocker implementation. The training will showcase techniques for bypassing BitLocker in TPM-only configurations, including hardware attacks that sniff the bus between the CPU and the TPM, over which the unsealed volume key travels in the clear when no PIN or startup key is configured.

While the training sessions are primarily aimed at penetration testers, red teams, and forensic examiners, they will also benefit system administrators who manage BitLocker and TPM-only deployments. The sessions will delve into how BitLocker handles its keys, where key material can be recovered from, and which configuration choices mitigate those exposures.

In conclusion, the guidance provided by CrowdStrike offers a workaround for organizations blocked by BitLocker recovery-key prompts following the recent IT outage. By following the outlined steps, users can recover their systems while the drive stays encrypted and BitLocker's protection remains in force.
