Security researcher Chaotic Eclipse has disclosed two zero-day exploits targeting Microsoft BitLocker encryption. The first vulnerability, named YellowKey, allows attackers to bypass BitLocker protection entirely. This exploit grants full access to a locked drive without requiring the encryption keys or passwords. Eclipse claims the vulnerability works even when users have configured TPM-and-PIN security measures.
Security researcher discloses zero-day bypassing encryption on Windows Server
YellowKey is triggered by copying specific files to a USB stick and rebooting the system into the Windows Recovery Environment. The exploit reportedly affects Windows Server 2022 and Windows Server 25. It does not appear to work on Windows 10. Testing by Tom's Hardware suggests that the exploit files disappear from the USB stick after a single use, which may hinder forensic analysis.

The second disclosed vulnerability is GreenPlasma, which performs a local privilege escalation. This exploit targets the CTFMon process on Windows systems. Eclipse has not published a complete proof-of-concept for GreenPlasma. Security Online and Cyderes have analyzed the claims, though the incomplete nature of the proof-of-concept leaves some details unverified.
Eclipse previously published two other zero-day exploits named BlueHammer and RedSun. Microsoft has patched BlueHammer, and Eclipse claims the company silently patched RedSun without official confirmation. No official response from Microsoft regarding YellowKey or GreenPlasma has been confirmed as of the publication date.

Eclipse stated that they could have made significant money selling these vulnerabilities but chose to disclose them publicly. The researcher cited a determination against Microsoft as the primary motivation for the disclosure. The security community continues to monitor the situation as patching efforts may vary across different Windows Server versions.



Discussion
0 comments
Log in to join the thread with a thoughtful take, question, or correction.