CVE-2021-28447: 
vulnerability analysis and mitigation

Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability (CVE-2021-28447) is a security flaw discovered in the Windows loader's measured boot implementation. The vulnerability was disclosed in April 2021 and affects various versions of Windows operating systems including Windows 10, Windows Server 2016, Windows Server 2019, and Windows 8.1 (NVD).

The vulnerability exists in the Windows loader's handling of Early Launch Anti-Malware (ELAM) signatures during the measured boot process. When measuring ELAM values with data larger than 16344 bytes, the Windows loader fails to properly parse big data records. Instead of measuring the actual value data, it measures registry file internals, starting from the big data record. This implementation flaw allows for potential manipulation of ELAM signatures without affecting their measurements (BI.ZONE). The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability could allow an attacker with administrator privileges to corrupt, downgrade, or delete ELAM signatures without affecting the measured boot process. This could potentially bypass security features designed to protect the system during the boot process (BI.ZONE).

Microsoft has addressed this vulnerability by implementing support for the big data record case in the Windows loader. The fix was released as part of Microsoft's security updates (MSRC).