ESET details UEFI Secure Boot bypass vulnerability
ESET researchers last year discovered an unsigned binary in a third-party UEFI application that could have been abused to bypass the Secure Boot process.
ESET discovered a new bootloader vulnerability that the antimalware vendor said speaks to a larger issue regarding Unified Extensible Firmware Interfaces security practices.
ESET published a blog post on Thursday titled "Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344," detailing a vulnerability that was first disclosed on Patch Tuesday this week. ESET researchers found the flaw in a UEFI application signed by Microsoft's third-party certificate and used by Howyar Technologies Inc. Exploitation could allow an attacker to deploy malicious UEFI bootkits "even on systems with UEFI Secure Boot enabled," ESET said.
ESET reported the vulnerability to the CERT Coordination Center in June and coordinated with affected vendors then rolled out a fix with Microsoft during January Patch Tuesday. CVE-2024-7344 affects recovery software suites developed by several vendors including Howyar Technologies Inc., Greenware Technologies and Radix Technologies Ltd.
ESET researchers warned that CVE-2024-7344 affects most UEFI-based systems and all UEFI systems with Microsoft third-party UEFI signing enabled. They initially discovered the vulnerability while examining Howyar's SysReturn software package last year. Analysis revealed the software contained an unsigned binary in a UEFI application called reloader.efi. Additionally, researchers found that the vulnerable bootloader did not perform any Secure Boot-related integrity checks.
"Exploitation of this vulnerability is not limited to systems with the affected recovery software installed, as attackers can bring their own copy of the vulnerable reloader.efi binary to any UEFI system with the Microsoft third-party UEFI certificate enrolled. Also, elevated privileges are required to deploy the vulnerable and malicious files to the EFI system partition (local administrator on Windows; root on Linux)," ESET wrote in the blog post.
While the UEFI Secure Boot bypass vulnerability was addressed, ESET researchers warned that it indicates a broader problem across the threat landscape. For example, Eclypsium researchers reported similar issues during a DEF CON 30 presentation in 2022 that discussed three vulnerabilities in third-party bootloaders, which could be used to bypass the Secure Boot process.
ESET anticipates bootloader security could become an increasing problem.
"The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window shows that even such an essential feature as UEFI Secure Boot should not be considered an impenetrable barrier," the blog post said. "However, what concerns us the most in the case of the vulnerability reported in this blogpost is not the time it took to fix and revoke the binary, which was quite good compared to similar cases, but the fact that this isn't the first time that such an obviously unsafe signed UEFI binary has been discovered."
ESET referenced Eclypsium's research and said such vulnerabilities raise questions about the security of third-party UEFI software vendors and how many vulnerable signed bootloaders may exist.
The researchers said CVE-2024-7344 can be mitigated by applying the latest UEFI revocations from Microsoft and that Windows systems should be updated automatically.
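The revocations mentioned above land in the UEFI dbx variable, which is a concatenation of EFI_SIGNATURE_LIST structures. The following added example (not ESET's or Microsoft's code) parses that format and checks whether a binary's SHA-256 hash appears in a dbx blob, so an administrator can confirm a revocation is present on a machine. The dbx data and binaries below are constructed samples; note that real dbx entries for PE files hold the Authenticode image hash, whereas this example hashes raw bytes for clarity.

```python
import hashlib
import struct
import uuid

# Signature list type for raw SHA-256 hashes, per the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_SIGNATURE_LIST_HDR = 28  # SignatureType(16) + 3 x UINT32


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for each entry in a db/dbx blob."""
    off = 0
    while off + EFI_SIGNATURE_LIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < EFI_SIGNATURE_LIST_HDR or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + EFI_SIGNATURE_LIST_HDR + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(dbx_blob: bytes) -> set:
    """All SHA-256 digests carried by EFI_CERT_SHA256 lists in the blob."""
    return {d for t, _, d in parse_signature_lists(dbx_blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(binary: bytes, dbx_blob: bytes) -> bool:
    # Raw-file hash used here; production checks would compute the Authenticode hash.
    return hashlib.sha256(binary).digest() in revoked_sha256_hashes(dbx_blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct sample dbx data)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", EFI_SIGNATURE_LIST_HDR + len(body), 0, 16 + 32)
    return header + body


# Constructed samples: a "revoked" bootloader image and an unrelated one.
REVOKED_BIN = b"MZ-constructed-vulnerable-bootloader"
CLEAN_BIN = b"MZ-constructed-other-bootloader"
SAMPLE_DBX = build_sha256_list([hashlib.sha256(REVOKED_BIN).digest()])
```

On Linux the live variable is /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f (skip its first 4 attribute bytes before parsing); on Windows, `Get-SecureBootUEFI -Name dbx` returns the same bytes.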
Call for transparency
While reloader.efi contained a hidden, unsigned binary, the UEFI application itself was signed with a Microsoft certificate. The blog post highlighted two Microsoft UEFI certificates that typically indicate a trusted device: Microsoft Windows Production PCA 2011 and Microsoft Corporation UEFI CA 2011. ESET researchers said that the former, which is used to sign third-party UEFI applications like reloader.efi, should be revoked and replaced with the Windows UEFI CA 2023 certificate by Microsoft soon.
ESET researchers said they are optimistic about Microsoft's rollout for the new UEFI certificates in hopes that it will increase transparency around UEFI security problems. However, ESET said there's more to be done.
"We reached out to Microsoft about the situation, hoping it could bring more transparency into what third-party UEFI applications they sign, so that anyone can quickly discover and report such obviously unsafe UEFI applications if they mistakenly pass (or passed a long time ago) Microsoft's UEFI third-party code-signing review," the blog post said.
Martin Smolár, malware researcher at ESET, expanded on the response his company received from Microsoft regarding increased transparency and UEFI security.
"They told us that this is a topic that they plan to discuss further in the new year for further consideration," he told Informa TechTarget.
Smolár called for the cybersecurity community, technology companies and journalists to raise awareness about the importance of UEFI security and the effect UEFI threats can have on systems. He stressed that it's important for all parties involved in the UEFI firmware supply chain to remain motivated to improve the level of security in their products.
"Developers involved in UEFI development should follow the best practices and create their own products with security in mind. More transparency should be brought into what UEFI binaries are being signed by OEMs [original equipment manufacturers] and Microsoft, and their review processes should be improved every time a new problem is discovered in such binaries," Smolár said.
Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.