- ESET finds bug in a UEFI application allowing malicious actors to bypass UEFI Secure Boot
- The move grants criminals the ability to deploy bootkits to affected systems
- Microsoft addressed the bug in January 2025 Patch Tuesday update
An unnamed, but apparently popular, UEFI application, was signed with a vulnerable certificate, allowing threat actors to bypass UEFI Secure Boot and deploy bootkits to target endpoints.
Cybersecurity researchers at ESET discovered the bug and reported it to the CERT Coordination Center – Microsoft has issued a fix in this month’s Patch Tuesday cumulative update, which was released on January 14, 2025, but all Windows users are advised to apply the patch as soon as possible.
UEFI Secure Boot is a security feature that ensures a computer boots using only software trusted by the manufacturer, protecting against malware and unauthorized software at startup. The UEFI application in question is apparently part of “several real-time system recovery software suites,” including those built by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH.
Concerning findings
It was vulnerable to CVE-2024-7344, a bug caused by the use of a custom PE loader instead of using the standard and secure UEFI functions LoadImage and StartImage.
All UEFI systems with Microsoft third-party UEFI signing enabled were said to be affected. The bug can lead to the “execution of untrusted code during system boot, enabling potential attackers to easily deploy malicious UEFI bootkits” even on protected devices.
“The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window shows that even such an essential feature as UEFI Secure Boot should not be considered an impenetrable barrier,” says ESET researcher Martin Smolár, who discovered the vulnerability.
“However, what concerns us the most with respect to the vulnerability is not the time it took to fix and revoke the binary, which was quite good compared to similar cases, but the fact that this isn’t the first time that such an obviously unsafe signed UEFI binary has been discovered. This raises questions of how common the use of such unsafe techniques is among third-party UEFI software vendors, and how many other similar obscure, but signed, bootloaders there might be out there.”
ESET also stressed that the list of vulnerable devices extends beyond those with the affected recovery software installed, since crooks can bring their own copy of the vulnerable binary to any UEFI system with the Microsoft third-party UEFI certificate enrolled.
Leave a comment