Exploiting this vulnerability allows untrusted code execution during system boot and, with it, the installation of malicious UEFI bootkits. Thanks to ESET's intervention, the problem was resolved with Microsoft's update of January 14, 2025.
Researchers at ESET, a global European leader in the cybersecurity market, have discovered a vulnerability that affects the majority of UEFI-based systems and allows UEFI Secure Boot to be bypassed. The bug, tracked as CVE-2024-7344, was found in a UEFI application signed with Microsoft's third-party certificate “Microsoft Corporation UEFI CA 2011”. Exploiting it leads to the execution of untrusted code during system startup, allowing attackers to easily install malicious UEFI bootkits (such as Bootkitty or BlackLotus) even on systems with UEFI Secure Boot enabled, regardless of the operating system installed.
ESET reported the discovery to the CERT Coordination Center (CERT/CC) in June 2024, which coordinated with the affected vendors. The problem has since been fixed in the affected products, and Microsoft revoked the vulnerable executables in its January 14, 2025 update.
The affected UEFI application is part of several real-time system recovery suites developed by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc. and Signal Computer GmbH.
“The number of UEFI vulnerabilities discovered in recent years and the difficulties in patching them or revoking executables in a reasonable time shows that even an essential function like UEFI Secure Boot should not be considered an impenetrable barrier,” says Martin Smolár, the ESET researcher who discovered the vulnerability. “However, what concerns us most about this vulnerability is not the time it took to patch and revoke it, which was relatively short compared to similar cases, but the fact that this is not the first time a signed but clearly insecure UEFI executable has been discovered. This raises questions about how widespread these techniques are among third-party UEFI software vendors and how many other similar, albeit obscure, but signed bootloaders might exist.”
Exploitation of this bug is not limited to systems that have the vulnerable recovery software installed: attackers can bring their own copy of the vulnerable, signed binary to any UEFI system on which Microsoft's third-party certificate is trusted. Exploitation does, however, require elevated privileges in order to place the vulnerable and malicious files on the system's EFI partition (local administrator on Windows, root on Linux). The vulnerability stems from the application's use of a custom PE loader instead of the standard, secure UEFI LoadImage and StartImage functions: those functions verify an image against the Secure Boot databases before it runs, and a custom loader skips that check entirely. All UEFI systems with third-party signing enabled are affected (Secured-core PCs running Windows 11 should have this option disabled by default).
The vulnerability is mitigated by applying Microsoft's latest UEFI revocations (DBX updates). Windows systems should receive them automatically through Windows Update. Microsoft has published an advisory for CVE-2024-7344. Linux systems should receive the update through the Linux Vendor Firmware Service (LVFS).
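Two things a practitioner will want to verify after reading the above: whether the third-party “Microsoft Corporation UEFI CA 2011” is actually trusted on a machine (i.e. present in the Secure Boot `db`), and whether a given revoked binary's hash has landed in `dbx`. Both databases are stored as concatenated EFI_SIGNATURE_LIST structures, so the parser below answers both questions. This is an added example and not code from ESET or Microsoft; the sample `db`/`dbx` blobs and the hash `SAMPLE_HASH` are constructed for illustration and are not the real CVE-2024-7344 revocation entries, which should be taken from Microsoft's advisory.

```python
"""Parse UEFI Secure Boot signature databases (db / dbx) and check:
  * is the third-party "Microsoft Corporation UEFI CA 2011" trusted (in db)?
  * has a given PE SHA-256 hash been revoked (in dbx)?

Added example, not ESET's or Microsoft's code. Sample data is constructed."""
import struct
import uuid

# SignatureType GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID of the db/dbx variables (EFI_IMAGE_SECURITY_DATABASE_GUID).
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3e-4596-a3bc-dad00e67656f"
THIRD_PARTY_CA_NAME = b"Microsoft Corporation UEFI CA 2011"


def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    blob made of back-to-back EFI_SIGNATURE_LIST structures:
      EFI_GUID SignatureType; UINT32 SignatureListSize;
      UINT32 SignatureHeaderSize; UINT32 SignatureSize;
      UINT8 SignatureHeader[...]; EFI_SIGNATURE_DATA Signatures[...];
    where each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the data."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(dbx_blob):
    """All SHA-256 image hashes present in dbx, as lowercase hex strings."""
    return {data.hex() for t, _, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def hash_is_revoked(dbx_blob, pe_sha256_hex):
    return pe_sha256_hex.lower() in revoked_sha256_hashes(dbx_blob)


def third_party_ca_trusted(db_blob):
    """True if an X.509 entry in db contains the third-party CA's name. This is
    the same substring test as Microsoft's PowerShell check; DER certificates
    carry the subject CN as plain ASCII bytes."""
    return any(t == EFI_CERT_X509_GUID and THIRD_PARTY_CA_NAME in data
               for t, _, data in parse_signature_lists(db_blob))


def read_efivar_linux(name):
    """Read db or dbx through efivarfs. The first 4 bytes of an efivarfs file
    are the variable attributes, not part of the signature database."""
    path = "/sys/firmware/efi/efivars/%s-%s" % (name, EFI_IMAGE_SECURITY_DATABASE_GUID)
    with open(path, "rb") as f:
        return f.read()[4:]


# ---- constructed sample data (not real db/dbx contents) --------------------
def build_signature_list(sig_type, entries):
    """Build one EFI_SIGNATURE_LIST (no header bytes); all entries must have
    the same length, as the structure requires a single SignatureSize."""
    owner = uuid.UUID(int=0).bytes_le          # nil owner GUID, fine for tests
    sig_size = 16 + len(entries[0])
    body = b"".join(owner + e for e in entries)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


SAMPLE_HASH = "11" * 32   # hypothetical PE Authenticode SHA-256, not a real one
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID,
                                  [bytes.fromhex(SAMPLE_HASH), bytes.fromhex("22" * 32)])
# Stand-in for a DER certificate: only the embedded name matters for the check.
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID,
                                 [b"\x30\x82" + THIRD_PARTY_CA_NAME])

if __name__ == "__main__":
    print("sample: third-party CA trusted:", third_party_ca_trusted(SAMPLE_DB))
    print("sample: %s revoked: %s" % (SAMPLE_HASH[:16], hash_is_revoked(SAMPLE_DBX, SAMPLE_HASH)))
    try:   # live check on a Linux box booted with UEFI (needs read access to efivarfs)
        db, dbx = read_efivar_linux("db"), read_efivar_linux("dbx")
        print("live: third-party CA trusted:", third_party_ca_trusted(db))
        print("live: %d SHA-256 hashes revoked in dbx" % len(revoked_sha256_hashes(dbx)))
    except OSError as e:
        print("live check skipped:", e)
```

On Windows the same structures come back from `(Get-SecureBootUEFI -Name dbx).Bytes` and `(Get-SecureBootUEFI -Name db).Bytes`, without the 4-byte efivarfs attribute prefix, so the parser applies unchanged to bytes dumped from there. A machine on which `third_party_ca_trusted(db)` is false is not exposed to an attacker-supplied copy of the vulnerable binary; one on which it is true should show the hashes from Microsoft's advisory in `dbx` once the January update has been applied.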
For a more detailed analysis and technical explanation of the UEFI vulnerability, see the latest ESET Research blog post, “Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344”, on WeLiveSecurity.com, and follow ESET Research on Twitter (now X) for the latest news from ESET Research.