Researchers have discovered a flaw in three signed third-party UEFI boot loaders that allow bypassing the UEFI Secure Boot feature.
Researchers from hardware security firm Eclypsium have discovered a vulnerability in three third-party Unified Extensible Firmware Interface (UEFI) signed boot loaders that can be exploited to bypass the UEFI Secure Boot feature.
Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with unauthorized boot loaders, operating system key files, and option ROMs by validating their signatures digital. “Detections are blocked before they can attack or infect the system specification.”
According to experts, these three new bootloader vulnerabilities affect most devices released in the past 10 years, including x86-64 and ARM devices.
“These vulnerabilities could be used by an attacker to easily evade Secure Boot protections and compromise the integrity of the boot process; allowing the attacker to modify the operating system as it loads, install backdoors, and disable the operating system’s security controls. reads the post published by the experts. “Much like our previous GRUB2 BootHole searches, these new vulnerable boot loaders are signed by the third-party certificate authority Microsoft UEFI. By default, this certificate authority is trusted by virtually all mainstream Windows and Linux systems such as laptops. , desktops, servers, tablets and all-in-one systems.
Experts have pointed out that these bootloaders are signed by Microsoft’s UEFI third-party certificate authority, the good news is that the computing giant has already patched this flaw with the release of Patch Tuesday security updates. for August 2020.
The defects identified by the experts were noted as follows:
- CVE-2022-34301 – Eurosoft (UK) Ltd
- CVE-2022-34302 – New Horizon Datasys Inc.
- CVE-2022-34303 – CryptoPro Secure Disk for BitLocker
Both CVE-2022-34301 and CVE-2022-34303 are similar in how they involve signed UEFI shells, the first signed shell is esdiags.efi while for the third (CryptoPro Secure Disk), the shell is Shell_Full.efi.
Threat actors can abuse built-in capabilities such as the ability to read and write memory, list descriptors, and mapping memory, to allow the shell to evade secure boot. Experts warn that the exploitation could be easily automated using startup scripts, for this reason, it is likely that threat actors will try to exploit it in the wild.
“Exploitation of these vulnerabilities requires an attacker to have elevated privileges (Administrator on Windows or root on Linux). However, local privilege escalation is a common problem on both platforms. In particular, Microsoft does not view UAC bypass as a defensible security boundary and often fails to fix reported bypasses. So there are many mechanisms in Windows that can be used to elevate the privileges of an unprivileged user to administrator. continues the ticket.
Exploiting the New Horizon Datasys vulnerability (CVE-2022-34302) is stealthier, system owners cannot detect the exploit. The bootloader contains a built-in Secure Boot bypass that can be exploited to disable Secure Boot checks while keeping Secure Boot enabled.
“This bypass can additionally allow even more complex evasions such as disabling security managers. In this case, an attacker would not need script commands and could directly execute arbitrary unsigned code. The simplicity of exploitation makes it very likely that adversaries will attempt to exploit this particular vulnerability in the wild. continues the ticket.
Experts point out that exploiting these vulnerabilities requires an attacker to have administrator privileges, which can be obtained in a number of ways.
“Like BootHole, these vulnerabilities highlight the challenges of ensuring the boot integrity of devices that rely on a complex supply chain of vendors and code working together,” the post concludes. “These issues highlight how simple vulnerabilities in third-party code can undermine the entire process.”
Follow me on Twitter: @securityaffairs and Facebook
(Security cases – hacking, UEFI secure boot)