A recent discovery by ESET has shed light on a critical vulnerability in trusted system recovery programs that puts UEFI devices at risk. The flaw could allow attackers who already hold privileged access to inject malware directly into the system startup process, bypassing UEFI Secure Boot.
The issue stems from the use of a Microsoft-signed Extensible Firmware Interface (EFI) file called “reloader.efi” by seven real-time recovery products, including Howyar SysReturn, Greenware GreenGuard, and Radix SmartRecovery, among others. The custom loader in reloader.efi enables the execution of unsigned binaries during the boot process, creating a backdoor for attackers to infiltrate the system startup.
According to ESET’s report, the custom loader implemented in reloader.efi deviates from the standard UEFI LoadImage and StartImage functions that are used to load UEFI images into system memory. Because it sidesteps that standard path, the mechanism allows any binary to be loaded during system startup regardless of whether it is signed or trusted.
Malware researcher Martin Smolár speculates that the developers introduced the custom loader for convenience: it removes the need to have the program re-signed by Microsoft after every update. That convenience comes at a significant security cost, however, since it opens the door to exploitation by attackers.
The custom loader in reloader.efi loads binaries from an encrypted file called “cloak.dat.” ESET’s investigation revealed that cloak.dat contains an unsigned executable designed for classroom environments, aimed at facilitating real-time system recovery for students. While the intent of this software may be benign, an attacker could replace the executable with malicious code, effectively compromising the system.
UEFI vulnerabilities are particularly concerning due to the privileged access they provide to attackers. Malware injected at such a low level in the system can persist across reboots, evading detection by security programs. Additionally, UEFI malware can subvert critical security measures like UEFI Secure Boot, giving attackers a significant advantage in compromising the system.
Under UEFI Secure Boot, the UEFI Boot Manager verifies boot application binaries against lists of allowed signatures and forbidden signatures before running them. However, the process by which UEFI binaries are signed remains somewhat opaque, which raises questions about how effective the current verification mechanisms are in practice.
ESET initially discovered the vulnerability (CVE-2024-7344) in July 2024 and promptly notified the affected vendors. Subsequent updates have addressed the issue, with Microsoft revoking the old, vulnerable binaries in its January 14, 2025, Patch Tuesday update.
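One concrete way for a defender to act on the two points above (the Boot Manager checking binaries against the forbidden-signature list, and the revocation of the vulnerable binaries via dbx) is to inspect the dbx on one's own machines. The following is an added example, not code from ESET's report or from any of the affected vendors: a Python script that parses the EFI_SIGNATURE_LIST layout used by the Secure Boot db and dbx variables, reports whether a given image hash is revoked, and inventories boot files on a mounted EFI System Partition. The GUID constant is the published EFI_CERT_SHA256_GUID; the dbx contents, the revoked-image hashes and the ESP path are constructed sample data and placeholders. One caveat a practitioner should keep in mind: dbx stores the Authenticode hash of a PE image, not the flat SHA-256 of the file, so the file hashes from the ESP walk are for inventory only and cannot be compared directly against dbx.

```python
"""Check a Secure Boot forbidden-signature database (dbx) for a revoked image hash
and inventory boot files on a mounted EFI System Partition (ESP).

Added example, not code from ESET or from any of the affected vendors.
"""
import hashlib
import os
import struct
import uuid

# Published GUID marking EFI_SIGNATURE_LIST entries that hold a raw SHA-256 of a
# PE image's Authenticode hash (the entry type used to revoke specific binaries).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (little-endian UINT32 fields after the GUID).
LIST_HEADER = struct.Struct("<16sIII")
OWNER_GUID_SIZE = 16  # every signature entry starts with a SignatureOwner GUID

# Component names from ESET's report; a hit is worth a look, not proof of compromise.
SUSPECT_NAMES = {"reloader.efi", "cloak.dat"}


def parse_signature_lists(blob):
    """Yield (signature_type, owner, data) for every entry in a run of
    EFI_SIGNATURE_LIST structures, which is how db and dbx contents are laid out."""
    off = 0
    while off + LIST_HEADER.size <= len(blob):
        type_raw, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, off)
        end = off + list_size
        # Reject sizes that would loop forever or read past the buffer.
        if list_size < LIST_HEADER.size or end > len(blob) or sig_size <= OWNER_GUID_SIZE:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + LIST_HEADER.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_GUID_SIZE])
            yield sig_type, owner, blob[pos + OWNER_GUID_SIZE:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(dbx):
    """Set of lowercase hex SHA-256 values the dbx blob revokes."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(dbx)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(dbx, authenticode_sha256_hex):
    """True if the image with this Authenticode SHA-256 is on the forbidden list."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx)


def load_dbx(path, efivarfs=False):
    """Read a dbx dump. On Linux, files under /sys/firmware/efi/efivars/ begin with a
    4-byte attributes field that is not part of the variable data; a dump made on
    Windows with Get-SecureBootUEFI dbx is the raw data and needs no stripping."""
    with open(path, "rb") as f:
        data = f.read()
    return data[4:] if efivarfs else data


def scan_esp(esp_root):
    """Walk a mounted ESP and return (path, flat_sha256, suspect_name) for every .efi
    file and for the component names above. The flat hash is inventory only: dbx
    holds the PE Authenticode hash, which covers only part of the file."""
    findings = []
    for dirpath, _, files in os.walk(esp_root):
        for name in files:
            low = name.lower()
            if low.endswith(".efi") or low in SUSPECT_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                findings.append((path, digest, low in SUSPECT_NAMES))
    return findings


def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries. Used here only to construct
    sample dbx data; on a real machine the dbx comes from the firmware."""
    sig_size = OWNER_GUID_SIZE + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                              LIST_HEADER.size + len(body), 0, sig_size)
    return header + body


# Constructed sample data: two made-up "revoked image" hashes, not real dbx entries.
SAMPLE_REVOKED = [hashlib.sha256(b"constructed-revoked-image-A").digest(),
                  hashlib.sha256(b"constructed-revoked-image-B").digest()]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED)

if __name__ == "__main__":
    # On a real Linux host the dbx would instead come from something like
    # load_dbx("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f", efivarfs=True)
    dbx = SAMPLE_DBX
    for h in SAMPLE_REVOKED + [hashlib.sha256(b"constructed-clean-image").digest()]:
        print(h.hex()[:16], "REVOKED" if is_revoked(dbx, h.hex()) else "not in dbx")
    # Inventory of a mounted ESP (the mount point is a placeholder for your system):
    # for path, digest, suspect in scan_esp("/boot/efi"):
    #     print(("SUSPECT " if suspect else "        ") + path, digest)
```

To use this against a real machine, dump the dbx (Get-SecureBootUEFI dbx on Windows, or the efivars file on Linux with the 4-byte attribute prefix stripped), compute the Authenticode hash of the boot application you are worried about with a tool that implements that hash, and pass it to is_revoked; an empty result from revoked_sha256_hashes after the vendor and Microsoft updates have been applied would itself be a sign that the revocation did not reach the firmware.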
Overall, the incident underscores the importance of robust security practices in the development and deployment of system recovery programs to prevent similar vulnerabilities in the future. By strengthening verification processes and bolstering security controls, organizations can mitigate the risk posed by malicious actors seeking to exploit UEFI vulnerabilities for nefarious purposes.