Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344

A critical vulnerability that allows bypassing UEFI Secure Boot, impacting the majority of UEFI-based systems, has been uncovered by ESET researchers. Designated as CVE-2024-7344, this vulnerability was detected in a UEFI application signed by Microsoft’s third-party UEFI certificate, known as “Microsoft Corporation UEFI CA 2011.” The exploitation of this vulnerability enables the execution of untrusted code during the system boot process, allowing potential attackers to deploy malicious UEFI bootkits such as Bootkitty or BlackLotus on systems with UEFI Secure Boot enabled, irrespective of the operating system in use.

The vulnerable UEFI application is part of several real-time system recovery software suites developed by multiple companies, including Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH. Affected products include Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, WASAY eRecoveryRX, CES NeoImpact, and SignalComputer HDD King, among others.

The root cause of the vulnerability is the use of a custom PE loader instead of the standard, secure UEFI functions LoadImage and StartImage, which enforce Secure Boot signature verification. Because the custom loader performs no such check, it can load any UEFI binary, even an unsigned one, from a specially crafted file named cloak.dat during system startup, regardless of the UEFI Secure Boot status.

After identifying the vulnerability, ESET researchers reported their findings to the CERT Coordination Center (CERT/CC) in June 2024. CERT/CC coordinated contact with the affected vendors, who have since fixed the issue in their products. The vulnerable binaries were subsequently revoked by Microsoft in the January 14th, 2025 Patch Tuesday update.

The coordinated disclosure timeline highlights the diligence and timely action taken by all parties involved, including ESET researchers, CERT/CC, and the affected vendors. By following established procedures, the vulnerability was addressed and remediated effectively.

The report also discusses the real-world workings of UEFI Secure Boot verification, describing how UEFI Secure Boot databases are managed on devices and who is responsible for them. It emphasizes the central role of Microsoft's UEFI certificates in securing UEFI-based systems and the need for vigilance and transparency in the signing of UEFI applications.

It then details the specifics of CVE-2024-7344, including the discovery of the unsigned UEFI application in the Howyar SysReturn software package, and outlines how the vulnerability is exploited, which typically requires elevated privileges, along with its potential impact on UEFI-based systems.

Finally, it provides recommendations for protection and detection, including instructions for verifying whether a system has the necessary revocations applied and how to apply them. Additional measures, such as file access rules and UEFI Secure Boot customization, are suggested to further reduce the risk of exploitation.
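Verifying that a revocation is in place means checking the Secure Boot forbidden-signature database (dbx) for the revoked binary's Authenticode hash. As an added illustration, not code from the ESET report or from any of the vendors named above, the Python below parses the EFI_SIGNATURE_LIST structures that make up db/dbx and checks whether a given SHA-256 hash is revoked; the sample dbx blob, owner GUID and hash are constructed placeholders, since the real hashes of the CVE-2024-7344 binaries are not given here.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER_LEN = 28  # EFI_GUID SignatureType + 3 x UINT32 (ListSize, HeaderSize, SignatureSize)

def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a db/dbx blob."""
    offset = 0
    while offset + HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        end = offset + list_size
        # Reject truncated lists and a zero SignatureSize, which would otherwise loop forever.
        if list_size < HEADER_LEN or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % offset)
        pos = offset + HEADER_LEN + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, bytes(blob[pos + 16:pos + sig_size])
            pos += sig_size
        offset = end

def revoked_sha256_hashes(dbx_blob):
    """Return the set of Authenticode SHA-256 hashes revoked by a dbx blob."""
    return {d for t, _, d in parse_signature_lists(dbx_blob) if t == EFI_CERT_SHA256_GUID}

def is_revoked(dbx_blob, authenticode_sha256):
    """True if the given PE Authenticode SHA-256 hash appears in dbx."""
    return authenticode_sha256 in revoked_sha256_hashes(dbx_blob)

def build_signature_list(sig_type, owner, entries):
    """Pack equal-length entries into one EFI_SIGNATURE_LIST (used here only to construct sample data)."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body

# Constructed sample dbx: one SHA-256 list followed by one X.509 list. The owner GUID and
# the hash are placeholders, NOT the real values for the CVE-2024-7344 binaries.
SAMPLE_OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")
PLACEHOLDER_REVOKED_HASH = hashlib.sha256(b"constructed placeholder for a revoked binary").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [PLACEHOLDER_REVOKED_HASH])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"constructed, not a real DER certificate"])
)
```

On Linux the live variable is readable at /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f; its first four bytes are the variable attributes and must be skipped before handing the rest to parse_signature_lists.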

In conclusion, the discovery of vulnerabilities such as this one in the UEFI ecosystem highlights the ongoing challenge of maintaining system integrity at boot time. Proactive measures, transparency in UEFI application signing, and continuous vigilance against emerging threats remain essential components of a robust security strategy.
