The Cybersecurity and Infrastructure Security Agency (CISA) is urging the computer industry to prioritize the security of Unified Extensible Firmware Interface (UEFI) update mechanisms. In a blog post, CISA called for a secure-by-design approach to enhance the overall security of UEFI, which is responsible for a system’s booting-up routine. This includes various components such as security and platform initializers, drivers, bootloaders, and a power management interface.
UEFI has become a popular attack surface for threat actors because malicious code loaded into it gives them a high level of persistence on a system. Such code runs before the operating system or any security software, making it invisible to most incident response tactics and defense mechanisms. As a result, CISA is calling for a standardized approach to neutralizing threats to UEFI by developing inherently hardened software and update pathways.
The ongoing threat related to the BlackLotus bootkit serves as an example of the vulnerabilities in UEFI update mechanisms. BlackLotus is the first malware to successfully bypass Microsoft’s UEFI Secure Boot implementation. In order to protect against it, users currently need to manually apply patches issued by Microsoft. However, the National Security Agency (NSA) has warned that these patches are not sufficient to fully address the problem. Microsoft did not issue patches to revoke trust in unpatched boot loaders, allowing bad actors to replace fully patched loaders with vulnerable versions and execute BlackLotus.
BlackLotus exploits a failure in secure update distribution: the channel for delivering UEFI updates on Windows is insufficiently resilient and secure. If Microsoft had used a more secure-by-design public key infrastructure (PKI) approach for UEFI along with an automated update system, the issue might have been resolved already. However, under current PKI management practices, revoking the key used in the Windows PKI would cause collateral damage in other parts of the operating system. According to Jonathan Spring, senior technical advisor at CISA, this demonstrates that a PKI should not be structured so that one signing key covers unrelated components.
The NSA has recommended additional manual steps to harden systems against BlackLotus, such as tightening user executable policies and monitoring the integrity of the boot partition. Microsoft is planning an automated and comprehensive fix for BlackLotus in early 2024. However, CISA hopes to build a future where manual security fixes are not the norm.
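The boot-partition integrity monitoring the NSA recommends can be implemented as a hash baseline of the EFI System Partition that is re-checked on a schedule. The script below is an added illustration, not code from CISA, the NSA or Microsoft; the ESP directory layout, file contents and the simulated loader swap are constructed for the demo, and on a real system `snapshot()` would be pointed at the mounted ESP with the baseline stored off-host. Note that a hash mismatch alone cannot tell a legitimate update from a rollback to an older signed loader, so each change must be reconciled against known update events.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences against the baseline: added, removed, or changed hash."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo_downgrade_detection() -> dict[str, list[str]]:
    """Build a constructed ESP tree, baseline it, then simulate the replacement
    of a patched boot manager with an older build and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        # Constructed placeholder contents; real files are signed PE binaries.
        (boot / "bootmgfw.efi").write_bytes(b"constructed: patched boot manager")
        (boot / "BCD").write_bytes(b"constructed: boot configuration data")
        baseline = snapshot(esp)
        # Simulated tampering: patched loader swapped for a vulnerable build,
        # plus an unexpected extra file appearing on the partition.
        (boot / "bootmgfw.efi").write_bytes(b"constructed: older vulnerable boot manager")
        (boot / "unexpected.efi").write_bytes(b"constructed: file not in baseline")
        return compare(baseline, snapshot(esp))


if __name__ == "__main__":
    for kind, files in demo_downgrade_detection().items():
        print(f"{kind}: {files or '-'}")
```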
CISA outlined specific efforts to improve UEFI update cybersecurity. System owners should be able to audit, manage, and update UEFI components just like any other software. Operational teams should have the capability to collect, analyze, and respond to UEFI-related activities through event logs. UEFI component developers should adopt secure development environments and best practices. The UEFI vendor community should provide uninterrupted and reliable update capabilities. Additionally, the UEFI community should expand the adoption of best practices for Product Security Incident Response Team (PSIRT) operations.
CISA referred to a publication by the Software Engineering Institute at Carnegie Mellon University titled “Securing UEFI: An Underpinning Technology for Computing” for further guidance on implementing these strategies.
Overall, CISA’s call to action highlights the need for improved security in UEFI update mechanisms and the importance of a secure-by-design approach. By addressing these vulnerabilities, the computer industry can enhance the overall security and resilience of systems against persistent malware threats such as BlackLotus.