Millions of Devices at Risk of ‘PKFail’ Secure Boot Bypass Vulnerability

A critical weakness in the Secure Boot chain of trust allows attackers to bypass Secure Boot on millions of Intel- and ARM-based devices. It stems from the leak of the private half of a test Platform Key (PK) belonging to American Megatrends International (AMI). The PK sits at the root of the Secure Boot key hierarchy: it authorizes changes to the Key Exchange Key (KEK), which in turn authorizes the signature databases (db and dbx) that the firmware consults to decide which bootloaders and drivers may run at startup. Whoever holds the PK's private key therefore controls the whole chain, not just one signature check.

The issue, dubbed PKFail, was uncovered by researchers at firmware security vendor Binarly. The AMI test key, which was never meant to ship, was inadvertently carried into production firmware built for a range of device makers, including Lenovo, HP, Asus, and SuperMicro, instead of being replaced with a vendor-controlled production key. Potentially millions of consumer and enterprise devices worldwide are therefore exposed.

According to Alex Matrosov, CEO and founder of Binarly, an attacker with access to the private part of the compromised PK can easily manipulate key databases and bypass the Secure Boot process. This vulnerability opens the door for attackers to deploy UEFI bootkits, such as last year’s BlackLotus, which enable persistent kernel access and privileges.

The fix is conceptually simple: device vendors must ship firmware updates that replace the leaked test PK with a production key under their own control. Some vendors have already done so, but re-flashing firmware on critical systems such as data center servers takes time. In the meantime, Matrosov advises organizations to disconnect devices still carrying the leaked AMI PK from critical networks until updates can be deployed.
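Acting on the advice above first requires knowing which machines still carry the test PK. The following is an added example, not code from this article or from Binarly: it parses the Platform Key variable as the EFI_SIGNATURE_LIST structure the UEFI specification defines and flags any X.509 entry whose encoded bytes contain the "DO NOT TRUST" subject marker Binarly reported for the leaked certificate. The efivarfs path is the one Linux uses; the sample variable data is constructed here, and its DER stand-in is not a real certificate, only a reproduction of how the subject text sits in the encoded bytes.

```python
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# On Linux, efivarfs exposes the PK here: 4 attribute bytes followed by the data.
PK_EFIVARFS_PATH = f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE_GUID}"

# Binarly's published PKfail indicator: the leaked AMI test certificate carries
# "DO NOT TRUST" in its subject. X.509 name strings are stored as plain ASCII
# inside DER, so a byte search over the certificate is enough to spot it.
UNTRUSTED_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIG_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LIST structures and return
    (signature_type, owner_guid, signature_data) tuples."""
    entries = []
    off = 0
    while off < len(data):
        if off + SIG_LIST_HDR.size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off)
        end = off + list_size
        if list_size < SIG_LIST_HDR.size or end > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        sig_type = uuid.UUID(bytes_le=type_raw)  # EFI GUIDs are mixed-endian
        pos = off + SIG_LIST_HDR.size + hdr_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA: SignatureOwner GUID, then the signature bytes.
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def read_efivar(path: str = PK_EFIVARFS_PATH) -> bytes:
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def check_pk(pk_data: bytes):
    """Return one finding per X.509 entry in the PK variable."""
    findings = []
    for sig_type, owner, cert_der in parse_signature_lists(pk_data):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # the PK is defined to hold X.509 certificates only
        marker = next((m for m in UNTRUSTED_MARKERS if m in cert_der), None)
        findings.append({
            "owner": str(owner),
            "cert_len": len(cert_der),
            "untrusted": marker is not None,
            "marker": marker.decode() if marker else None,
        })
    return findings


def build_signature_list(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER blob in an EFI_SIGNATURE_LIST (used for constructed test data)."""
    sig_size = 16 + len(cert_der)
    list_size = SIG_LIST_HDR.size + sig_size
    return (SIG_LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
            + owner.bytes_le + cert_der)


def fake_cert(common_name: str) -> bytes:
    """Constructed stand-in: SEQUENCE { PrintableString CN }. Not a real X.509
    certificate; it only mimics how the CN text appears in the encoded bytes."""
    cn = common_name.encode("ascii")
    inner = b"\x13" + bytes([len(cn)]) + cn
    return b"\x30" + bytes([len(inner)]) + inner


# Constructed samples (owner GUID is arbitrary): a leaked-test-key PK and a
# vendor production PK.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
LEAKED_PK = build_signature_list(fake_cert("DO NOT TRUST - AMI Test PK"), SAMPLE_OWNER)
PRODUCTION_PK = build_signature_list(fake_cert("Example Vendor Platform Key"), SAMPLE_OWNER)

if __name__ == "__main__":
    import sys
    # With no argument, read the live PK; otherwise read a dumped efivarfs file.
    data = read_efivar() if len(sys.argv) == 1 else open(sys.argv[1], "rb").read()[4:]
    for f in check_pk(data):
        status = "UNTRUSTED" if f["untrusted"] else "ok"
        print(f"{status:9} owner={f['owner']} cert={f['cert_len']} bytes")
```

A PK that shows as untrusted should be treated as equivalent to no Secure Boot at all until the vendor's firmware update has replaced it; a clean result only says the known marker is absent, so the same check is worth repeating against KEK and db, which an attacker holding the PK could have altered.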

Rogier Fischer, CEO of Hadrian, highlighted the gravity of the situation, likening the PKFail issue to having a master key that can unlock many systems. This widespread impact is due to the reuse of the same keys across different devices, making a single breach potentially devastating for numerous systems.

The PKFail vulnerability underscores a long-standing issue in the tech industry of using non-production and test cryptographic keys in production devices. This misuse of keys has been a problem for over a decade, with incidents like the 2016 discovery of multiple Lenovo devices sharing the same compromised AMI test key (CVE-2016-5247) serving as cautionary tales. Binarly’s report attributed the PKFail flaw to poor cryptographic key management practices in the device supply chain, emphasizing the urgent need for better security measures.

In conclusion, the PKFail Secure Boot Issue represents a significant threat to the security and integrity of millions of devices worldwide. Addressing this vulnerability requires immediate action from device vendors to replace compromised keys and issue firmware updates. Failure to do so could leave devices exposed to exploitation and compromise, posing severe risks to both individual users and organizations.
