ESET reveals vulnerability bypassing UEFI Secure Boot

ESET’s recent discovery of a new boot loader vulnerability has shed light on a larger issue surrounding Unified Extensible Firmware Interface (UEFI) security practices. The vulnerability, identified as CVE-2024-7344, was detailed in a blog post titled “Under the Cloak of UEFI Secure Boot: Introducing CVE-2024-7344,” published by ESET on Thursday following its disclosure on Patch Tuesday.

The flaw was found in a UEFI application signed by Microsoft’s third-party certificate and used by Howyar Technologies Inc. This vulnerability could allow attackers to deploy malicious UEFI bootkits, even on systems with UEFI Secure Boot enabled. ESET researchers reported the vulnerability to the CERT Coordination Center and worked with affected vendors, including Howyar Technologies, Greenware Technologies, and Radix Technologies, to roll out a fix as part of January Patch Tuesday.

The vulnerability, which affects most UEFI-based systems and all UEFI systems with Microsoft third-party UEFI signing enabled, highlights a critical security issue. The researchers initially came across the vulnerability while analyzing a Howyar SysReturn software package, which contained an unsigned binary in a UEFI application called reloader.efi. The vulnerable boot loader in question did not perform any Secure Boot-related integrity checks, making it susceptible to exploitation.

While the UEFI Secure Boot bypass vulnerability has been addressed, ESET researchers caution that it points to a broader problem within the threat landscape. Similar issues were reported by Eclypsium researchers during a DEF CON 30 presentation in 2022, highlighting vulnerabilities in third-party boot loaders that could bypass the Secure Boot process. ESET anticipates that boot loader security could pose an increasing problem in the future.

To mitigate CVE-2024-7344, users are advised to apply the latest UEFI revocations from Microsoft, with Windows systems set to receive automatic updates. In response to the discovery, ESET called for transparency in UEFI security practices, particularly in the signing of third-party UEFI applications by vendors like Microsoft.
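One way to confirm that a revocation update actually reached a machine is to parse the Secure Boot forbidden-signature database (dbx) and look for the expected digests. The sketch below is an added example, not code from ESET, Microsoft or the original article. It assumes a Linux host with efivarfs mounted, and the digests to look for must be taken from Microsoft's published revocation list, since the article does not give them; the sample digests here are constructed.

```python
import hashlib
import struct
import uuid

EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec
# Linux efivarfs path of dbx (assumes a Linux host with efivarfs mounted).
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_dbx_sha256(blob):
    """Return the SHA-256 digests (hex) in a raw dbx blob of EFI_SIGNATURE_LISTs."""
    digests, off = set(), 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of bounds")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        if sig_type == EFI_CERT_SHA256:  # X.509 and other list types are skipped
            if sig_size != 48:  # 16-byte owner GUID + 32-byte digest
                raise ValueError("unexpected SignatureSize for SHA-256 list")
            for i in range(0, len(body), 48):
                digests.add(body[i + 16:i + 48].hex())
        off += list_size
    return digests


def read_dbx(path=DBX_PATH):
    """Read dbx from efivarfs, dropping the 4-byte attributes prefix."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def missing_revocations(blob, required_hex):
    """Return required digests (Authenticode SHA-256, hex) absent from dbx."""
    present = parse_dbx_sha256(blob)
    return sorted(h.lower() for h in required_hex if h.lower() not in present)


def constructed_dbx():
    """Constructed sample: one SHA-256 list holding two made-up digests."""
    entries = b"".join(bytes(16) + hashlib.sha256(s).digest()
                       for s in (b"sample-a", b"sample-b"))
    return EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(entries), 0, 48) + entries
```

On a real host, `missing_revocations(read_dbx(), required)` returns an empty list once every required digest is present. dbx entries are Authenticode hashes of the PE image, not plain file hashes, so compare against the vendor-published values rather than the output of `sha256sum`.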

Microsoft, in turn, acknowledged the need for increased transparency and pledged to discuss the issue further in the new year. Martin Smolár, a malware researcher at ESET, emphasized the importance of collaboration among the cybersecurity community, technology companies, and journalists to raise awareness about UEFI security and drive improvements in product security across the UEFI firmware supply chain.

Moving forward, developers involved in UEFI development are urged to prioritize security best practices and remain vigilant in addressing any vulnerabilities in their products. More transparency is needed in the signing of UEFI binaries by OEMs and Microsoft, along with continuous improvements to the review processes to enhance overall security.

In a statement provided to Informa TechTarget, Microsoft outlined its commitment to evolving the vetting process for third-party binary code to enhance ecosystem security amid growing threats. The company stressed the importance of collaboration in addressing security challenges and adapting to the ever-changing threat landscape.

As the cybersecurity community continues to address UEFI security challenges, it is crucial for all stakeholders to work together in enhancing security measures and promoting transparency in software development practices. The discovery of CVE-2024-7344 underscores the importance of proactive security measures in safeguarding systems against emerging threats.
