Three flaws allow attackers to bypass UEFI Secure Boot feature

Three flaws allow attackers to bypass UEFI Secure Boot feature

Researchers discovered a flaw in three signed third-party UEFI boot loaders that allow bypass of the UEFI Secure Boot feature.

Researchers from hardware security firm Eclypsium have discovered a vulnerability in three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders that can be exploited to bypass the UEFI Secure Boot feature.

Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system specification.”

UEFI Secure Boot

According to the experts, these three new bootloader vulnerabilities affect most of the devices released over the past 10 years, including x86-64 and ARM-based devices.

“These vulnerabilities could be used by an attacker to easily evade Secure Boot protections and compromise the integrity of the boot process;  enabling the attacker to modify the operating system as it loads, install backdoors, and disable operating system security controls.” reads the post published by the experts. “Much like our previous GRUB2 BootHole research, these new vulnerable bootloaders are signed by the Microsoft UEFI Third Party Certificate Authority. By default, this CA is trusted by virtually all traditional Windows and Linux-based systems such as laptops, desktops, servers, tablets, and all-in-one systems.”

Experts pointed out that these bootloaders are signed by the Microsoft UEFI Third Party Certificate Authority, the good news is that the IT giant has already addressed this flaw with the release of Patch Tuesday security updates for August 2020.

The flaws identified by the experts have been rated as:

  • CVE-2022-34301 – Eurosoft (UK) Ltd
  • CVE-2022-34302 – New Horizon Datasys Inc
  • CVE-2022-34303 – CryptoPro Secure Disk for BitLocker

The two CVE-2022-34301 and CVE-2022-34303 are similar in the way they involve signed UEFI shells, the first one the signed shell is esdiags.efi while for the third one (CryptoPro Secure Disk), the shell is Shell_Full.efi.

Threat actors can abuse built-in capabilities such as the ability to read and write to memory, list handles, and map memory, to allow the shell to evade Secure Boot. The experts warn that the exploitation could be easily automated using startup scripts, for this reason, it is likely that threat actors will attempt to exploit it in the wild.

“Exploiting these vulnerabilities requires an attacker to have elevated privileges (Administrator on Windows or root on Linux). However,  local privilege escalation is a common problem on both platforms. In particular, Microsoft does not consider UAC-bypass a defendable security boundary and often does not fix reported bypasses, so there are many mechanisms in Windows that can be used to elevate privileges from a non-privileged user to Administrator.” continues the post.

The exploitation of the New Horizon Datasys vulnerability (CVE-2022-34302) is more stealthy, system owners cannot detect the exploitation. The bootloader contains a built-in bypass for Secure Boot that can be exploited to disable the Secure Boot checks while maintaining the Secure Boot on.

“This bypass can further enable even more complex evasions such as disabling security handlers. In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code. The simplicity of exploitation makes it highly likely that adversaries will attempt to exploit this particular vulnerability in the wild.” continues the post.

Experts highlighters that the exploitation of these vulnerabilities requires an attacker to have administrator privileges, which can be achieved in different ways.

“Much like BootHole, these vulnerabilities highlight the challenges of ensuring the boot integrity of devices that rely on a complex supply chain of vendors and code working together,” the post concludes. “these issues highlight how simple vulnerabilities in third-party code can undermine the entire process.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, UEFI Secure Boot)




Leave a Reply

Your email address will not be published.