- ESET finds a bug in a UEFI application that allows malicious actors to bypass UEFI secure boot
- The move gives criminals the ability to deploy bootkits to affected systems.
- Microsoft fixed the bug in its January 2025 Patch Tuesday update
An unnamed but apparently popular UEFI application was signed with a vulnerable certificate, allowing threat actors to bypass UEFI secure boot and deploy bootkits to target endpoints.
ESET cybersecurity researchers discovered the bug and reported it to the CERT Coordination Center. Microsoft issued a fix in this month’s Patch Tuesday cumulative update, released on January 14, 2025, and all Windows users are advised to apply the patch as soon as possible.
UEFI Secure Boot is a security feature that ensures a computer boots using only software trusted by the manufacturer, protecting against malware and unauthorized software at startup. The UEFI application in question is apparently part of “several real-time system recovery software suites,” including those created by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc. and Signal Computer GmbH.
Regarding the findings
The application was vulnerable to CVE-2024-7344, a bug caused by using a custom PE loader instead of the standard, secure UEFI LoadImage and StartImage functions, which is where Secure Boot's signature verification is enforced.
All UEFI systems with Microsoft’s third-party UEFI signing enabled were said to be affected. The bug can cause “untrusted code execution during system startup, allowing potential attackers to easily deploy malicious UEFI bootkits” even on protected devices.
“The number of UEFI vulnerabilities discovered in recent years and the failures to patch them or revoke vulnerable binaries within a reasonable period of time shows that even a feature as essential as UEFI Secure Boot should not be considered an impenetrable barrier,” says ESET researcher Martin Smolár, who discovered the vulnerability.
“However, what concerns us most regarding the vulnerability is not the time it took to fix and revoke the binary, which was quite good compared to similar cases, but the fact that this is not the first time that such an obviously insecure signed UEFI binary has been discovered. This raises questions about how common the use of such insecure techniques is among third-party UEFI software vendors and how many other similar, obscure but signed bootloaders might exist.”
ESET also emphasized that the list of vulnerable devices extends beyond those with the affected recovery software installed, as criminals can bring their own copy of the vulnerable binary to any UEFI system with Microsoft’s third-party UEFI certificate registered.
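As an added defender-side check (not part of the ESET report or any vendor's code), the following PowerShell script tests whether a Windows host falls into the affected population described above: Secure Boot enforced and Microsoft's third-party UEFI CA present in the db variable. It also counts dbx revocation hashes so that applying the update can be confirmed; the cmdlets, variable names and GUIDs are the standard Windows/UEFI ones, and an elevated session on a UEFI system is assumed.

```powershell
# Added check (not ESET's code): is this host in the affected population,
# i.e. Secure Boot on AND Microsoft's third-party UEFI CA trusted in db?
# Also counts dbx hash entries so revocation updates can be confirmed.
# Assumes an elevated PowerShell session on a UEFI-booted Windows system.
$ThirdPartyCaSubject = 'Microsoft Corporation UEFI CA 2011'
$X509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

# Walk a blob of EFI_SIGNATURE_LIST structures and yield one record per list.
# Header layout: SignatureType GUID (16) | SignatureListSize (4) |
#                SignatureHeaderSize (4) | SignatureSize (4)
function Get-SignatureLists {
    param([byte[]] $Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0) { break }    # malformed list, stop
        [pscustomobject]@{
            Type  = $type
            Count = [math]::Floor(($listSize - 28 - $headerSize) / $sigSize)
        }
        $offset += $listSize
    }
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Output 'Secure Boot is disabled: no boot-time signature check is enforced at all.'
    return
}
$db  = (Get-SecureBootUEFI -Name db).Bytes
$dbx = (Get-SecureBootUEFI -Name dbx).Bytes

# Each db entry is SignatureOwner GUID (16) + DER certificate; the subject CN
# is stored as plain ASCII inside the DER, so a byte-string search suffices.
$trustsThirdParty = [System.Text.Encoding]::ASCII.GetString($db).Contains($ThirdPartyCaSubject)
$dbCerts   = [int](Get-SignatureLists $db  | Where-Object Type -eq $X509Guid   | Measure-Object Count -Sum).Sum
$dbxHashes = [int](Get-SignatureLists $dbx | Where-Object Type -eq $Sha256Guid | Measure-Object Count -Sum).Sum

Write-Output "db: $dbCerts X.509 certificate(s); third-party UEFI CA trusted: $trustsThirdParty"
Write-Output "dbx: $dbxHashes SHA-256 revocation hash(es); compare before and after the January 2025 update"
if ($trustsThirdParty) {
    Write-Output 'Host is exposed as described above until the vulnerable binary is revoked in dbx.'
}
```

Because an attacker can bring their own copy of the binary, the result that matters is the third-party CA being trusted, not whether the recovery software is installed.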