ESET researchers have reported a new vulnerability, a UEFI Secure Boot bypass, in a UEFI application signed with Microsoft's third-party UEFI certificate (Microsoft Corporation UEFI CA 2011).

Tracked as CVE-2024-7344, the flaw lets an attacker execute unsigned code during boot and install a bootkit even when UEFI Secure Boot is enabled.

The vulnerable application, reloader.efi, ships with several real-time system recovery products.

What Makes Bootkits Dangerous

Bootkits pose a critical risk precisely because they run before the operating system loads, where endpoint security tools cannot easily see them. According to the CERT Coordination Center, “The code executed during the early boot phase can persist on the system and survive both reboots and re-installations.”

How This Vulnerability Arises

The vulnerability arises because reloader.efi does not load the code it runs through the firmware's LoadImage and StartImage boot services, which is where Secure Boot's signature checks happen. Instead it carries its own PE loader that reads a companion data file from the EFI System Partition, decodes the PE image inside it and executes it. That custom loader performs no signature verification, so it will run any UEFI binary, including an unsigned one.

An attacker who already has administrative privileges on the machine (or physical access to the disk) can replace the operating system's bootloader on the EFI System Partition with the vulnerable, Microsoft-signed reloader.efi and place a malicious payload in the data file it reads (cloak.dat in ESET's analysis). Note that reloader.efi is the signed, vulnerable component, not the malicious one; the attacker supplies the payload.

When the computer starts, the firmware loads reloader.efi, which passes Secure Boot because its Microsoft signature is valid, and reloader.efi then loads and runs the attacker's payload without any check. The result is arbitrary code execution during boot with Secure Boot still enabled, which is what makes CVE-2024-7344 usable for installing bootkits. The firmware is doing its job; the weakness is in a signed application that it trusts.

CVE-2024-7344: Potential Scope of the Impact

The affected UEFI applications belong to system recovery, disk maintenance and backup products; each serves a narrow purpose. Because the binary is signed with Microsoft's third-party UEFI CA, however, any system that trusts that certificate (most PCs with Secure Boot enabled) will run it, whether or not the product was ever installed there.

As reported by ESET, these are the products and versions found vulnerable:

  • Howyar SysReturn before version 10.2.023_20240919
  • Greenware GreenGuard before version 10.2.023-20240927
  • Radix SmartRecovery before version 11.2.023-20240927
  • Sanfong EZ-back System before version 10.3.024-20241127
  • WASAY eRecoveryRX before version 8.4.022-20241127
  • CES NeoImpact before version 10.1.024-20241127
  • SignalComputer HDD King before version 10.3.021-20241127

Fixing the Vulnerability

The affected vendors have fixed the problem in their products; the versions listed above are the first fixed releases. Fixing the products alone is not enough, because the old binaries remain validly signed and an attacker can bring their own copy, so Microsoft revoked the vulnerable binaries by adding their hashes to the UEFI forbidden-signatures database (dbx) in its January 14, 2025 Patch Tuesday update. Firmware that has applied the updated dbx refuses to load them. ESET reported the issue to the CERT Coordination Center, which coordinated disclosure with the vendors. On Windows the dbx update is delivered through Windows Update; for Linux systems it should be available through the Linux Vendor Firmware Service (fwupd).
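As an added example (not code from ESET, Microsoft or any of the vendors above), the following Python does two things: it models the flaw described under "How This Vulnerability Arises" (a loader that runs a decoded PE image itself instead of handing it to the firmware's verification path, beside the hardened form that does), and it implements the check a defender wants after the revocation: a parser for the EFI_SIGNATURE_LIST format that the db and dbx variables use, so a dbx dump can be checked for a given SHA-256 entry. The XOR key, file contents and hashes are constructed assumptions, the `Firmware` class is a deliberately simplified hash-only model of the Secure Boot policy, and the function and variable names are mine.

```python
# Added example, not code from ESET, Microsoft or any affected vendor.
# Inputs are constructed; XOR_KEY, the images and the hashes are assumptions,
# not the real CVE-2024-7344 artefacts or the real dbx entries.
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): signature data is a raw SHA-256 digest.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every EFI_SIGNATURE_DATA entry in a
    concatenation of EFI_SIGNATURE_LISTs (the raw value of db or dbx)."""
    off = 0
    while off < len(blob):
        if off + SIG_LIST_HDR.size > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < SIG_LIST_HDR.size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        sig_type = uuid.UUID(bytes_le=raw_type)  # EFI_GUID is mixed-endian
        pos = off + SIG_LIST_HDR.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def build_sha256_list(digests, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here to construct test data)."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + d for d in digests)
    hdr = SIG_LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, SIG_LIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


def hash_listed(var_blob: bytes, digest: bytes) -> bool:
    """True if `digest` appears as a SHA-256 entry in a db/dbx value."""
    return any(t == EFI_CERT_SHA256_GUID and data == digest
               for t, _owner, data in parse_signature_lists(var_blob))


def read_efivar_linux(path: str) -> bytes:
    """Read a variable from efivarfs, e.g. /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f.
    efivarfs prefixes the value with a 4-byte attribute mask; Windows' (Get-SecureBootUEFI dbx).Bytes has none."""
    with open(path, "rb") as f:
        return f.read()[4:]


class Firmware:
    """Toy model of the Secure Boot image policy: load only if the hash is in db and not in dbx.
    Real firmware hashes the PE the Authenticode way and also accepts images whose signer chains
    to a certificate in db; whole-image SHA-256 is enough for the model."""
    def __init__(self, db: bytes, dbx: bytes):
        self.db, self.dbx = db, dbx

    def load_image(self, image: bytes) -> bool:
        h = hashlib.sha256(image).digest()
        return (not hash_listed(self.dbx, h)) and hash_listed(self.db, h)


XOR_KEY = 0x55  # assumption: stands in for whatever encoding the real loader undoes


def decode_payload(data_file: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data_file)  # XOR is symmetric, so this also encodes


def vulnerable_loader(fw: Firmware, data_file: bytes) -> bool:
    """The CVE-2024-7344 pattern: decode the companion file and run the PE image with a private
    loader. The only check is the PE magic; fw.load_image() is never consulted."""
    return decode_payload(data_file).startswith(b"MZ")  # True == "executed"


def fixed_loader(fw: Firmware, data_file: bytes) -> bool:
    """Hardened form: decode, then hand the image to the firmware, which applies db/dbx."""
    return fw.load_image(decode_payload(data_file))


# Constructed stand-ins for real images (not the actual binaries).
LEGIT_IMAGE = b"MZ" + b"\x90" * 62 + b"PE\0\0legit-recovery-tool"
EVIL_IMAGE = b"MZ" + b"\x90" * 62 + b"PE\0\0unsigned-bootkit"
OLD_RELOADER = b"MZ" + b"PE\0\0old-vulnerable-reloader"

DB = build_sha256_list([hashlib.sha256(LEGIT_IMAGE).digest()])
DBX_BEFORE = build_sha256_list([])  # before the revocation update
DBX_AFTER = build_sha256_list([hashlib.sha256(OLD_RELOADER).digest()])  # after it


def scenario() -> dict:
    fw = Firmware(DB, DBX_AFTER)
    evil_file = decode_payload(EVIL_IMAGE)  # what the attacker drops next to reloader.efi
    old_hash = hashlib.sha256(OLD_RELOADER).digest()
    return {
        "vulnerable_runs_unsigned": vulnerable_loader(fw, evil_file),
        "fixed_runs_unsigned": fixed_loader(fw, evil_file),
        "fixed_runs_legit": fixed_loader(fw, decode_payload(LEGIT_IMAGE)),
        "old_reloader_revoked_after": hash_listed(DBX_AFTER, old_hash),
        "old_reloader_revoked_before": hash_listed(DBX_BEFORE, old_hash),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

To use the parser against a real machine, dump dbx with `(Get-SecureBootUEFI dbx).Bytes` in an elevated PowerShell on Windows, or with `read_efivar_linux()` on Linux, and call `hash_listed()` with the hashes published for the revocation. One caveat the toy model glosses over: dbx entries for PE images are Authenticode image hashes (the hash over the PE with the checksum and certificate-table fields excluded), not the SHA-256 of the file on disk, so compare against published hashes or compute the image hash with a tool such as `pesign` or `sbverify` rather than `sha256sum`.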

Final Thoughts

On a final note, what is particularly concerning is that this is not the first unsafe Microsoft-signed UEFI binary to come to light; the same class of flaw, a signed application that loads other code outside the firmware's verification path, has been seen before. Every such binary is a Secure Boot bypass on every system that trusts the third-party CA, and it is still not clear how many similarly unsafe signed bootloaders are already deployed.

Source:

  1. https://www.bleepingcomputer.com/news/security/new-uefi-secure-boot-flaw-exposes-systems-to-bootkits-patch-now/amp/