Three third-party Unified Extensible Firmware Interface (UEFI) boot loaders have been found to contain a security feature bypass vulnerability that allows the UEFI Secure Boot feature to be circumvented.
Hardware security company Eclypsium stated in a report shared with The Hacker News that “these vulnerabilities can be exploited by mounting the EFI System Partition and replacing the existing bootloader with the vulnerable one, or modifying a UEFI variable to load the vulnerable loader instead of the existing one.”
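The second attack path above works by pointing a Boot#### load option at a different loader. As an added example that is not from the Eclypsium report or this article, the following Python serialises and parses EFI_LOAD_OPTION blobs (the UEFI-specified layout of Boot#### variables) and flags any entry whose loader path is not on a per-host baseline; EXPECTED_LOADERS, the sample entries and the partition values are constructed assumptions.

```python
import struct

END_NODE = b"\x7f\xff\x04\x00"  # end-of-device-path node (type 0x7F, subtype 0xFF, length 4)
# Hypothetical per-host baseline of loader paths expected to appear in Boot#### entries.
EXPECTED_LOADERS = {"\\EFI\\Microsoft\\Boot\\bootmgfw.efi"}

def file_path_node(path):
    """Media device-path node (type 0x04, subtype 0x04) carrying a UTF-16 file path."""
    data = path.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<BBH", 0x04, 0x04, 4 + len(data)) + data

def hard_drive_node(partition=1):
    """42-byte Hard Drive media node; partition geometry and signature are constructed placeholders."""
    body = struct.pack("<IQQ16sBB", partition, 2048, 204800, b"\x11" * 16, 0x02, 0x02)
    return struct.pack("<BBH", 0x04, 0x01, 4 + len(body)) + body

def build_load_option(description, path, attributes=1):
    """Serialise an EFI_LOAD_OPTION: attributes, FilePathListLength, description, device path."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    dp = hard_drive_node() + file_path_node(path) + END_NODE
    return struct.pack("<IH", attributes, len(dp)) + desc + dp

def parse_load_option(blob):
    """Decode an EFI_LOAD_OPTION blob into its active flag, description and loader file paths."""
    attributes, dp_len = struct.unpack_from("<IH", blob, 0)
    off = 6
    while blob[off:off + 2] != b"\x00\x00":  # walk UTF-16 code units to the terminator
        off += 2
    description = blob[6:off].decode("utf-16-le")
    off += 2
    paths, pos = [], off
    while pos < off + dp_len:
        ntype, subtype, length = struct.unpack_from("<BBH", blob, pos)
        if ntype == 0x7F and subtype == 0xFF:
            break  # end of the device path list
        if ntype == 0x04 and subtype == 0x04:
            paths.append(blob[pos + 4:pos + length].decode("utf-16-le").rstrip("\x00"))
        pos += length  # skip nodes we do not interpret (e.g. the Hard Drive node)
    return {"active": bool(attributes & 1), "description": description, "file_paths": paths}

def unexpected_loaders(blob):
    """Return every loader path in this entry that is not on the expected baseline."""
    expected = {p.lower() for p in EXPECTED_LOADERS}
    return [p for p in parse_load_option(blob)["file_paths"] if p.lower() not in expected]
```

On Linux the same blobs can be read from /sys/firmware/efi/efivars/Boot####-<guid> after stripping the 4-byte attribute prefix efivarfs prepends; a non-empty result from unexpected_loaders on any entry is worth correlating with changes to the files on the EFI System Partition.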
This week’s Patch Tuesday update from Microsoft included a fix for the bypass, which affects the following vendor-specific boot loaders that were signed and authenticated by Microsoft:
- Eurosoft Boot Loader (CVE-2022-34301)
- New Horizon Data Systems Inc Boot Loader (CVE-2022-34302)
- Crypto Pro Boot Loader (CVE-2022-34303)
Secure Boot is a security standard that prevents malicious software from launching when a computer starts up, ensuring that only OEM-approved software is loaded.
In other words, if the flaws are successfully exploited, an attacker may be able to bypass startup security restrictions and run any unsigned code they choose.
This can have further knock-on effects, allowing a bad actor to establish persistence on a host and gain entrenched access that survives hard drive replacement and operating system reinstallation, while evading detection by security tools entirely.
Eclypsium described CVE-2022-34302 as “much more subtle,” but also pointed out that the New Horizon Datasys vulnerability can “allow even more intricate evasions such as disabling security handlers” in addition to being easy to exploit in the wild.
Trusted Platform Module (TPM) measurements and signature checks are examples of such security handlers. The findings come from Eclypsium researchers Mickey Shkatov and Jesse Michael.
It should be noted that exploiting these flaws requires administrator privileges, although obtaining them through local privilege escalation is not impossible.
According to the researchers, “much like BootHole, these vulnerabilities highlight the difficulties in ensuring the boot integrity of devices that rely on a complex supply chain of vendors and working together.” They also noted that “these issues highlight how straightforward flaws in third-party code can undermine the entire process.”