Researchers have discovered a now-patched vulnerability in UEFI systems, tracked as CVE-2024-7344, that could allow a bypass of the Secure Boot mechanism. It affects several real-time system recovery software suites and has significant implications for the security and integrity of the systems that run them.
ESET researchers detailed the vulnerability on January 17, 2025. It carries a CVSS score of 6.7.
The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI replaces the legacy Basic Input/Output System (BIOS) firmware interface originally present in all IBM PC-compatible personal computers, with most UEFI firmware implementations providing support for legacy BIOS services. This new standard offers several advantages over its predecessor, including remote diagnostics and repair capabilities.
Over the years, experts have observed numerous attacks employing rootkits that are specifically designed to target the firmware of these systems in order to achieve persistence and bypass security solutions. The Secure Boot mechanism is designed to prevent this kind of exploitation by only allowing software that is trusted by the Original Equipment Manufacturer (OEM) to execute.
ESET experts discovered the vulnerability in a UEFI application signed with Microsoft's third-party UEFI certificate, Microsoft Corporation UEFI CA 2011. The vulnerability allows attackers to execute untrusted code during system boot, enabling the deployment of UEFI bootkits like Bootkitty or BlackLotus and bypassing Secure Boot altogether.
The affected products are real-time system recovery software suites developed by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH. The vulnerable releases are Howyar SysReturn before version 10.2.023_20240919, Greenware GreenGuard before version 10.2.023-20240927, Radix SmartRecovery before version 11.2.023-20240927, Sanfong EZ-back System before version 10.3.024-20241127, WASAY eRecoveryRX before version 8.4.022-20241127, CES NeoImpact before version 10.1.024-20241127, and SignalComputer HDD King before version 10.3.021-20241127.
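The fixed versions listed above can be turned into an inventory check. The following is an added example, not code from ESET or any of the vendors. It assumes version strings compare numerically field by field with the build date last, and the `host,product,version` inventory format and sample hosts are constructed for illustration.

```python
import re
# Fixed builds as listed in the article; anything earlier is affected.
FIXED = {
    "Howyar SysReturn": "10.2.023_20240919",
    "Greenware GreenGuard": "10.2.023-20240927",
    "Radix SmartRecovery": "11.2.023-20240927",
    "Sanfong EZ-back System": "10.3.024-20241127",
    "WASAY eRecoveryRX": "8.4.022-20241127",
    "CES NeoImpact": "10.1.024-20241127",
    "SignalComputer HDD King": "10.3.021-20241127",
}

def parse_version(text):
    """Split 'major.minor.patch[_-]YYYYMMDD' into a tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)[_-](\d{8})\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def classify(product, installed):
    """Return 'vulnerable', 'patched', 'not-listed' or 'unparseable'."""
    wanted = {k.lower(): v for k, v in FIXED.items()}.get(product.strip().lower())
    if wanted is None:
        return "not-listed"
    try:
        return "vulnerable" if parse_version(installed) < parse_version(wanted) else "patched"
    except ValueError:
        return "unparseable"  # needs a manual look; never assume patched

def audit(inventory_text):
    """Classify 'host,product,version' lines into (host, product, status)."""
    results = []
    for line in inventory_text.strip().splitlines():
        host, product, version = (f.strip() for f in line.split(",", 2))
        results.append((host, product, classify(product, version)))
    return results

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = """
ws-014,Howyar SysReturn,10.2.023_20240101
ws-022,Radix SmartRecovery,11.2.023-20240927
lab-03,WASAY eRecoveryRX,8.3.022-20240312
kiosk-7,CES NeoImpact,build 10
srv-01,Some Other Tool,1.0.0-20240101
"""
if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```
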
ESET's discovery of this vulnerability is a stark reminder of the importance of keeping software up-to-date and patched. The fact that this vulnerability was discovered in UEFI applications signed by Microsoft Corporation highlights the need for vigilance and attention to detail when it comes to firmware security.
The Secure Boot mechanism plays a critical role in preventing malware from executing on a system, and any bypass of this mechanism can have significant consequences. This vulnerability has been patched, but it serves as a wake-up call for organizations to ensure that their UEFI systems are secure and up-to-date.