

Ethical Hacking News

New UEFI Secure Boot Vulnerability Exposed: A Threat to System Security



A newly discovered vulnerability in UEFI systems, identified as CVE-2024-7344, can be exploited to bypass Secure Boot mechanisms and deploy malicious UEFI bootkits. The Slovakian cybersecurity firm ESET responsibly disclosed the findings, which were later addressed by Howyar Technologies and Microsoft. This discovery underscores the importance of continuous monitoring and patching of vulnerabilities in firmware and UEFI systems.

  • CVE-2024-7344 is a newly discovered vulnerability in Unified Extensible Firmware Interface (UEFI) systems that can bypass Secure Boot.
  • The affected application resides in several real-time system recovery software suites developed by various companies.
  • Attackers can load unsigned UEFI binaries during system start, sidestepping UEFI Secure Boot protections.
  • The vulnerability allows for covert, persistent access to the host and may evade detection by OS-based security measures.
  • A patch was released in January 2025, and Microsoft revoked the old, vulnerable binaries as part of its Patch Tuesday update.



CVE-2024-7344, a newly discovered vulnerability in Unified Extensible Firmware Interface (UEFI) systems, has raised significant concerns among cybersecurity experts and organizations worldwide. This vulnerability, identified by the Slovakian cybersecurity firm ESET, can be exploited to bypass the Secure Boot mechanism, allowing malicious actors to load untrusted code during system boot and deploy UEFI bootkits on machines with Secure Boot enabled.

The affected application, signed with Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, resides in several real-time system recovery software suites developed by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH. The vulnerability was discovered by ESET researcher Martin Smolár, who noted that the application uses a custom PE loader instead of the standard, secure UEFI functions LoadImage and StartImage, the firmware services on which Secure Boot's signature check is enforced.

As a result, attackers can load any UEFI binary – even an unsigned one – from a specially crafted file named cloak.dat during system start, regardless of the UEFI Secure Boot state. This allows them to sidestep UEFI Secure Boot protections and execute unsigned code in the UEFI context before the operating system loads, granting them covert, persistent access to the host.

Code executed in this early boot phase can persist on the system, potentially loading malicious kernel extensions that survive both reboots and OS reinstallation. It may also evade detection by OS-based security tools and endpoint detection and response (EDR) products. Malicious actors could further expand the scope of exploitation by bringing their own copy of the vulnerable "reloader.efi" binary to any UEFI system with the Microsoft third-party UEFI certificate enrolled.

Deploying the vulnerable and malicious files to the EFI system partition does, however, require elevated privileges: local administrator on Windows and root on Linux. After ESET responsibly disclosed the findings in June 2024, Howyar Technologies and its partners fixed the issue in the affected products. On January 14, 2025, Microsoft revoked the old, vulnerable binaries as part of its Patch Tuesday update.

The Slovakian cybersecurity firm emphasized that even such an essential feature as UEFI Secure Boot should not be considered an impenetrable barrier. The fact that this isn't the first time such an obviously unsafe signed UEFI binary has been discovered raises questions about how common these techniques are among third-party UEFI software vendors, and how many other similar obscure, but signed, bootloaders there might be out there.

Experts recommend managing access to files on the EFI system partition, customizing Secure Boot so that only the certificates a system actually needs are trusted, and remote attestation with a Trusted Platform Module (TPM) as additional defenses against exploitation of unknown vulnerable signed UEFI bootloaders and the deployment of UEFI bootkits. The discovery of CVE-2024-7344 highlights the importance of continuous monitoring and patching of vulnerabilities in firmware and UEFI systems.
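The article's recommendation to manage what lives on the EFI system partition (ESP) translates into a check a defender can automate. The script below is an added example, not code from the article, ESET, Howyar or Microsoft: it walks a copy of an ESP and reports the two file names the article associates with CVE-2024-7344 ("reloader.efi" and a sibling "cloak.dat"), and separately flags any .efi image that carries no Authenticode signature at all, by reading the PE optional header's security data directory (index 4). The directory tree and the minimal PE images it scans are constructed inside the script so it runs offline; the certificate-table offsets written into the "signed" sample are placeholder values.

```python
"""Offline ESP triage for the indicators named in the CVE-2024-7344 write-up.

Added example; the scan tree and PE images are constructed for the demo.
"""
import os
import struct
import tempfile

# File names the article ties to CVE-2024-7344 (matched case-insensitively)
INDICATOR_NAMES = {"reloader.efi", "cloak.dat"}


def has_authenticode_signature(data: bytes) -> bool:
    """Return True if the PE image has a non-empty certificate table.

    Data directory index 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) points at the
    WIN_CERTIFICATE table holding the Authenticode signature that UEFI
    Secure Boot verifies. A zero size means the image is unsigned.
    """
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return False
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt_off = pe_off + 4 + 20              # skip "PE\0\0" + COFF header
        magic = struct.unpack_from("<H", data, opt_off)[0]
        if magic == 0x20B:                     # PE32+ (x64 / AArch64 images)
            count_off, dirs_off = opt_off + 108, opt_off + 112
        elif magic == 0x10B:                   # PE32 (IA-32 images)
            count_off, dirs_off = opt_off + 92, opt_off + 96
        else:
            return False
        if struct.unpack_from("<I", data, count_off)[0] <= 4:
            return False                       # no security entry present
        _va, size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
        return size != 0
    except struct.error:                       # truncated header
        return False


def scan_esp(root: str) -> list[tuple[str, str]]:
    """Walk an ESP copy and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower_names = {f.lower() for f in files}
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() in INDICATOR_NAMES:
                findings.append((rel, "indicator file name"))
            if name.lower() == "reloader.efi" and "cloak.dat" in lower_names:
                findings.append((rel, "cloak.dat present alongside reloader.efi"))
            if name.lower().endswith(".efi"):
                with open(full, "rb") as fh:
                    if not has_authenticode_signature(fh.read()):
                        findings.append((rel, "unsigned PE image"))
    return sorted(findings)


def build_minimal_pe(signed: bool) -> bytes:
    """Construct a header-only PE32+ image (demo data, not a bootable binary)."""
    opt = bytearray(240)                       # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)      # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    if signed:
        # Placeholder certificate-table offset/size; any non-zero size counts
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x400, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)  # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo() -> list[tuple[str, str]]:
    """Build a constructed ESP tree (one clean loader, one indicator pair) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        boot = os.path.join(root, "EFI", "BOOT")
        os.makedirs(boot)
        with open(os.path.join(boot, "bootx64.efi"), "wb") as fh:
            fh.write(build_minimal_pe(signed=True))
        with open(os.path.join(boot, "reloader.efi"), "wb") as fh:
            fh.write(build_minimal_pe(signed=True))   # signed, as in the article
        with open(os.path.join(boot, "cloak.dat"), "wb") as fh:
            fh.write(b"constructed placeholder payload")
        return scan_esp(root)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

Two caveats follow from the article itself. A present signature is not proof of trust: reloader.efi was signed by the Microsoft third-party CA, which is why it only shows up here by name and by its cloak.dat companion, and a production check should additionally compare each image's Authenticode hash against the firmware's db and dbx (the January 2025 revocation lives in dbx). And because writing to the ESP already requires administrator or root, this scan is a detection control for a host that may be compromised, so run it from a trusted environment or over an offline image rather than trusting the live OS alone.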



    Related Information:

  • https://thehackernews.com/2025/01/new-uefi-secure-boot-vulnerability.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-7344

  • https://www.cvedetails.com/cve/CVE-2024-7344/


  • Published: Thu Jan 16 09:33:05 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
