A security feature bypass vulnerability has been uncovered in
three signed third-party Unified Extensible Firmware Interface
(UEFI) boot loaders that allow bypass of the UEFI Secure Boot
feature.
“These vulnerabilities can be exploited by mounting the EFI
System Partition and replacing the existing bootloader with the
vulnerable one, or modifying a UEFI variable to load the vulnerable
loader instead of the existing one,” hardware security firm
Eclypsium said[1]
in a report shared with The Hacker News.
The following vendor-specific boot loaders[2], which were signed and
authenticated by Microsoft, have been found vulnerable to the
bypass and have been patched as part of the tech giant’s Patch Tuesday update[3]
released this week –
Secure Boot is a security standard[4]
designed to thwart malicious programs from loading when a computer
starts up (boots) and ensure only the software that is trusted by
the Original Equipment Manufacturer (OEM) is launched.
In other words, successful exploitation of the flaws could
permit an adversary to circumvent security guardrails at startup
and execute arbitrary unsigned code during the boot process.
This can have further knock-on effects, enabling a bad actor to
gain entrenched access and establish persistence[5]
on a host through in a manner that can survive operating system
reinstalls and hard drive replacements, not to mention completely
bypassing detection by security software.
Calling CVE-2022-34302 “far more stealthy,” Eclypsium noted the
New Horizon Datasys vulnerability is not only trivial to exploit in
the wild, but can also “enable even more complex evasions such as
disabling security handlers.”
Security handlers, for instance, can include[6]
Trusted Platform Module (TPM) measurements and signature checks,
Eclypsium researchers Mickey Shkatov and Jesse Michael said.
It’s worth noting that exploiting these vulnerabilities requires
an attacker to have administrator privileges, although gaining
local privilege escalation is not insurmountable.
“Much like BootHole[7], these vulnerabilities
highlight the challenges of ensuring the boot integrity of devices
that rely on a complex supply chain of vendors and code working
together,” the researchers concluded, adding “these issues
highlight how simple vulnerabilities in third-party code can
undermine the entire process.”
References
- ^
said
(eclypsium.com) - ^
vendor-specific boot loaders
(kb.cert.org) - ^
Patch
Tuesday update (thehackernews.com) - ^
security
standard (docs.microsoft.com) - ^
establish persistence
(thehackernews.com) - ^
include
(docs.microsoft.com) - ^
BootHole
(thehackernews.com)
Read more https://thehackernews.com/2022/08/researchers-uncover-uefi-secure-boot.html