Bootloaders present in a majority of computers made in the past 10 years are affected by Secure Boot bypass vulnerabilities, according to firmware security company Eclypsium.
Secure Boot is a mechanism designed to protect a device’s boot process from attacks, and bypassing it can allow an attacker to execute arbitrary code before the operating system loads. This can be useful for installing stealthy and persistent malware.
Eclypsium has identified Secure Boot bypass vulnerabilities in the Eurosoft (CVE-2022-34301), New Horizon Datasys (CVE-2022-34302), and CryptoPro Secure Disk for BitLocker (CVE-2022-34303) bootloaders. The company said these bootloaders are present in nearly all devices made in the past decade, including ARM and x86-64 devices.
The Eurosoft and CryptoPro Secure Disk bootloader bugs involve signed UEFI shells, with attackers being able to bypass Secure Boot by abusing built-in capabilities. For these security holes, exploitation can easily be automated using startup scripts, Eclypsium said.
The company noted, however, that these shells have a visual component that could be seen by a user on a monitor — although that might not be a problem on servers and industrial systems, which often run without a monitor.
Exploitation of the New Horizon Datasys vulnerability is easy and stealthy, which makes it a more likely candidate for exploitation in the wild.
“This bootloader contains a built-in bypass for Secure Boot that leaves Secure Boot on but disables the Secure Boot checks. This bypass can further enable even more complex evasions such as disabling security handlers. In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code,” Eclypsium explained.
In order to exploit any of these vulnerabilities, an attacker needs to have admin or root privileges on the targeted Windows or Linux system. However, the company noted that there are many ways to obtain these permissions on a device.
The vulnerable bootloaders are signed by Microsoft. According to an advisory released by the CERT/CC at Carnegie Mellon University, the tech giant has worked with vendors to address the vulnerabilities and it has blocked the certificates associated with the impacted bootloaders.
The CERT/CC advisory lists many UEFI makers that could be affected by the vulnerabilities, but their current status is ‘unknown’. Red Hat and Phoenix Technologies claim they are not impacted.
Addressing these types of vulnerabilities is often not an easy task. In addition to installing patched bootloaders provided by the vendors, users will need to update their DBX database, which contains a list of signatures associated with prohibited code.
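A defender-side check of that DBX update, added here as example code that is not from the article, Eclypsium or CERT/CC: it parses the EFI_SIGNATURE_LIST format in which the UEFI dbx variable is stored and reports how many hash and certificate revocations are present, so an administrator can confirm the database actually grew after patching. The efivarfs path is an assumption and the sample dbx contents are constructed placeholders.

```python
import struct
import uuid
# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed Linux efivarfs path; read it with open(path, "rb").read()[4:] because
# efivarfs prepends a 4-byte attribute word to the variable data.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(blob: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LIST structures, returning (SignatureType, payload) pairs."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # GUID is stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the hash or certificate
            entries.append((sig_type, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def summarize(blob: bytes) -> dict:
    """Count entries by type so an administrator can confirm revocations were applied."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    counts = {}
    for sig_type, _ in parse_signature_lists(blob):
        key = names.get(sig_type, str(sig_type))
        counts[key] = counts.get(key, 0) + 1
    return counts

def dbx_contains_sha256(blob: bytes, digest_hex: str) -> bool:
    """True if the given Authenticode SHA-256 digest is listed as forbidden in this dbx."""
    wanted = bytes.fromhex(digest_hex)
    return any(t == EFI_CERT_SHA256_GUID and d == wanted for t, d in parse_signature_lists(blob))

def build_list(sig_type: uuid.UUID, payloads: list) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (all payloads must share a length); used for the sample."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(uuid.UUID(int=0).bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample: two placeholder revoked hashes plus one placeholder certificate,
# not real dbx contents.
SAMPLE_DBX = (build_list(EFI_CERT_SHA256_GUID, [bytes([0x11]) * 32, bytes([0x22]) * 32])
              + build_list(EFI_CERT_X509_GUID, [b"constructed-cert-placeholder"]))
```

On a real system, compare `summarize()` output before and after applying the vendor update; the revoked bootloader hashes the advisory references must appear in the sha256 count once the DBX update has taken effect.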
In 2020, Eclypsium disclosed the existence of a vulnerability named BootHole, which affected all operating systems that used the GRUB2 bootloader with Secure Boot. Some vendors rushed to release patches in response to BootHole, but they caused many systems to become unbootable.