A significant vulnerability in the Unified Extensible Firmware Interface (UEFI) Secure Boot mechanism, identified as CVE-2024-7344, has been discovered, potentially allowing attackers to deploy bootkits even when Secure Boot is enabled.
Key Points:
- Nature of the Vulnerability: The flaw resides in a Microsoft-signed UEFI application utilized by several third-party real-time system recovery tools. This application employs a custom Portable Executable (PE) loader instead of standard UEFI functions like LoadImage and StartImage. Consequently, it can load any UEFI binary, including those that are unsigned, from a specially crafted file named cloak.dat during system startup, irrespective of the Secure Boot state.
- Potential Impact: Exploiting this vulnerability enables attackers to bypass UEFI Secure Boot protections, allowing the execution of unsigned code during the boot process. This can lead to the deployment of persistent and stealthy bootkits that operate below the operating system level, making detection and removal challenging.
- Affected Systems: All UEFI-based systems with Microsoft's third-party UEFI certificate authority, specifically those with the "Microsoft Corporation UEFI CA 2011" certificate, are susceptible to this vulnerability. This includes a wide range of devices across various manufacturers.
- Mitigation Measures: Microsoft has initiated the revocation of the affected UEFI application binaries to prevent their exploitation. Additionally, several vendors have released patches to address this security flaw. Users and administrators are strongly advised to apply these updates promptly to safeguard their systems against potential attacks.
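The revocation mentioned above lands in the Secure Boot forbidden-signatures database (dbx), so a practitioner's first check is whether the hashes of the affected application actually appear there on a given machine. The following is an added example, not code from the advisory or from Microsoft: it parses the UEFI EFI_SIGNATURE_LIST structures that db and dbx are built from and reports whether given SHA-256 image hashes are revoked, and whether the db still carries a certificate named "Microsoft Corporation UEFI CA 2011". It assumes the efivarfs layout on Linux (`/sys/firmware/efi/efivars/<name>-<GUID>`, with a 4-byte attribute prefix); on Windows the same bytes can be exported with `(Get-SecureBootUEFI -Name dbx).Bytes` and passed to `check_revocation`. The hashes of the revoked binaries are not on this page, so the script takes them as arguments from the vendor advisory; the sample database contents and owner GUID are constructed for the self-test.

```python
"""Inspect UEFI Secure Boot db/dbx for revoked image hashes and trusted CAs.

Added example; assumes the EFI_SIGNATURE_LIST layout from the UEFI spec.
"""
import hashlib
import struct
import sys
import uuid
from pathlib import Path
from typing import Iterable, Iterator, NamedTuple

# Signature-type GUIDs and the variable vendor GUID defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SIG_LIST_HEADER = 28  # GUID(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


class Entry(NamedTuple):
    sig_type: uuid.UUID   # e.g. EFI_CERT_SHA256_GUID or EFI_CERT_X509_GUID
    owner: uuid.UUID      # SignatureOwner of the EFI_SIGNATURE_DATA record
    data: bytes           # raw hash or DER certificate


def parse_signature_lists(blob: bytes) -> Iterator[Entry]:
    """Walk a concatenation of EFI_SIGNATURE_LISTs and yield every signature entry."""
    off = 0
    while off + SIG_LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        # Refuse malformed lists instead of reading past the buffer.
        if list_size < SIG_LIST_HEADER or end > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + SIG_LIST_HEADER + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield Entry(sig_type, owner, blob[pos + 16:pos + sig_size])
            pos += sig_size
        off = end


def load_efivar(name: str, efivars: str = "/sys/firmware/efi/efivars") -> bytes:
    """Read db/dbx from efivarfs, dropping the 4-byte attribute prefix (Linux only)."""
    raw = Path(efivars, f"{name}-{EFI_IMAGE_SECURITY_DATABASE_GUID}").read_bytes()
    return raw[4:]


def check_revocation(dbx: bytes, hashes: Iterable[str]) -> dict:
    """Map each SHA-256 image hash (hex) to True if dbx revokes it, else False."""
    revoked = {e.data.hex() for e in parse_signature_lists(dbx)
               if e.sig_type == EFI_CERT_SHA256_GUID}
    return {h.lower(): h.lower() in revoked for h in hashes}


def db_has_cert_named(db: bytes, name: str) -> bool:
    """Crude check: the subject CN of a DER certificate appears as plain ASCII bytes."""
    return any(name.encode() in e.data for e in parse_signature_lists(db)
               if e.sig_type == EFI_CERT_X509_GUID)


def build_signature_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; all entries must have equal data length."""
    sig_size = 16 + len(entries[0][1])
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    return sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, sig_size) + body


# Constructed sample data (not real dbx content) used by the self-test below.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_REVOKED_HASH = hashlib.sha256(b"constructed: revoked recovery app").hexdigest()
SAMPLE_FILLER_HASH = hashlib.sha256(b"constructed: some other revoked image").hexdigest()
SAMPLE_UNKNOWN_HASH = hashlib.sha256(b"constructed: image not in dbx").hexdigest()


def sample_dbx() -> bytes:
    return build_signature_list(EFI_CERT_SHA256_GUID, [
        (SAMPLE_OWNER, bytes.fromhex(SAMPLE_REVOKED_HASH)),
        (SAMPLE_OWNER, bytes.fromhex(SAMPLE_FILLER_HASH)),
    ])


def sample_db() -> bytes:
    # Stand-in for a DER certificate: only the CN bytes matter for db_has_cert_named.
    fake_der = b"\x30\x82\x05\x00" + b"Microsoft Corporation UEFI CA 2011" + b"\x00" * 8
    return build_signature_list(EFI_CERT_X509_GUID, [(SAMPLE_OWNER, fake_der)])


if __name__ == "__main__":
    # Usage: python dbx_check.py <sha256-from-vendor-advisory> [...]
    dbx = load_efivar("dbx")
    for h, revoked in check_revocation(dbx, sys.argv[1:]).items():
        print(f"{h}: {'revoked' if revoked else 'NOT in dbx'}")
    print("third-party CA present:",
          db_has_cert_named(load_efivar("db"), "Microsoft Corporation UEFI CA 2011"))
```

A hash reported as "NOT in dbx" after the vendor update has been applied means the revocation has not reached the firmware variable yet, which is the condition the bootkit scenario above depends on; the certificate check only tells you whether the machine trusts the third-party CA at all, not whether every binary signed under it is safe.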
Reference: