UEFI Secure Boot Vulnerability Exposes Systems to Bootkit Attacks
January 16, 2025
A severe security vulnerability affecting Unified Extensible Firmware Interface (UEFI) systems, which could have allowed attackers to bypass the Secure Boot mechanism, has been patched. The flaw, designated CVE-2024-7344 and rated with a CVSS score of 6.7, was found in a UEFI application signed with Microsoft's 'Microsoft Corporation UEFI CA 2011' third-party UEFI certificate, according to a report from cybersecurity firm ESET.
Successful exploitation of this vulnerability could have led to the execution of untrusted code during the booting of a system. This would have enabled threat actors to deploy malicious UEFI bootkits on machines that have Secure Boot enabled, irrespective of the operating system in use. Secure Boot is a firmware security standard designed to prevent malware from loading during a computer's startup. This standard checks that the device only boots using software trusted by the Original Equipment Manufacturer (OEM), using digital signatures to authenticate the code's source and integrity.
The UEFI application affected by the vulnerability is part of several real-time system recovery software suites developed by various technology companies. ESET researcher Martin Smolár stated, 'The vulnerability is caused by the use of a custom PE loader instead of using the standard and secure UEFI functions LoadImage and StartImage.' He added that the application allows the loading of any UEFI binary, even an unsigned one, from a specially crafted file named cloak.dat, during system start, regardless of the UEFI Secure Boot state.
An attacker could have weaponized CVE-2024-7344 to bypass UEFI Secure Boot protections and execute unsigned code during the boot process, even before the operating system loads. This could have provided them with covert, persistent access to the system. The CERT Coordination Center (CERT/CC) noted that code executed in this early boot phase could persist on the system, potentially loading malicious kernel extensions that survive both reboots and OS reinstallation. Furthermore, it could evade detection by OS-based and endpoint detection and response (EDR) security measures.
ESET disclosed the findings to the CERT/CC in June 2024, and the issue was addressed in the affected products by Howyar Technologies and their partners. On January 14, 2025, Microsoft revoked the old, vulnerable binaries as part of its Patch Tuesday update. To protect against exploitation of as-yet-unknown vulnerable signed UEFI bootloaders and the deployment of UEFI bootkits, measures such as applying UEFI revocations, managing access to files located on the EFI system partition, Secure Boot customization, and remote attestation with a Trusted Platform Module (TPM) are recommended.
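Two of the points above lend themselves to a concrete defensive check: the affected application used a custom PE loader that accepted unsigned images, and one recommended mitigation is controlling what sits on the EFI system partition (ESP). The following audit script is an added example written for this article; it is not ESET's tooling, not Howyar's code, and not Microsoft's. It walks an ESP directory tree, flags any file named cloak.dat (the file name the article gives), and, for each .efi file, parses the PE header to report whether the image carries an embedded Authenticode signature (a populated IMAGE_DIRECTORY_ENTRY_SECURITY entry). The directory layout, file names other than cloak.dat, and the minimal PE headers it builds for the demo are constructed sample data.

```python
"""Audit an EFI System Partition tree for unsigned .efi images and cloak.dat files.

Added example for this article (not code from ESET, Howyar or Microsoft).
The PE parsing only checks whether a Security data directory is present; it
does not validate the signature or its chain, so treat the output as triage.
"""
import os
import struct
import tempfile
from typing import Dict, List, Optional

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode data directory
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_has_authenticode(data: bytes) -> Optional[bool]:
    """True if the PE image has a non-empty Security directory, False if it is a
    PE image without one, None if the bytes are not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                      # 20-byte COFF file header
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # start of the optional header
    if opt + size_of_optional > len(data) or size_of_optional < 2:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes sits at offset 92 (PE32) or 108 (PE32+) of the optional header;
    # the data directory array follows it immediately.
    if magic == PE32_MAGIC:
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        return None
    if nrva_off + 4 > len(data):
        return None
    n_rva = struct.unpack_from("<I", data, nrva_off)[0]
    if n_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False                         # array too short to hold a Security entry
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > len(data):
        return None
    # For the Security directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    return offset != 0 and size != 0


def audit_esp(root: str) -> Dict[str, List[str]]:
    """Walk an ESP tree and group findings by category."""
    findings: Dict[str, List[str]] = {"cloak_dat": [], "signed_efi": [], "unsigned_efi": [], "not_pe": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "cloak.dat":          # file name named in the article
                findings["cloak_dat"].append(path)
            if name.lower().endswith(".efi"):
                with open(path, "rb") as fh:
                    status = pe_has_authenticode(fh.read())
                if status is None:
                    findings["not_pe"].append(path)
                elif status:
                    findings["signed_efi"].append(path)
                else:
                    findings["unsigned_efi"].append(path)
    return findings


def build_minimal_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed sample: a header-only PE (not a bootable image) with the
    Security directory either populated with placeholder values or zeroed."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    opt_size = 240 if pe32plus else 224                         # 16 data directories
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    nrva_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, nrva_off, 16)                   # NumberOfRvaAndSizes
    if signed:
        entry = nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", opt, entry, 0x200, 0x400)        # placeholder offset/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo() -> Dict[str, List[str]]:
    """Build a constructed ESP layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        boot = os.path.join(root, "EFI", "BOOT")
        os.makedirs(boot)
        with open(os.path.join(boot, "vendor_signed.efi"), "wb") as fh:
            fh.write(build_minimal_pe(signed=True))
        with open(os.path.join(boot, "stray_unsigned.efi"), "wb") as fh:
            fh.write(build_minimal_pe(signed=False, pe32plus=False))
        with open(os.path.join(boot, "cloak.dat"), "wb") as fh:
            fh.write(b"constructed placeholder contents")
        return audit_esp(root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {[os.path.basename(p) for p in paths]}")
```

On a real machine, point audit_esp at the mounted ESP (for example /boot/efi on many Linux installs) and review every hit: an unsigned .efi or a cloak.dat on the partition is a reason to investigate, while a "signed" result only means a signature blob is present, not that the signer is in the Secure Boot db or absent from the dbx revocation list that the January 2025 update extends.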