New UEFI Secure Boot bypass vulnerability discovered (CVE-2024-7344)
ESET researchers have identified a vulnerability (CVE-2024-7344) impacting most UEFI-based systems, which allows attackers to bypass UEFI Secure Boot.
The issue was found in a UEFI application signed with Microsoft’s “Microsoft Corporation UEFI CA 2011” third-party certificate. Exploiting this vulnerability enables the execution of untrusted code during system boot, allowing attackers to deploy malicious UEFI bootkits, such as Bootkitty or BlackLotus, even on systems with UEFI Secure Boot enabled, regardless of the operating system.
Impacted vendors
The affected UEFI application is part of several real-time system recovery software suites developed by Howyar Technologies, Greenware Technologies, Radix Technologies, SANFONG, Wasay Software Technology, Computer Education System, and Signal Computer.
List of vulnerable software products:
- Howyar SysReturn before version 10.2.023_20240919
- Greenware GreenGuard before version 10.2.023-20240927
- Radix SmartRecovery before version 11.2.023-20240927
- Sanfong EZ-back System before version 10.3.024-20241127
- WASAY eRecoveryRX before version 8.4.022-20241127
- CES NeoImpact before version 10.1.024-20241127
- SignalComputer HDD King before version 10.3.021-20241127
“The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window shows that even such an essential feature as UEFI Secure Boot should not be considered an impenetrable barrier,” says ESET researcher Martin Smolár, who discovered the vulnerability. “However, what concerns us the most with respect to the vulnerability is not the time it took to fix and revoke the binary, which was quite good compared to similar cases, but the fact that this isn’t the first time that such an obviously unsafe signed UEFI binary has been discovered. This raises questions of how common the use of such unsafe techniques is among third-party UEFI software vendors, and how many other similar obscure, but signed, bootloaders there might be out there.”
Exploitation
Exploitation of this vulnerability is not restricted to systems with the affected recovery software installed; attackers can introduce their own copy of the vulnerable binary on any UEFI system with the Microsoft third-party UEFI certificate enrolled. However, deploying the vulnerable and malicious files to the EFI system partition requires elevated privileges (local administrator on Windows or root on Linux).
The vulnerability is caused by the use of a custom PE loader instead of using the standard and secure UEFI functions LoadImage and StartImage. All UEFI systems with Microsoft third-party UEFI signing enabled are affected (Windows 11 Secured-core PCs should have this option disabled by default).
Mitigation
ESET reported the vulnerability to CERT/CC in June 2024, which contacted the impacted vendors. The issue has since been resolved in the affected products, and Microsoft revoked the old, vulnerable binaries in January 2025 Patch Tuesday.
The vulnerability can be mitigated by applying the latest UEFI revocations from Microsoft. Windows systems should be updated automatically. Microsoft’s information for the CVE-2024-7344 vulnerability can be found here. For Linux systems, updates should be available through the Linux Vendor Firmware Service.