New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits

Summary:
A recently patched vulnerability, CVE-2024-7344 (CVSS 6.7), highlights a critical flaw in the Secure Boot mechanism for UEFI systems, potentially allowing attackers to bypass protections and execute unsigned malicious code during the boot process. This flaw, found in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" certificate, affects system recovery software from vendors such as Howyar Technologies, Greenware, and Radix Technologies. Exploitation of this vulnerability enables attackers to load untrusted code early in the boot sequence using a specially crafted file named cloak.dat, bypassing the Secure Boot verification process. As a result, attackers can deploy persistent UEFI bootkits, evade OS-level security measures, and potentially compromise systems even after reboots or operating system reinstallations.

Security Officer Comments:
The vulnerability arises from the use of a custom PE loader instead of the secure UEFI functions, allowing the execution of unsigned binaries. To exploit this flaw, attackers require elevated privileges, such as local administrator access on Windows or root on Linux, to place malicious files in the EFI system partition. Furthermore, an attacker could use a vulnerable UEFI loader binary to compromise any system with Microsoft's third-party UEFI certificate enrolled. ESET disclosed the flaw to CERT/CC in June 2024, and affected vendors addressed it through product updates. Microsoft also revoked the compromised binaries on January 14, 2025, during its Patch Tuesday.

Suggested Corrections:
The vulnerability can be mitigated by applying the latest UEFI revocations from Microsoft. Windows systems should be updated automatically. Microsoft’s advisory for the CVE-2024-7344 vulnerability can be found here.

While UEFI revocations effectively protect your system against CVE-2024-7344, there are other more or less effective ways of protecting against (or at least detecting) exploitation of unknown vulnerable signed UEFI bootloaders and deployment of UEFI bootkits, including:

  • Managed access to files located on the EFI system partition. In most UEFI bootkit installation scenarios, an attacker needs to modify the contents of the EFI system partition in order to install a UEFI bootkit or to exploit a vulnerability in a signed UEFI bootloader on the targeted system. Most security products allow creation of custom user-defined file access rules that allow blocking access to specific files or directories on the system (e.g., here and here).
  • UEFI Secure Boot customization. As detailed in the NSA’s UEFI Secure Boot Customization report, Secure Boot customization can be used to effectively protect against UEFI bootkits or, at least, to reduce the attack surface or allow faster revocations of vulnerable UEFI applications to system owners if official revocation updates take a longer time. While effective, it often requires experienced administrators (improper Secure Boot configurations can make systems temporarily unbootable) and it can be difficult to manage at scale.
  • Remote attestation with TPM, where measurements of UEFI boot components and configuration can be validated against their known good values by a trusted remote server, and thus used to detect unauthorized boot modifications.
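The remote-attestation bullet above, worked through as an added example that is not part of this advisory or of ESET's or Microsoft's tooling: a minimal Python replay of a TPM measured-boot event log against known-good PCR values, showing that a swapped boot manager is caught in PCR 4 even though PCR 7 still reports Secure Boot as enabled. The event logs are constructed, and the example hashes the raw event data directly, whereas a real TCG log records an Authenticode image digest in PCR 4 and a UEFI_VARIABLE_DATA structure in PCR 7.

```python
import hashlib
from typing import Dict, List, Tuple

# One measured-boot log entry: (PCR index, event description, data the firmware hashed).
Event = Tuple[int, str, bytes]

PCR_INIT = bytes(32)  # TPM 2.0 SHA-256 PCRs 0-16 start as all zeros


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new value = SHA-256(old value || digest)."""
    return hashlib.sha256(current + digest).digest()


def replay(events: List[Event]) -> Dict[int, bytes]:
    """Recompute the final PCR values a TPM would hold after the logged measurements."""
    pcrs: Dict[int, bytes] = {}
    for idx, _desc, data in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), hashlib.sha256(data).digest())
    return pcrs


def verify(events: List[Event], golden: Dict[int, bytes]) -> Dict[int, bool]:
    """Attestation-server side: does each baseline PCR match the client's replayed log?"""
    actual = replay(events)
    return {idx: actual.get(idx) == expected for idx, expected in golden.items()}


def diverging_events(events: List[Event], baseline: List[Event]) -> List[str]:
    """Name the log entries whose measurement differs from the baseline (compared in order)."""
    diffs = [desc for (idx, desc, data), (b_idx, _b, b_data) in zip(events, baseline)
             if (idx, data) != (b_idx, b_data)]
    if len(events) != len(baseline):
        diffs.append(f"event count differs: {len(events)} vs {len(baseline)}")
    return diffs


# Constructed baseline log: Secure Boot enabled (PCR 7), genuine boot manager measured into PCR 4.
GOLDEN_LOG: List[Event] = [
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG SecureBoot", b"\x01"),
    (7, "EV_SEPARATOR", bytes(4)),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION \\EFI\\Microsoft\\Boot\\bootmgfw.efi",
     b"constructed: bytes of the genuine, known-good boot manager"),
]
GOLDEN_PCRS = replay(GOLDEN_LOG)

# Constructed tampered boot: Secure Boot still reports enabled, but the boot manager on the
# ESP was replaced by a signed-but-vulnerable loader, so only the PCR 4 measurement changes.
TAMPERED_LOG: List[Event] = GOLDEN_LOG[:2] + [
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION \\EFI\\Microsoft\\Boot\\bootmgfw.efi",
     b"constructed: bytes of a signed but vulnerable third-party loader"),
]
```

Running `verify(TAMPERED_LOG, GOLDEN_PCRS)` reports PCR 7 intact and PCR 4 mismatched, and `diverging_events` names the boot manager entry as the changed measurement.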

Link(s):

https://thehackernews.com/2025/01/new-uefi-secure-boot-vulnerability.html

https://www.welivesecurity.com/en/e...k-uefi-secure-boot-introducing-cve-2024-7344/