ESET Researchers uncover critical UEFI Secure Boot Bypass Vulnerability
January 17, 2025 – In a groundbreaking revelation, ESET researchers have identified a severe vulnerability in the UEFI Secure Boot mechanism, allowing attackers to bypass this critical security feature. The flaw, tracked as CVE-2024-7344, was found in a UEFI application signed by Microsoft's third-party certificate, "Microsoft Corporation UEFI CA 2011." This vulnerability enables the execution of untrusted code during system startup, paving the way for malicious UEFI bootkits like Bootkitty or BlackLotus to infiltrate systems, regardless of the operating system installed.
The issue was first reported to the Computer Emergency Response Team (CERT) Coordination Center in June 2024, prompting Microsoft to address it in its Patch Tuesday update on January 14, 2025. The vulnerable binaries, part of real-time system recovery software developed by companies such as Howyar Technologies Inc., Greenware Technologies, and Radix Technologies Ltd., were subsequently removed.
Martin Smolár, the ESET researcher behind the discovery, emphasized the gravity of the situation: “The UEFI vulnerabilities discovered in recent years and the failures to patch or remove vulnerable binaries within a reasonable time frame show that such an essential feature as UEFI Secure Boot should not be considered an insurmountable barrier.” He added, “What worries us most is not how long it took to patch and revoke the binary—pretty good compared to similar cases—but the fact that this is not the first time such a perilous UEFI binary has been discovered. This raises questions about how common these dangerous techniques are among third-party UEFI software vendors.”
How the Vulnerability Works
The exploit stems from the use of a custom PE loader instead of the standard and secure UEFI LoadImage and StartImage functions, which are where the firmware enforces Secure Boot's signature checks on images it loads; a custom loader sidesteps those checks. Attackers can deploy their own copy of the vulnerable binary on any UEFI system with the third-party Microsoft UEFI certificate enrolled, provided they have elevated privileges (local administrator on Windows or root on Linux). This means the threat is not limited to systems using the affected recovery software.
Mitigation and Updates
To mitigate the risk, users are urged to apply the latest updates to Microsoft’s UEFI revocation lists. Windows systems should update automatically, while Linux users can access patches through the Linux Vendor Firmware Service. Microsoft has also issued an advisory detailing the steps to address CVE-2024-7344.
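A defender-side check that the mitigation above actually landed, added here as an example that is not ESET's or Microsoft's code: it parses the chain of EFI_SIGNATURE_LIST structures stored in the firmware's dbx variable and tests whether a given SHA-256 revocation hash is present. The efivarfs path and its 4-byte attribute prefix are Linux conventions; the hashes in the sample are constructed placeholders, since the page does not list the revoked binary's hash.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID: each entry is a 16-byte owner GUID followed by a SHA-256 hash.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Linux efivarfs location of the Secure Boot forbidden-signature database (dbx).
EFIVARFS_DBX = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(data: bytes):
    """Walk consecutive EFI_SIGNATURE_LIST structures; yield (type_guid, owner_guid, sig_data)."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(data: bytes) -> set:
    """Hex digests of every SHA-256 entry in the variable (the form used for revoked PE images)."""
    return {sig.hex() for t, _, sig in parse_signature_lists(data) if t == EFI_CERT_SHA256_GUID}


def dbx_contains(data: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256_hashes(data)


def read_efivar(path: str = EFIVARFS_DBX) -> bytes:
    """efivarfs prefixes variable contents with a 4-byte attributes field; strip it."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used only for the constructed sample)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    hdr = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return hdr + body


# Constructed sample DBX with two placeholder hashes; not real revocation data.
SAMPLE_REVOKED = "11" * 32
SAMPLE_OTHER = "22" * 32
SAMPLE_DBX = build_sha256_list([SAMPLE_REVOKED]) + build_sha256_list([SAMPLE_OTHER])

if __name__ == "__main__":
    print(dbx_contains(SAMPLE_DBX, SAMPLE_REVOKED))  # True
```

On a live Linux system replace SAMPLE_DBX with read_efivar(); on Windows the same raw bytes, without the 4-byte prefix, come from `(Get-SecureBootUEFI -Name dbx).Bytes`.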
Key Takeaways
| Aspect | Details |
|---|---|
| Vulnerability | CVE-2024-7344 |
| Affected Systems | UEFI-based systems with Microsoft third-party UEFI signing enabled |
| Impact | Bypass of UEFI Secure Boot, execution of untrusted code at startup |
| Mitigation | Apply updates to Microsoft's UEFI revocation lists |
| Discovery | ESET researchers |
| Patch release | January 14, 2025 (Patch Tuesday) |
For a deeper dive into the technical aspects of this vulnerability, visit ESET Research's latest blog, "Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344" on WeLiveSecurity.com. This discovery underscores the importance of vigilance in cybersecurity. As ESET continues to lead the charge in identifying and mitigating emerging threats, users and businesses must stay proactive in applying updates and securing their systems. For more information on ESET's cutting-edge security solutions, visit www.eset.com. Stay informed, stay secure.