Endpoint/Device Security

Old Microsoft-signed UEFI applications can bypass Secure Boot

Header graphic features a laptop with a red warning triangle and alert icons, dark background with streaming green code. It suggests concepts of cybersecurity threats, hacking, and system errors.

Eleven outdated Microsoft-signed Unified Extensible Firmware Interface (UEFI) applications have been discovered that can be exploited to bypass Secure Boot on most systems, according to a recent report by The Hacker News.

These vulnerable UEFI applications, primarily older versions of the shim bootloader, can allow attackers to execute untrusted code during system startup, according to ESET researcher Martin Smolár. This enables the deployment of malicious UEFI bootkits or other malware, even when Secure Boot protections are active. The vulnerability stems from the fact that these older shims are signed with a Microsoft certificate authority (CA) that, while expired, has not been explicitly revoked for these specific applications. This allows attackers to leverage the "bring your own vulnerable driver" (BYOVD) technique to bypass security mechanisms and gain arbitrary code execution before the operating system loads.

The issue affects various Linux distributions and software from vendors like Red Hat, Oracle, and OpenSuse. The CERT Coordination Center noted that vendor-specific bootloaders were not updated to address known vulnerabilities, leaving a supply chain exposure. The bypass can evade detection by operating system security controls and endpoint detection and response (EDR) solutions, potentially allowing for persistent access that survives reboots and reinstallation.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds