New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits
UEFI Secure Boot Vulnerability CVE-2024-7344: Detailed Analysis
A recent discovery by ESET researchers has unveiled a significant vulnerability in UEFI-based systems, identified as CVE-2024-7344. This vulnerability allows attackers to bypass the UEFI Secure Boot mechanism, enabling the execution of untrusted code during system boot.
Affected Systems and Software
The vulnerability affects a wide range of UEFI-based systems, particularly those with Microsoft’s third-party UEFI signing enabled. The impacted UEFI application is part of several real-time system recovery software suites developed by various vendors, including:
- Howyar Technologies Inc. (SysReturn before version 10.2.023_20240919)
- Greenware Technologies (GreenGuard before version 10.2.023-20240927)
- Radix Technologies Ltd. (SmartRecovery before version 11.2.023-20240927)
- SANFONG Inc. (EZ-back System before version 10.3.024-20241127)
- Wasay Software Technology Inc. (eRecoveryRX before version 8.4.022-20241127)
- Computer Education System Inc. (NeoImpact before version 10.1.024-20241127)
- Signal Computer GmbH (HDD King before version 10.3.021-20241127)
Vulnerability Details
The vulnerability is caused by the use of a custom PE loader instead of the standard UEFI functions LoadImage and StartImage, which enforce Secure Boot's signature checks. This custom loader allows the loading of any UEFI binary, even an unsigned one, from a specially crafted file named cloak.dat during system start, regardless of the UEFI Secure Boot state. The vulnerable bootloader, reloader.efi, does not perform any Secure Boot-related integrity checks after decrypting the PE image from the cloak.dat file, thus enabling the execution of untrusted code.
Exploitation and Impact
Exploiting CVE-2024-7344 allows attackers to deploy malicious UEFI bootkits, such as Bootkitty or BlackLotus, even on systems with UEFI Secure Boot enabled. This can be done on any UEFI system with the Microsoft third-party UEFI certificate enrolled, not just those with the affected recovery software installed. However, elevated privileges (local administrator on Windows or root on Linux) are required to deploy the vulnerable and malicious files to the EFI system partition.
The exploitation process involves:
- Replacing the default OS bootloader binary on the EFI system partition (ESP) with the vulnerable reloader.efi.
- Copying a specially crafted cloak.dat file containing a malicious UEFI application to one of the supported paths on the ESP.
- Rebooting the system.
Mitigation and Patch
ESET researchers reported the vulnerability to the CERT Coordination Center (CERT/CC) in June 2024, which facilitated communication with the affected vendors. The issue has been resolved in the affected products, and Microsoft revoked the old, vulnerable binaries in the January 14, 2025, Patch Tuesday update.
To mitigate this vulnerability, users should apply the latest UEFI revocations from Microsoft. Windows systems should be updated automatically, while Linux systems should receive updates through the Linux Vendor Firmware Service.
Broader Security Implications
This vulnerability highlights a broader issue with UEFI security practices. ESET researchers note that the number of UEFI vulnerabilities discovered in recent years and the delays in patching or revoking vulnerable binaries suggest that UEFI Secure Boot should not be considered an impenetrable barrier. The repeated discovery of obviously unsafe signed UEFI binaries raises concerns about the prevalence of such insecure practices among third-party UEFI software vendors.
Protection and Detection
To protect against similar vulnerabilities, it is recommended to:
- Apply the latest UEFI revocations from Microsoft.
- Manage access to files located on the EFI system partition.
- Customize Secure Boot settings.
- Use remote attestation with a Trusted Platform Module (TPM).
ESET also calls for greater transparency from Microsoft regarding the signing of third-party UEFI applications to facilitate quicker discovery and reporting of unsafe UEFI applications.
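Managing and auditing the ESP can be partly automated. The following added example (not ESET's or Microsoft's code) walks a mounted ESP and flags the two file names this analysis associates with the attack, plus any EFI binary whose SHA-256 is missing from an assumed known-good inventory, since a swapped-in loader keeps the default bootloader name; the mount path and the inventory are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names the ESET analysis ties to CVE-2024-7344 (taken from the page).
SUSPECT_NAMES = {"reloader.efi", "cloak.dat"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_esp(esp_root: str, known_good: set[str]) -> list[dict]:
    """Walk a mounted ESP and report files worth investigating.

    known_good is an assumed inventory of SHA-256 hashes of the EFI binaries
    expected on this machine (collected from a trusted baseline). A replaced
    bootloader keeps its default name, so the hash check is what catches it.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(esp_root):
        for name in files:
            p = Path(dirpath, name)
            digest = sha256_of(p)
            reasons = []
            if name.lower() in SUSPECT_NAMES:
                reasons.append("name matches CVE-2024-7344 component")
            if name.lower().endswith(".efi") and digest not in known_good:
                reasons.append("EFI binary not in known-good inventory")
            if reasons:
                findings.append({"path": p.relative_to(esp_root).as_posix(),
                                 "sha256": digest, "reasons": reasons})
    return findings


def build_sample_esp() -> tuple[str, set[str]]:
    """Construct a fake ESP layout (placeholder bytes, not real binaries)."""
    root = tempfile.mkdtemp(prefix="esp-")
    ms_boot = Path(root, "EFI", "Microsoft", "Boot")
    fallback = Path(root, "EFI", "Boot")
    ms_boot.mkdir(parents=True)
    fallback.mkdir(parents=True)
    (fallback / "bootx64.efi").write_bytes(b"MZ placeholder: expected bootloader")
    # Default bootloader name, but the content is the swapped-in loader.
    (ms_boot / "bootmgfw.efi").write_bytes(b"MZ placeholder: vulnerable reloader")
    (ms_boot / "cloak.dat").write_bytes(b"placeholder: crafted payload container")
    return root, {sha256_of(fallback / "bootx64.efi")}


if __name__ == "__main__":
    root, inventory = build_sample_esp()
    for f in scan_esp(root, inventory):
        print(f["path"], f["sha256"][:16], "; ".join(f["reasons"]))
```

On a real host, point scan_esp at the mounted ESP (for example the drive letter assigned by mountvol on Windows, or /boot/efi on most Linux distributions) and at hashes gathered from a clean baseline image.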
Conclusion
The CVE-2024-7344 vulnerability underscores the importance of vigilant monitoring and robust security measures in the UEFI ecosystem. While the immediate issue has been addressed through patches and revocations, the broader implications suggest a need for enhanced security practices and transparency in the signing and deployment of UEFI applications.
For more detailed information, refer to the ESET blog post and Microsoft’s advisory on the vulnerability: