A recently patched vulnerability in the Secure Boot mechanism of Unified Extensible Firmware Interface (UEFI) systems has come to light. The issue, tracked as CVE-2024-7344 with a CVSS score of 6.7, involves an application signed with Microsoft's third-party UEFI certificate from 2011, as reported by ESET.

Vulnerability Overview

The flaw enables attackers to execute unauthorized code during system startup, allowing the deployment of malicious UEFI bootkits on machines with Secure Boot enabled, regardless of the operating system in use. Secure Boot is a critical security measure that ensures only manufacturer-approved software is loaded during boot by using digital signatures to verify code integrity.

Affected Software

The vulnerability impacts several real-time system recovery software suites, including:

Howyar SysReturn before version 10.2.023_20240919

Greenware GreenGuard before version 10.2.023-20240927

Radix SmartRecovery before version 11.2.023-20240927

Sanfong EZ-back System before version 10.3.024-20241127

WASAY eRecoveryRX before version 8.4.022-20241127

CES NeoImpact before version 10.1.024-20241127

SignalComputer HDD King before version 10.3.021-20241127

Technical Details

ESET researcher Martin Smolár identified that the vulnerability stems from a custom PE loader that does not go through the standard UEFI boot services LoadImage and StartImage, which are where Secure Boot signature verification is enforced. As a result, the signed application loads an unsigned UEFI binary from a specially crafted file named cloak.dat, bypassing UEFI Secure Boot protections.

Exploitation Risks

Exploiting CVE-2024-7344 allows attackers to execute unauthorized code early in the boot process, granting persistent and potentially undetectable access to the system even before the operating system starts. Such code can load malicious kernel extensions that survive reboots and OS reinstallations, potentially evading OS-based security defenses. Attackers could also bring the "reloader.efi" binary to any UEFI system that trusts the Microsoft third-party certificate, although deploying these files onto the EFI system partition requires elevated privileges, such as local administrator rights on Windows or root privileges on Linux.

Response and Mitigation

The vulnerability, first reported to the CERT Coordination Center (CERT/CC) by ESET in June 2024, was addressed by the affected vendors with patches. On January 14, 2025, Microsoft revoked the affected binaries as part of its Patch Tuesday security update. Beyond applying the UEFI revocations, defenses can be strengthened by restricting access to the EFI system partition, customizing Secure Boot settings, and using TPM-based remote attestation to detect unexpected boot components.
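As an added example (not from ESET or the vendors named above), the following script supports the EFI-system-partition review mentioned here: it walks a mounted ESP, flags files carrying the two names the technical details section cites (reloader.efi and cloak.dat), and returns their size and SHA-256 so a responder can compare them against hashes published by the vendor or ESET. The sample ESP layout it builds is constructed for offline testing; the mount point /boot/efi is an assumed Linux default.

```python
import hashlib
import os
import tempfile

# File names taken from the advisory text: the signed loader and the
# container it reads unsigned code from. A name match is a lead to verify
# against published hashes, not proof of a malicious or vulnerable build.
INDICATOR_NAMES = {"reloader.efi", "cloak.dat"}


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file (ESP binaries are small, so read whole)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan_esp(esp_root: str) -> list[dict]:
    """Walk a mounted EFI system partition and report indicator file names."""
    findings = []
    for dirpath, _dirs, files in os.walk(esp_root):
        for name in files:
            if name.lower() in INDICATOR_NAMES:
                full = os.path.join(dirpath, name)
                findings.append({
                    "path": os.path.relpath(full, esp_root),
                    "name": name.lower(),
                    "size": os.path.getsize(full),
                    "sha256": sha256_of(full),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_esp() -> str:
    """Constructed ESP layout for offline testing; contents are placeholders."""
    root = tempfile.mkdtemp(prefix="esp-")
    layout = {
        "EFI/Boot/bootx64.efi": b"MZ-constructed-placeholder",
        "EFI/Recovery/reloader.efi": b"MZ-constructed-placeholder",
        "EFI/Recovery/cloak.dat": b"constructed-opaque-payload",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    # On a real Linux host use the mounted ESP, e.g. scan_esp("/boot/efi").
    for hit in scan_esp(build_sample_esp()):
        print(f"{hit['path']}: {hit['size']} bytes sha256={hit['sha256']}")
```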

The frequency of UEFI vulnerabilities and the challenges in timely patching underscore that even Secure Boot is not foolproof. Smolár expressed concern over the discovery of such unsafe signed UEFI binaries, questioning how widespread such vulnerabilities might be among third-party UEFI software vendors. This situation calls for continuous improvement within the UEFI ecosystem.
