FlagThis - #Bootkit

do son@Cybersecurity News - 49d
A new UEFI Secure Boot bypass vulnerability, tracked as CVE-2024-7344, has been discovered, posing a significant threat to a wide range of UEFI-based systems. The flaw resides in a signed UEFI application, the Howyar Reloader bootloader, and allows attackers to execute unsigned code during the boot process. It stems from the bootloader's failure to use UEFI's standard BootServices LoadImage API; instead it uses a custom PE loader that does not verify the signatures of the software it loads. As a result, any UEFI binary, including a malicious one, can be loaded from a specifically named file, even on systems with Secure Boot enabled.

The exploitation of CVE-2024-7344 enables attackers to deploy malicious UEFI bootkits, granting them persistent access to compromised machines. Malicious code executed during this early phase can persist through system reboots and even OS reinstallations. Attackers can also load malicious kernel extensions, achieving long-term control and potentially evading endpoint detection and response tools and other security measures. This vulnerability affects various system recovery software suites from vendors including Howyar Technologies, Greenware Technologies, Radix Technologies, SANFONG, Wasay Software Technology, Computer Education System, and Signal Computer. To mitigate this risk, users are urged to install updated versions of the vulnerable bootloaders and update the UEFI Secure Boot Forbidden Signature Database (DBX).
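The mitigation above ends with pushing the affected binaries' hashes into the DBX. As an added example (not code from this page or from any of its sources), the Python below parses the dbx variable as Linux exposes it under efivarfs (a chain of EFI_SIGNATURE_LIST structures as laid out in the UEFI specification) and lists the SHA-256 Authenticode hashes it revokes, so an administrator can confirm that a DBX update actually landed. The sample blob and its hashes are constructed placeholders; the real hashes for CVE-2024-7344 are not given on this page.

```python
import struct
import uuid

# Well-known constants from the UEFI specification (not from this page).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d84-4b8d-b6d6-c5b6d5c7c7e7"
DBX_EFIVARFS_PATH = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}"


def parse_signature_lists(data: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures and yield
    (signature_type, owner, signature_data) for every entry."""
    off = 0
    while off + 28 <= len(data):                      # 28-byte list header
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:                  # EFI_SIGNATURE_DATA entries
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def dbx_sha256_hashes(var_data: bytes, efivarfs: bool = True) -> set:
    """SHA-256 Authenticode hashes revoked by a dbx blob. efivarfs prefixes
    the variable contents with a 4-byte attributes word, which is skipped."""
    payload = var_data[4:] if efivarfs else var_data
    return {sig.hex() for t, _, sig in parse_signature_lists(payload)
            if t == EFI_CERT_SHA256_GUID and len(sig) == 32}


def is_revoked(var_data: bytes, authenticode_sha256_hex: str) -> bool:
    return authenticode_sha256_hex.lower() in dbx_sha256_hashes(var_data)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (for the sample below)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return header + body


# Constructed sample: placeholder hashes, NOT the real CVE-2024-7344 entries.
SAMPLE_HASH_A, SAMPLE_HASH_B = bytes.fromhex("11" * 32), bytes.fromhex("22" * 32)
SAMPLE_DBX = struct.pack("<I", 0x27) + build_sha256_list([SAMPLE_HASH_A, SAMPLE_HASH_B])

if __name__ == "__main__":
    blob = SAMPLE_DBX                                 # or open(DBX_EFIVARFS_PATH, "rb").read()
    print(f"{len(dbx_sha256_hashes(blob))} SHA-256 entries revoked in dbx")
```

On a real host, replace the sample with the contents of `DBX_EFIVARFS_PATH` (root is normally required) and compare the listed hashes against the ones published with the fix.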

Classification:
  • HashTags: #UEFI #SecureBoot #Bootkit
  • Company: UEFI
  • Target: UEFI systems
  • Product: UEFI
  • Feature: Secure Boot bypass
  • Malware: Howyar Reloader
  • Type: Vulnerability
  • Severity: Major