Full Report
Around 200,000 Linux computer systems from American computer maker Framework were shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections. [...]
Analysis Summary
# Vulnerability: Secure Boot Bypass via Signed UEFI Shell Command on Framework Laptops
## CVE Details
- CVE ID: Not provided. This is a vendor-specific firmware issue disclosed by Eclypsium.
- CVSS Score: Not provided.
- CWE: CWE-235 (Improper Limitation of Pathname to a Component of a Pathname) or CWE-427 (Use of Hard-coded Pathname) might be conceptually related, but a direct CWE classification isn't given. The core issue is a weakness in signature verification logic enabled by a legitimate utility.
## Affected Systems
- Products: Framework Laptops and Framework Desktop systems shipped with Linux (running with UEFI Secure Boot enabled).
- Versions: Approximately 200,000 systems were shipped with susceptible firmware builds. Specific vulnerable versions are linked to the remediation versions below:
- Framework 13 (11th Gen Intel)
- Framework 13 (12th Gen Intel)
- Framework 13 (13th Gen Intel)
- Framework 13 (Intel Core Ultra)
- Framework 13 (AMD Ryzen 7040)
- Framework 13 (AMD Ryzen AI 300)
- Framework 16 (AMD Ryzen 7040)
- Framework Desktop (AMD Ryzen AI 300 MAX)
- Configurations: Systems utilizing UEFI Secure Boot where the vulnerable UEFI shell components are present.
## Vulnerability Description
The vulnerability arises from the presence of a legitimate, signed UEFI shell component that includes a powerful "memory modify" (`mm`) command. This command gives direct read/write access to system memory and is intended for low-level debugging. An attacker can use the `mm` command to target and overwrite the `gSecurity2` variable. Overwriting this variable with NULL effectively disables signature verification for all subsequent UEFI module loads. That breaks the Secure Boot trust chain and allows the loading of malicious bootkits (like BlackLotus or HybridPetya) that can persist across OS reinstalls and evade OS-level security controls.
## Exploitation
- Status: PoC available (implied by the detailed technical description and researcher disclosure). Exploitation involves using the legitimate signed tool to disable security checks.
- Complexity: Low to Medium. Utilizing a built-in, signed command simplifies the process of disabling the critical security handler.
- Attack Vector: Local (requires access to boot the system or execute the shell script during boot).
## Impact
- Confidentiality: High (If a persistent bootkit is loaded, it can compromise secrets before the OS loads).
- Integrity: High (Attacker gains full control over the boot process and can modify the OS loader/kernel).
- Availability: Medium to High (Persistent compromise can lead to system unavailability or ransomware).
## Remediation
### Patches
Fixes are applied via firmware updates (BIOS/UEFI). Specific versions achieving remediation:
- Framework 13 (11th Gen Intel): Fix expected in 3.24
- Framework 13 (12th Gen Intel): Fixed in 3.18 (DBX update planned in 3.19)
- Framework 13 (13th Gen Intel): Fixed in 3.08 (DBX update issued in 3.09)
- Framework 13 (Intel Core Ultra): Fixed in 3.06
- Framework 13 (AMD Ryzen 7040): Fixed in 3.16
- Framework 13 (AMD Ryzen AI 300): Fixed in 3.04 (DBX update planned in 3.05)
- Framework 16 (AMD Ryzen 7040): Fixed in 3.06 (Beta) (DBX update issued in 3.07)
- Framework Desktop (AMD Ryzen AI 300 MAX): Fixed in 3.01 (DBX update planned in 3.03)
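
One way to confirm that a DBX update from the list above has landed is to parse the UEFI `dbx` variable and look for the expected revocation entry. This is an added example, not code from Framework or Eclypsium; it assumes the revocation is a SHA-256 hash entry, and the owner GUID and digests are constructed placeholders because the page does not give the real values.

```python
import hashlib
import struct
import uuid

# SHA-256 signature type GUID from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # SignatureType GUID (16) + three little-endian UINT32 fields

def parse_signature_lists(blob, attr_prefix=True):
    """Yield (type_guid, owner_guid, data) for each entry of a db/dbx variable.
    Files under /sys/firmware/efi/efivars/ begin with a 4-byte attribute word,
    followed by back-to-back EFI_SIGNATURE_LIST structures.
    """
    pos = 4 if attr_prefix else 0
    while pos < len(blob):
        if len(blob) - pos < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if (list_size < HEADER_LEN + hdr_size or sig_size < 16
                or pos + list_size > len(blob)):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body = blob[pos + HEADER_LEN + hdr_size:pos + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for off in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[off:off + 16])
            yield sig_type, owner, body[off + 16:off + sig_size]
        pos += list_size

def dbx_revokes(blob, digest, attr_prefix=True):
    """True if `digest` is listed as a SHA-256 hash entry in the dbx blob."""
    return any(t == EFI_CERT_SHA256_GUID and d == digest
               for t, _, d in parse_signature_lists(blob, attr_prefix))

def build_list(sig_type, owner, entries):
    """Serialize one EFI_SIGNATURE_LIST (used here only to construct test data)."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return (sig_type.bytes_le
            + struct.pack("<III", HEADER_LEN + len(body), 0, 16 + len(entries[0]))
            + body)

# Constructed sample: the owner GUID and both digests are placeholders, not
# Framework data. Real dbx hash entries are Authenticode digests of the image.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SHELL_DIGEST = hashlib.sha256(b"placeholder: signed shell image").digest()
SAMPLE_DBX = b"\x27\x00\x00\x00" + build_list(
    EFI_CERT_SHA256_GUID, OWNER,
    [hashlib.sha256(b"unrelated revoked image").digest(), SHELL_DIGEST])
```

On a live Linux system the input would be the bytes of the `dbx-*` file under `/sys/firmware/efi/efivars/`, and the digest to look for would be the Authenticode hash of the shell binary, which a plain file hash does not reproduce.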
### Workarounds
1. **Physical Access Prevention:** Crucial where official security updates are not yet available, as the attack requires local execution to exploit the shell.
2. **Delete Framework's DB key:** Users can manually delete the vendor's DB key via the BIOS settings as a temporary mitigation.
## Detection
- Indicators of compromise: Unsigned or modified UEFI modules loading during boot, or an unexpected change to the `gSecurity2` variable (only observable via deep firmware analysis).
- Detection methods and tools: Monitoring for execution of the UEFI shell, specifically memory modification (`mm`) commands, during the boot sequence before the OS loads. Because the attack bypasses Secure Boot, runtime detection is difficult once the exploit succeeds.
## References
- Vendor Advisories: Eclypsium blog post regarding "Bombshell: The Signed Backdoor Hiding in Plain Sight on Framework Devices" (Searching for "Eclypsium Bombshell Framework" should locate the advisory).
- Relevant links: bleepingcomputer dot com/news/security/secure-boot-bypass-risk-on-nearly-200-000-linux-framework-sytems/