Full Report
ESET researchers uncover a vulnerability in a UEFI application that could enable attackers to deploy malicious bootkits on unpatched systems
Analysis Summary
# Vulnerability: UEFI Secure Boot Circumvention via Flaw in System Recovery Applications
## CVE Details
- CVE ID: **CVE-2024-7344**
- CVSS Score: **[Score not provided in the excerpt]** ([Severity not provided in the excerpt])
- CWE: [Weakness type not provided in the excerpt]
## Affected Systems
- Products: Most UEFI-based systems utilizing affected system recovery programs.
- Versions: Not specified, but affects systems running vulnerable firmware/recovery applications.
- Configurations: Systems where UEFI Secure Boot is enabled are specifically targeted, yet vulnerable to circumvention.
## Vulnerability Description
The vulnerability resides within a UEFI application component used across seven different system recovery programs. If exploited, this flaw allows an attacker to bypass the security checks enforced by UEFI Secure Boot. Successful exploitation enables the deployment of malicious UEFI bootkits (such as Bootkitty or BlackLotus) which execute untrusted code early in the system startup process, regardless of the operating system installed.
## Exploitation
- Status: Potential for exploitation exists, as the vulnerability affects the core boot process. (The article suggests the potential to deploy known bootkits.)
- Complexity: Likely **Medium or High**, as it requires interaction with the UEFI environment, although the severity suggests a deep impact if successful.
- Attack Vector: **Local/Adjacent** (Requires access to trigger the recovery environment or inject malicious code into the firmware update path, implied by the nature of bootkit deployment).
## Impact
- Confidentiality: High (Untrusted code running before the OS can compromise keys, credentials, and data).
- Integrity: High (Malicious code can alter OS files and system binaries).
- Availability: High (System compromise can lead to OS unavailability or persistent malware presence).
## Remediation
### Patches
- Patches are expected to be released by vendors of the affected UEFI firmware/system recovery programs. *Specific patch versions are not detailed in this excerpt.*
### Workarounds
- Monitoring and updating firmware is the critical next step once vendor advisories are released.
- No specific temporary workarounds were detailed in the provided text beyond the necessary mitigation being a patch.
## Detection
- Detection methods focus on the successful installation of known UEFI bootkits post-exploitation.
- Indicators of compromise include unauthorized changes to the EFI System Partition (ESP) or the Master Boot Record (MBR)/GUID Partition Table (GPT) hooks, and the presence of known bootkits like Bootkitty or BlackLotus.
- Detection tools should look for anomalies during the EFI or pre-boot environment initialization phase.
## References
- Vendor advisories for specific motherboard/OEM firmware updates.
- Full technical details are available in the ESET Research blogpost: [defanged link to ESET Research article on Bootkitty]
- ESET Research blogpost detailing BlackLotus: [defanged link to ESET Research article on BlackLotus]