Breaking: Major UEFI Secure Boot Vulnerability Exposed – Could it Unlock a New Wave of Cyber Attacks?

In a shocking revelation, cybersecurity experts have uncovered a vulnerability that places users of Unified Extensible Firmware Interface (UEFI) systems at significant risk. This flaw, identified as CVE-2024-7344 with a CVSS score of 6.7, can potentially bypass the Secure Boot mechanism designed to protect devices from malicious software during startup.

A recent report from ESET, shared with The Hacker News, confirmed that the issue resides within a UEFI application signed by the "Microsoft Corporation UEFI CA 2011." The exploitation of this vulnerability could allow attackers to execute untrusted code directly during the boot process, enabling the deployment of dangerous UEFI bootkits, even when Secure Boot is enabled, regardless of the operating system in use.

What is Secure Boot?

Secure Boot acts as a gatekeeper for a computer's startup process, ensuring that the system only boots using trusted software provided by the Original Equipment Manufacturer (OEM). By relying on digital signatures, Secure Boot verifies the authenticity, source, and integrity of the loaded code. However, this vulnerability raises serious questions about the robustness of this security feature.

The affected UEFI application is embedded in various recovery software solutions from companies including Howyar Technologies, Greenware Technologies, Radix Technologies, Sanfong, Wasay Software, Computer Education System, and Signal Computer. Specific versions of their products are now flagged as vulnerable, including versions of Howyar SysReturn, GreenGuard, SmartRecovery, and others.

Exploitation Potential: A Cybersecurity Nightmare

ESET researcher Martin Smolár explained that this vulnerability arises from the application using a non-standard PE loader, which permits the loading of any UEFI binary—including unsigned ones—during boot by utilizing a crafted file named cloak.dat. This capability means attackers could gain persistent access to vulnerable systems, executing malicious code even before the operating system loads.

According to CERT/CC, once unauthorized code is executed in the early boot phase, it can persist across reboots and OS reinstalls. It raises alarms over whether the malicious kernel extensions surviving these processes could evade typical security measures based on the operating system.

Cybercriminals could also increase the scope of the attack by introducing their own variant of the vulnerable "reloader.efi" binary onto UEFI systems containing the respective Microsoft third-party UEFI certificate. However, they would require elevated privileges to deploy these malicious files on the EFI system partition, which means local administrator access on Windows or root access on Linux systems.

Action Taken – Is It Enough?

Following responsible disclosure in June 2024, the concerning findings were addressed by Howyar Technologies and its partners, with Microsoft officially revoking the vulnerable binaries during its Patch Tuesday update on January 14, 2025. Nevertheless, experts warn that beyond revocation, users must manage access to the EFI system partition and consider effective Secure Boot customization to safeguard against the deployment of malicious UEFI bootkits.

Smolár voiced a critical concern: "The emergence of numerous UEFI vulnerabilities in recent years and the inconsistent responses to patching or revoking risky binaries illustrate a troubling trend. Despite the security assurances of UEFI Secure Boot, it's clear that it should not be regarded as an unbreachable fortress."

What Lies Ahead?

As the digital landscape evolves, the presence of such dangerous vulnerabilities raises important questions about the security practices among third-party UEFI software vendors. With many users currently unaware of such risks, it’s essential for individuals and organizations alike to enhance their awareness and step up their cybersecurity measures. Will this revelation spark the necessary changes to enhance UEFI security protocols, or are we on the brink of a far more significant cyber threat? Stay informed and secure your devices—this is just the beginning of the conversation.