Researchers from both teams this week disclosed vulnerabilities in Unified Extensible Firmware Interface (UEFI) implementations and bootloaders that could allow attackers to defeat Secure Boot defenses on modern PCs and deploy highly persistent rootkits.
Researchers at firmware and hardware security company Eclipseium have published a report on vulnerabilities discovered in three third-party bootloaders digitally signed by Microsoft’s Root of Trust. It can be deployed on PCs to replace OS bootloaders to support pre-boot functions for specialized enterprise software such as PC hardware diagnostics, disk rollback or full disk encryption.
Earlier this week, in a presentation at the Black Hat USA Security Conference, researchers at firmware security company Binarly disclosed 12 vulnerabilities that could lead to pre-boot remote code execution in UEFI implementations of Intel, HP, and independent firmware vendor AMIs. The flaw has been demonstrated on recently released Intel CPUs, defeating the latest firmware defense technologies such as Intel BIOS Guard.
How the Vulnerability Bypasses Secure Boot
Secure Boot is a UEFI technology found in most modern PCs for cryptographically verifying the integrity of the code loaded by the CPU in the early stages of PC booting until the operating system is initialized. Most UEFI implementations come preloaded with certificates called Microsoft third-party UEFI Certificate Authorities (CAs) that establish a root of trust for the entire platform.
All subsequent components started by the firmware, including code known as the bootloader that initializes the OS kernel, must be signed with this root certificate or an intermediate certificate signed by this root certificate. Microsoft provides a service that allows third-party OS developers, such as Linux distributions, as well as specialized pre-boot software to sign bootloaders to work and deploy on systems with Secure Boot enabled in UEFI.
In July 2020, researchers at Eclysium discovered a serious vulnerability in the GRUB2 bootloader used by most Linux distributions. Tracked as CVE-2020-10713 and named BootHole, the flaw could allow an attacker to run malicious code inside the bootloader, giving them complete control over the OS before other security features were launched. Because GRUB2 can also initialize Windows, an attacker could also replace the Windows bootloader on a compromised system with a vulnerable version of GRUB2 and still pass Secure Boot validation. This meant that all vulnerable signed GRUB2 binaries had to be blacklisted to fully mitigate the attack. As a result, this is not easy.
At the DEF CON 30 conference on Friday, the Eclypsium team announced three similar vulnerabilities. One flaw, tracked as CVE-2022-34301, is in a signed bootloader developed by Eurosoft (UK) Ltd that sells a hardware diagnostic solution called Pc-Check UEFI that can run tests before the OS starts. The second flaw, CVE-2022-34302, affects a bootloader developed by a company called New Horizon Datasys, Inc., which develops data restore, disk snapshot, and rollback solutions. The third CVE-2022-34303 resides in a bootloader developed by a company called CryptWare IT Security GmbH and is associated with Microsoft’s software solution called CryptoPro Secure Disk for BitLocker, which provides a pre-boot authentication option for BitLocker disk encryption, such as: . Smart card with PIN and username with password.
Eurosoft and CryptoPro bootloaders provide a graphical user interface to the UEFI shell. By exploiting an identified vulnerability that could be automated by a startup script, an attacker could use the shell’s built-in features such as memory mapping, memory reads and writes, and handle listing to evade Secure Boot and execute malicious code. Malicious interactions with the shell can be seen on PCs, but are usually not visually detectable on servers or industrial computers that don’t have monitors attached.
Vulnerabilities in the New Horizon Datasys bootloader provide no visual indication to the system owner and are even more stealthy because the bootloader includes a built-in bypass that enables secure boot but disables checking.
“In this case, an attacker would not need any scripting commands and could directly execute arbitrary unsigned code,” the researchers said. “The simplicity of exploitation makes it very likely that attackers will exploit this particular vulnerability in the wild.”
As with the GRUB2 BootHole vulnerability, the mitigation includes adding the vulnerable bootloader to a blacklist built into UEFI known as the Secure Boot Prohibition Signature Database (DBX). This database can be updated through UEFI updates released by PC vendors, but can also be updated through special commands inside the operating system or through Windows Update. released by Microsoft security update We blacklisted these vulnerable bootloaders earlier this week, but be aware that some OEM firmware may block the installation of updates, and updates may fail on systems with BitLocker Group Policy enabled. by policy.
How Pre-EFI (PEI) Attacks Work
In addition to attacking the system’s bootloader, attackers can go deeper and deploy malicious implants inside UEFI components that run earlier. This can be achieved by exploiting vulnerabilities or misconfigurations in various UEFI implementations and has had many of these flaws over the years. One example of UEFI malware is a Chinese rootkit called CosmicStrand that has been around since 2016 and attacks systems with Gigabyte or ASUS motherboards with outdated firmware.
Because the vulnerabilities are PC OEM or UEFI vendor specific, UEFI attacks are inherently more targeted and therefore only work on a specific subset of PCs or servers. But there is no shortage of such flaws. Over the past nine months, Binarly’s research team discovered 42 critical vulnerabilities related to System Management Mode (SMM) and Driver Execution Environment (DXE) in firmware from different manufacturers. That said, more UEFI security mitigations have been added over the years, such as Intel BIOS Guard, which is part of the company’s Intel Hardware Shield technology and includes Intel Platform Attribute Assessment Module (PPAM) and Intel SMI Transport Monitor (STM). .
According to Binarly’s Black Hat talk, these techniques made some exploits more difficult, but increased the attack surface by adding code that could contain vulnerabilities. To prove this, the team demonstrated several recently discovered vulnerabilities that could enable what they call Pre-EFI (PEI) attacks. This is an attack that runs earlier in the boot phase before mitigations are applied.
“There is no security protection for SPI during most of the PEI phase. [the flash chip where UEFI is stored] It can be modified,” the researchers said. their presentation. Technologies such as BLE, SMM_BWP, PRx, or Intel BIOS Guard are not currently enabled.
Researchers have disclosed three PEI memory corruption vulnerabilities that affect firmware created by Intel and AMI and can lead to arbitrary code execution (CVE-2022-28858, CVE-2022-36372, CVE-2022-32579). One of these vulnerabilities could lead to DXE. Arbitrary Code Execution (CVE-2022-34345) and three SMM memory corruption defects (CVE-2022-27493 and CVE-2022-33209). Also discovered 6 SMM memory corruption issues that can lead to arbitrary code execution in HP firmware (CVE-2022-23930, CVE-2022-31644, CVE-2022-31645, CVE-2022-31646, CVE-2022-31640) and made it public. and CVE-2022-31641).
“Remember that complexity is the enemy of security,” said Alex Matrosov, CEO of Binarly, telling vendors that UEFI security features must be properly configured and consistent across the entire ecosystem, and that information stored in UEFI static storage has many important implications. Remind me that data is included. It should be viewed as a potential attack vector allowing an attacker to perform an easy bypass.
Copyright © 2022 IDG Communications, Inc.