6.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 High
AI Score
Confidence
High
4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
MULTIPLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:M/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
27.4%
A security feature bypass vulnerability exists in signed 3rd party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process.
UEFI firmware is software written by vendors in the UEFI ecosystem to provide capabilities in the early start up phases of a computer. Secure Boot is a UEFI standard that can be enabled and used to verify firmware and to protect a system against malicious code being loaded and executed early in the boot process, prior to the loading of the operating system.
Security researchers at Eclypsium have found three specific UEFI bootloaders that are signed and authenticated by Microsoft to be vulnerable to a security feature bypass vulnerability allowing an attacker to bypass Secure Boot when it is enabled. The vulnerable bootloaders can be tricked to bypass Secure Boot via a custom installer (CVE-2022-34302) or an EFI shell (CVE-2022-34301 and CVE-2022-34303). As a vulnerable bootloader executes unsigned code prior to initialization of the the Operating Systemโs (OS) boot process, it cannot be easily monitored by the OS or common Endpoint Detection and Response (EDR) tools.
The following vendor-specific bootloaders were found vulnerable:
An attacker can bypass a systemโs Secure Boot feature at startup and execute arbitrary code before the operating system (OS) loads. Code executed in these early boot phases can provide persistence to an attacker, potentially loading arbitrary kernel extensions that survive both reboot and re-installation of an OS. It may also evade common OS-based and EDR security defenses.
Apply your vendor-provided security updates that address these vulnerabilities to block vulnerable firmware from bypassing Secure Boot. Microsoft has provided details with their KB5012170 article released on August 9th 2022. Note, these updates can be delivered from your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX) .
As DBX file changes can cause a system to become unstable, Vendors are urged to verify the DBX updates do not cause the machine to be unusable. Enterprises and Cloud Providers that manage large number of computers are also urged to do the required security updates and ensure DBX files are implemented reliably without any risk of boot failure.
Thanks to Mickey Shkatov and Jesse Michael of Eclypsium who researched and reported these vulnerabilities.
This document was written by Brad Runyon & Vijay Sarvepalli.
309662
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Notified: 2022-05-24 Updated: 2022-08-11
Statement Date: June 01, 2022
CVE-2022-34301 | Affected |
---|---|
Vendor Statement: | |
Microsoft has worked closely with the vendor, Eurosoft (UK) to remedy the vulnerable bootloader issue, and has blocked the certificate previously issued with the July 2022 Security Update Release. | |
CVE-2022-34302 | Affected Vendor Statement: |
Microsoft has blocked the certificate previously issued to New Horizon Datasys Inc. with the July 2022 Security Update Release. | |
CVE-2022-34303 | Affected Vendor Statement: |
Microsoft has worked closely with the vendor, CryptoPro Secure Disk (CPSD) to remedy the vulnerable bootloader issue, and has blocked the certificate previously issued with the July 2022 Security Update Release. |
Notified: 2022-08-02 Updated: 2022-08-25
Statement Date: August 16, 2022
CVE-2022-34301 | Affected |
---|---|
CVE-2022-34302 | Affected CVE-2022-34303 |
Red Hat has evaluated this issue and determined we are affected by this vulnerability. Although Red Hat doesnโt ship any of the affected shim versions, it would still be bootable in machines installed with Red Hat Enterprise Linux as the shim signatures are still not listed in the DBX. Red Hat is working to provide a DBX update disallowing the affected shims to be booted.
Notified: 2022-09-21 Updated: 2022-09-28
Statement Date: September 23, 2022
CVE-2022-34301 | Not Affected |
---|---|
CVE-2022-34302 | Not Affected CVE-2022-34303 |
Fujitsu is aware of the vulnerabilities in third party UEFI bootloaders by New Horizon Datasys Inc, CryptoPro Secure Disk and Eurosoft (UK) Ltd.
Fujitsu commenced an analysis, inquired manufacturer Insyde, and simultaneously resorted to CERT/CC intelligence.
Based on that, UEFI-BIOS manufacturers will provide a Secure Boot Forbidden Signature Database (DBX) update, along with future firmware releases. These updates will be integrated timely into Fujitsu UEFI-BIOS firmware.
The Fujitsu PSIRT has no plans to issue a dedicated Security Notice or similar. Due to the mitigation by OEM vendors and OS vendors at the same time, the issue is therefore considered resolved.
In case of questions, please contact the Fujitsu PSIRT ([email protected]).
Notified: 2022-08-09 Updated: 2022-08-25
Statement Date: August 17, 2022
CVE-2022-34301 | Not Affected |
---|---|
CVE-2022-34302 | Not Affected CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-09 Updated: 2022-08-11
Statement Date: August 09, 2022
CVE-2022-34301 | Not Affected |
---|---|
CVE-2022-34302 | Not Affected CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-25
Statement Date: August 16, 2022
CVE-2022-34301 | Not Affected |
---|---|
CVE-2022-34302 | Not Affected CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-09-12
Statement Date: August 26, 2022
CVE-2022-34301 | Unknown |
---|---|
Vendor Statement: | |
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners. | |
CVE-2022-34302 | Unknown Vendor Statement: |
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners. | |
CVE-2022-34303 | Unknown Vendor Statement: |
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners. |
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-11 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-09 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-24 Updated: 2022-08-25 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301 | Unknown |
---|---|
CVE-2022-34302 | Unknown CVE-2022-34303 |
We have not received a statement from the vendor.
View all 25 vendors __View less vendors __
CVE IDs: | CVE-2022-34301 CVE-2022-34302 CVE-2022-34303 |
---|---|
API URL: | VINCE JSON |
Date Public: | 2022-08-11 Date First Published: |
docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
eclypsium.com/2022/07/26/firmware-security-realizations-part-1-secure-boot-and-dbx/
eclypsium.com/2022/08/11/vulnerable-bootloaders-2022
support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15
tianocore-docs.github.io/Understanding_UEFI_Secure_Boot_Chain/draft/secure_boot_chain_in_uefi/uefi_secure_boot
uefi.org/revocationlistfile
uefi.org/sites/default/files/resources/Insyde%20HPE%20NSA%20and%20UEFI%20Secure%20Boot%20Guidelines_FINAL%20v2.pdf
www.zdnet.com/article/microsoft-pulls-security-update-after-reports-of-issues-affecting-some-pcs/
6.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 High
AI Score
Confidence
High
4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
MULTIPLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:M/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
27.4%