Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass

Overview

A security feature bypass vulnerability exists in signed 3rd party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process.

Description

UEFI firmware is software written by vendors in the UEFI ecosystem to provide capabilities in the early start up phases of a computer. Secure Boot is a UEFI standard that can be enabled and used to verify firmware and to protect a system against malicious code being loaded and executed early in the boot process, prior to the loading of the operating system.

Security researchers at Eclypsium have found three specific UEFI bootloaders that are signed and authenticated by Microsoft to be vulnerable to a security feature bypass vulnerability allowing an attacker to bypass Secure Boot when it is enabled. The vulnerable bootloaders can be tricked to bypass Secure Boot via a custom installer (CVE-2022-34302) or an EFI shell (CVE-2022-34301 and CVE-2022-34303). As a vulnerable bootloader executes unsigned code prior to initialization of the the Operating System’s (OS) boot process, it cannot be easily monitored by the OS or common Endpoint Detection and Response (EDR) tools.

The following vendor-specific bootloaders were found vulnerable:

• Inherently vulnerable bootloader to bypass Secure Boot
  • New Horizon Datasys Inc (CVE-2022-34302)
• UEFI Shell execution to bypass Secure Boot
  • CryptoPro Secure Disk (CVE-2022-34301)
  • Eurosoft (UK) Ltd (CVE-2022-34303)

Impact

An attacker can bypass a system’s Secure Boot feature at startup and execute arbitrary code before the operating system (OS) loads. Code executed in these early boot phases can provide persistence to an attacker, potentially loading arbitrary kernel extensions that survive both reboot and re-installation of an OS. It may also evade common OS-based and EDR security defenses.

Solution

Apply a patch

Apply your vendor-provided security updates that address these vulnerabilities to block vulnerable firmware from bypassing Secure Boot. Microsoft has provided details with their KB5012170 article released on August 9th 2022. Note, these updates can be delivered from your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX) .

Enterprise and Product Developers

As DBX file changes can cause a system to become unstable, Vendors are urged to verify the DBX updates do not cause the machine to be unusable. Enterprises and Cloud Providers that manage large number of computers are also urged to do the required security updates and ensure DBX files are implemented reliably without any risk of boot failure.

Acknowledgements

Thanks to Mickey Shkatov and Jesse Michael of Eclypsium who researched and reported these vulnerabilities.

This document was written by Brad Runyon & Vijay Sarvepalli.

Vendor Information

309662

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Microsoft __ Affected

Notified: 2022-05-24 Updated: 2022-08-11

Statement Date: June 01, 2022

CVE-2022-34301	Affected
Vendor Statement:
Microsoft has worked closely with the vendor, Eurosoft (UK) to remedy the vulnerable bootloader issue, and has blocked the certificate previously issued with the July 2022 Security Update Release.
CVE-2022-34302	Affected Vendor Statement:
Microsoft has blocked the certificate previously issued to New Horizon Datasys Inc. with the July 2022 Security Update Release.
CVE-2022-34303	Affected Vendor Statement:
Microsoft has worked closely with the vendor, CryptoPro Secure Disk (CPSD) to remedy the vulnerable bootloader issue, and has blocked the certificate previously issued with the July 2022 Security Update Release.

Red Hat __ Affected

Notified: 2022-08-02 Updated: 2022-08-25

Statement Date: August 16, 2022

CVE-2022-34301	Affected
CVE-2022-34302	Affected CVE-2022-34303

Vendor Statement

Red Hat has evaluated this issue and determined we are affected by this vulnerability. Although Red Hat doesn’t ship any of the affected shim versions, it would still be bootable in machines installed with Red Hat Enterprise Linux as the shim signatures are still not listed in the DBX. Red Hat is working to provide a DBX update disallowing the affected shims to be booted.

Fujitsu Europe __ Not Affected

Notified: 2022-09-21 Updated: 2022-09-28

Statement Date: September 23, 2022

CVE-2022-34301	Not Affected
CVE-2022-34302	Not Affected CVE-2022-34303

Vendor Statement

Fujitsu is aware of the vulnerabilities in third party UEFI bootloaders by New Horizon Datasys Inc, CryptoPro Secure Disk and Eurosoft (UK) Ltd.

Fujitsu commenced an analysis, inquired manufacturer Insyde, and simultaneously resorted to CERT/CC intelligence.

Based on that, UEFI-BIOS manufacturers will provide a Secure Boot Forbidden Signature Database (DBX) update, along with future firmware releases. These updates will be integrated timely into Fujitsu UEFI-BIOS firmware.

The Fujitsu PSIRT has no plans to issue a dedicated Security Notice or similar. Due to the mitigation by OEM vendors and OS vendors at the same time, the issue is therefore considered resolved.

In case of questions, please contact the Fujitsu PSIRT ([email protected]).

Insyde Software Corporation Not Affected

Notified: 2022-08-09 Updated: 2022-08-25

Statement Date: August 17, 2022

CVE-2022-34301	Not Affected
CVE-2022-34302	Not Affected CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Phoenix Technologies Not Affected

Notified: 2022-08-09 Updated: 2022-08-11

Statement Date: August 09, 2022

CVE-2022-34301	Not Affected
CVE-2022-34302	Not Affected CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Toshiba Corporation Not Affected

Notified: 2022-08-02 Updated: 2022-08-25

Statement Date: August 16, 2022

CVE-2022-34301	Not Affected
CVE-2022-34302	Not Affected CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Intel __ Unknown

Notified: 2022-08-02 Updated: 2022-09-12

Statement Date: August 26, 2022

CVE-2022-34301	Unknown
Vendor Statement:
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.
CVE-2022-34302	Unknown Vendor Statement:
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.
CVE-2022-34303	Unknown Vendor Statement:
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.

Vendor Statement

Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.

Acer Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

AMD Unknown

Notified: 2022-08-11 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

American Megatrends Incorporated (AMI) Unknown

Notified: 2022-08-09 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

ASUSTeK Computer Inc. Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Debian GNU/Linux Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Dynabook Inc. Unknown

Notified: 2022-08-24 Updated: 2022-08-25 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Gamma Tech Computer Corp. Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

GETAC Inc. Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

ReactOS Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

Star Labs Online Limited Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

UEFI Security Response Team Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

VAIO Corporation Unknown

Notified: 2022-08-02 Updated: 2022-08-11 CVE-2022-34301	Unknown
CVE-2022-34302	Unknown CVE-2022-34303

Vendor Statement

We have not received a statement from the vendor.

View all 25 vendors __View less vendors __

References

• <https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022&gt;
• <https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15&gt;
• <https://tianocore-docs.github.io/Understanding_UEFI_Secure_Boot_Chain/draft/secure_boot_chain_in_uefi/uefi_secure_boot&gt;
• <https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot&gt;
• <https://uefi.org/sites/default/files/resources/Insyde HPE NSA and UEFI Secure Boot Guidelines_FINAL v2.pdf&gt;
• <https://eclypsium.com/2022/07/26/firmware-security-realizations-part-1-secure-boot-and-dbx/&gt;
• <https://www.zdnet.com/article/microsoft-pulls-security-update-after-reports-of-issues-affecting-some-pcs/&gt;
• <https://uefi.org/revocationlistfile&gt;

Other Information

CVE IDs:	CVE-2022-34301 CVE-2022-34302 CVE-2022-34303
API URL:	VINCE JSON
Date Public:	2022-08-11 Date First Published: