6.7 - VU#309662

Executive Summary

Summary
Title	Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass

Informations
Name	VU#309662	First vendor Publication	2022-08-11
Vendor	VU-CERT	Last vendor Modification	2022-09-28
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score	6.7
Base Score	6.7	Environmental Score	6.7
impact SubScore	5.9	Temporal Score	6.7
Exploitabality Sub Score	0.8

Attack Vector	Local	Attack Complexity	Low
Privileges Required	High	User Interaction	None
Scope	Unchanged	Confidentiality Impact	High
Integrity Impact	High	Availability Impact	High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score	N/A	Attack Range	N/A
Cvss Impact Score	N/A	Attack Complexity	N/A
Cvss Expoit Score	N/A	Authentication	N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

A security feature bypass vulnerability exists in signed 3rd party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process.

Description

UEFI firmware is software written by vendors in the UEFI ecosystem to provide capabilities in the early start up phases of a computer. Secure Boot is a UEFI standard that can be enabled and used to verify firmware and to protect a system against malicious code being loaded and executed early in the boot process, prior to the loading of the operating system.

Security researchers at Eclypsium have found three specific UEFI bootloaders that are signed and authenticated by Microsoft to be vulnerable to a security feature bypass vulnerability allowing an attacker to bypass Secure Boot when it is enabled. The vulnerable bootloaders can be tricked to bypass Secure Boot via a custom installer (CVE-2022-34302) or an EFI shell (CVE-2022-34301 and CVE-2022-34303). As a vulnerable bootloader executes unsigned code prior to initialization of the the Operating System's (OS) boot process, it cannot be easily monitored by the OS or common Endpoint Detection and Response (EDR) tools.

The following vendor-specific bootloaders were found vulnerable:

Inherently vulnerable bootloader to bypass Secure Boot
- New Horizon Datasys Inc (CVE-2022-34302)
UEFI Shell execution to bypass Secure Boot
- CryptoPro Secure Disk (CVE-2022-34301)
- Eurosoft (UK) Ltd (CVE-2022-34303)

Impact

An attacker can bypass a system's Secure Boot feature at startup and execute arbitrary code before the operating system (OS) loads. Code executed in these early boot phases can provide persistence to an attacker, potentially loading arbitrary kernel extensions that survive both reboot and re-installation of an OS. It may also evade common OS-based and EDR security defenses.

Solution

Apply a patch

Apply your vendor-provided security updates that address these vulnerabilities to block vulnerable firmware from bypassing Secure Boot. Microsoft has provided details with their KB5012170 article released on August 9th 2022. Note, these updates can be delivered from your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX) .

Enterprise and Product Developers

As DBX file changes can cause a system to become unstable, Vendors are urged to verify the DBX updates do not cause the machine to be unusable. Enterprises and Cloud Providers that manage large number of computers are also urged to do the required security updates and ensure DBX files are implemented reliably without any risk of boot failure.

Acknowledgements

Thanks to Mickey Shkatov and Jesse Michael of Eclypsium who researched and reported these vulnerabilities.

This document was written by Brad Runyon & Vijay Sarvepalli.

Original Source

Url : https://kb.cert.org/vuls/id/309662

CPE : Common Platform Enumeration

Type	Description	Count
Os	Eurosoft-Uk Uefi Bootloader cpe:2.3:o:eurosoft-uk:uefi_bootloader::::::::	1
Os	Horizondatasys Uefi Bootloader cpe:2.3:o:horizondatasys:uefi_bootloader::::::::	1
Os	Kidan Cryptopro Securedisk For Bitlocker cpe:2.3:o:kidan:cryptopro_securedisk_for_bitlocker::::::::	1
Os	Microsoft Windows 10 1507 cpe:2.3:o:microsoft:windows_10_1507:-::::::x86:	1
Os	Microsoft Windows 10 1607 cpe:2.3:o:microsoft:windows_10_1607:-::::::x86:	1
Os	Microsoft Windows 10 1809 cpe:2.3:o:microsoft:windows_10_1809:-::::::x86:	1
Os	Microsoft Windows 10 20H2 cpe:2.3:o:microsoft:windows_10_20h2:-::::::arm64:	1
Os	Microsoft Windows 10 21H1 cpe:2.3:o:microsoft:windows_10_21h1:-::::::arm64:	1
Os	Microsoft Windows 10 21H2 cpe:2.3:o:microsoft:windows_10_21h2:-::::::arm64:	1
Os	Microsoft Windows 11 cpe:2.3:o:microsoft:windows_11:-:::::::*	1
Os	Microsoft Windows 8.1 cpe:2.3:o:microsoft:windows_8.1:-:::::::*	1
Os	Microsoft Windows Rt 8.1 cpe:2.3:o:microsoft:windows_rt_8.1:-:::::::*	1
Os	Microsoft Windows Server 2012 cpe:2.3:o:microsoft:windows_server_2012:r2:::::::* cpe:2.3:o:microsoft:windows_server_2012:-:::::::*	2
Os	Microsoft Windows Server 2016 cpe:2.3:o:microsoft:windows_server_2016:-:::::::*	1
Os	Microsoft Windows Server 2019 cpe:2.3:o:microsoft:windows_server_2019:-:::::::*	1
Os	Microsoft Windows Server 2022 cpe:2.3:o:microsoft:windows_server_2022:-:::::::*	1
Os	Microsoft Windows Server 20H2 cpe:2.3:o:microsoft:windows_server_20h2:-::::::x64:	1
Os	Redhat Enterprise Linux cpe:2.3:o:redhat:enterprise_linux:9.0:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*	3

Alert History

If you want to see full details history, please login or register.

Date	Informations
2022-09-28 21:21:59	Multiple Updates
2022-09-12 21:22:13	Multiple Updates
2022-08-25 21:22:05	Multiple Updates
2022-08-12 00:22:01	Multiple Updates
2022-08-11 21:21:58	First insertion

Global Informations

Type	Count
CPE ID(s)	21

	Related
6.7	CVE-2022-34303
6.7	CVE-2022-34302
6.7	CVE-2022-34301
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)