Eclypsium security researchers have identified three Microsoft-approved UEFI bootloaders containing bugs that could allow attackers to execute unauthorised code before a computer’s operating system loads.
“As part of our continuing research into vulnerable and malicious bootloaders, we have identified three new bootloader vulnerabilities which affect the vast majority of devices released over the past 10 years, including x86-64 and ARM-based devices,” Eclypsium said.
“These vulnerabilities could be used by an attacker to easily evade Secure Boot protections and compromise the integrity of the boot process.”
“[This enables] the attacker to modify the operating system as it loads, install backdoors, and disable operating system security controls.”
The three different bootloaders with the associated vulnerabilities are as follows:
- Eurosoft (UK) Ltd — CVE-2022-34301
- New Horizon Datasys Inc — CVE-2022-34302
- CryptoPro Secure Disk for BitLocker — CVE-2022-34303
Eclypsium explained that the New Horizon Datasys vulnerability is far more sinister than the other two, since it always remains invisible to the system owner.
“This bootloader contains a built-in bypass for Secure Boot that leaves Secure Boot on but disables the Secure Boot checks.”
“In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code,” Eclypsium said.
The researchers warned that the simplicity of this exploit makes it highly likely that bad actors would attempt to exploit it in the wild.
The researchers said that since the Microsoft UEFI Third-Party Certificate Authority signs these bootloaders, they are trusted by “virtually all traditional Windows and Linux-based systems”.
Eclypsium said attackers would need administrator privileges to install one of the vulnerable bootloaders on a system. However, it also noted that exploits providing such privilege escalation are readily available.
The researchers said that the final step in mitigating the flaws would require original equipment manufacturers or operating system vendors to update the Secure Boot Forbidden Signature Database (DBX).
Eclypsium cautioned against updating the DBX prematurely, as this could result in devices with the affected bootloaders failing to start up.
Microsoft’s KB5012170 security update has added the signatures of the CryptoPro Secure Disk and Eurosoft bootloaders to the DBX, BleepingComputer reported.
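Whether a particular bootloader image is already blocked on a machine can be checked by parsing the DBX variable, which is a concatenation of EFI_SIGNATURE_LIST structures holding revoked SHA-256 image hashes and certificates. The following Python example is added here and is not Eclypsium's or Microsoft's code; it runs against a constructed DBX payload with two placeholder hashes, since this article does not list the hashes of the affected images.

```python
import struct
import uuid

# GUID tagging an EFI_SIGNATURE_LIST of SHA-256 image hashes (UEFI spec EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def revoked_sha256_hashes(dbx):
    """Return the set of hex SHA-256 hashes revoked by a DBX payload.

    Layout per list: SignatureType GUID (16) | SignatureListSize (4) |
    SignatureHeaderSize (4) | SignatureSize (4) | header | N entries, each
    SignatureOwner GUID (16) + SignatureData. Non-SHA-256 lists (e.g. X.509) are skipped.
    """
    hashes = set()
    offset = 0
    while offset + 28 <= len(dbx):
        sig_type = uuid.UUID(bytes_le=dbx[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", dbx, offset + 16)
        end = offset + list_size
        if list_size < 28 or end > len(dbx) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {offset}")
        if sig_type == EFI_CERT_SHA256_GUID:
            pos = offset + 28 + hdr_size
            while pos + sig_size <= end:
                hashes.add(dbx[pos + 16:pos + sig_size].hex())  # skip SignatureOwner GUID
                pos += sig_size
        offset = end
    return hashes


def is_revoked(dbx, image_sha256_hex):
    """True if the given Authenticode SHA-256 hash of a bootloader is blocked by this DBX."""
    return image_sha256_hex.lower() in revoked_sha256_hashes(dbx)


def build_sha256_list(hashes_hex):
    """Encode one EFI_SIGNATURE_LIST of SHA-256 entries (used here only to construct sample data)."""
    owner = uuid.UUID(int=0).bytes_le
    entries = b"".join(owner + bytes.fromhex(h) for h in hashes_hex)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(entries), 0, 16 + 32)
    return header + entries


# Constructed sample: placeholder hashes standing in for revoked bootloader images.
SAMPLE_REVOKED = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED)

if __name__ == "__main__":
    # Real input: Windows `(Get-SecureBootUEFI -Name dbx).Bytes`; on Linux the efivarfs
    # dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f file, minus its 4 leading attribute bytes.
    print(is_revoked(SAMPLE_DBX, "11" * 32), is_revoked(SAMPLE_DBX, "33" * 32))
```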