Vulnerability in UEFI Boot Loaders Allows Code Execution

A recently patched security vulnerability (CVE-2024-7344) in Unified Extensible Firmware Interface (UEFI) systems could enable bypassing Secure Boot and executing untrusted code during system boot. This allows attackers to deploy malicious UEFI bootkits on machines with Secure Boot enabled.

The affected UEFI application is part of several real-time system recovery software suites developed by different companies. It used a custom PE loader instead of the standard, secure UEFI services LoadImage and StartImage, which enforce the Secure Boot signature check, allowing any UEFI binary – even an unsigned one – to be loaded from a specially crafted file during system start.

Exploiting this vulnerability could grant attackers covert, persistent access to the host, potentially loading malicious kernel extensions that survive reboots and OS reinstallation. To protect against exploitation, the recommended measures are managing access to files on the EFI System Partition (ESP), Secure Boot customization, and remote attestation with a Trusted Platform Module (TPM).
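A defender-side check that follows from the two paragraphs above, added here as an example and not taken from the article or from any of the affected vendors: it walks a mounted ESP (the mount path is an assumption) and reports PE images that carry no Authenticode certificate table, including images embedded inside files that are not `.efi` binaries, which is the crafted-file pattern the loader abused. The fixture bytes are constructed for the demonstration; the check only detects the absence of a certificate table and does not validate a present signature against the platform `db`.

```python
import struct
from pathlib import Path

EFI_SUBSYSTEMS = {10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER", 12: "EFI_RUNTIME_DRIVER"}

def parse_pe(data, base=0):
    """Return (subsystem, has_authenticode) for the PE header at `base`, or None if not a PE."""
    try:
        pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]   # e_lfanew
        if data[base:base + 2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return None
        opt = pe + 24                                  # optional header follows 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        count_off, dirs_off = {0x10B: (92, 96), 0x20B: (108, 112)}[magic]  # PE32 / PE32+
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]
        n_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
        # Data directory index 4 is IMAGE_DIRECTORY_ENTRY_SECURITY (the Authenticode blob).
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 32) if n_dirs > 4 else (0, 0)
        return subsystem, rva != 0 and size != 0
    except (struct.error, KeyError):                   # truncated header or unknown magic
        return None

def find_pe_images(data):
    """Yield (offset, kind, signed) for every PE header in data, wherever it is embedded."""
    pos = data.find(b"MZ")
    while pos != -1:
        info = parse_pe(data, pos)
        if info:
            yield pos, EFI_SUBSYSTEMS.get(info[0], "NON_EFI_PE"), info[1]
        pos = data.find(b"MZ", pos + 1)

def scan_esp(root):
    """Walk a mounted ESP; report unsigned PE images and PE images hidden inside non-.efi files."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        for off, kind, signed in find_pe_images(path.read_bytes()):
            hidden = off != 0 or path.suffix.lower() != ".efi"
            if not signed or hidden:
                findings.append((str(path), off, kind, signed, hidden))
    return findings

def build_minimal_pe(subsystem=10, signed=False):
    """Constructed PE32+ header fixture for exercising the parser; not a bootable image."""
    opt = bytearray(112 + 16 * 8)                      # optional header plus 16 data directories
    struct.pack_into("<H66xH38xI", opt, 0, 0x20B, subsystem, 16)  # magic, subsystem, NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 32, 0x1000, 0x800)      # pretend a certificate table exists
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    return dos + b"PE\0\0" + bytes(20) + bytes(opt)

CRAFTED_FILE = b"VENDORHDR\0\0\0" + build_minimal_pe(10, False)  # constructed: unsigned EFI app inside a data file
```

Run `scan_esp("/boot/efi")` (or wherever the ESP is mounted) and treat any finding as something to explain; a signed image reported as hidden still deserves a look, since a legitimate loader should sit at offset 0 of a `.efi` file.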

The incident highlights concerns over the common use of unsafe signed UEFI binaries among third-party software vendors. It raises the question of how many other similar obscure, but signed, bootloaders might exist, and underlines the need for increased vigilance in monitoring and securing UEFI systems.

Source: https://thehackernews.com/2025/01/new-uefi-secure-boot-vulnerability.html