PKfail Secure Boot bypass lets attackers install UEFI malware
Hundreds of UEFI products from 10 vendors are vulnerable to compromise due to a critical firmware supply-chain issue called PKfail. The flaw allows attackers to bypass Secure Boot and install malware.
The affected devices use an untrusted test Secure Boot “master key” (the Platform Key) generated by American Megatrends International (AMI), whose certificate is tagged “DO NOT TRUST”. Upstream vendors should have replaced this key with their own securely generated keys, but often don’t, so devices ship with an untrusted key.
The 10 device makers that shipped untrusted test keys across 813 products are:
* Acer
* Aopen
* Dell
* Formelife
* Fujitsu
* Gigabyte
* HP
* Intel
* Lenovo
* Supermicro
In May 2023, Binarly discovered a related supply-chain security incident involving leaked Intel Boot Guard private keys, which affected multiple vendors.
The PKfail issue allows threat actors to bypass Secure Boot by manipulating the Key Exchange Key (KEK) database, Signature Database (db), and Forbidden Signature Database (dbx). After compromising the entire security chain, they can sign malicious code and deploy UEFI malware like CosmicStrand and BlackLotus.
To mitigate PKfail, vendors should generate and manage the Platform Key using cryptographic key management best practices, such as Hardware Security Modules. Users should replace any test keys provided by independent BIOS vendors with their own safely generated keys. It’s also essential to monitor firmware updates issued by device vendors and apply any security patches addressing the PKfail supply-chain issue as soon as possible.
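An added example (not code from the article or from Binarly) of the check a defender can run on a Linux host: it parses the EFI_SIGNATURE_LIST stored in the PK variable and flags an X.509 entry whose certificate carries the “DO NOT TRUST” marker. The two sample PK byte strings are constructed stand-ins rather than real certificates, and the efivarfs path and the marker text are assumptions about how the test key presents itself.

```python
import os
import struct
import uuid

# GUID the UEFI spec assigns to X.509 entries inside an EFI_SIGNATURE_LIST
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Linux efivarfs path of the Platform Key (variable name + EFI_GLOBAL_VARIABLE GUID)
PK_EFIVARFS_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Marker found in the subject of AMI's test Platform Key certificate (assumed exact text)
UNTRUSTED_MARKER = b"DO NOT TRUST"

def parse_signature_lists(data):
    """Yield (signature_type, signature_data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID + (SignatureSize - 16) bytes of data
            yield sig_type, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def pk_uses_test_key(var_bytes, efivarfs=True):
    """True if any X.509 entry in the PK variable carries the 'DO NOT TRUST' marker.
    Reads from efivarfs carry a 4-byte attribute prefix before the signature lists."""
    body = var_bytes[4:] if efivarfs else var_bytes
    return any(t == EFI_CERT_X509_GUID and UNTRUSTED_MARKER in sig
               for t, sig in parse_signature_lists(body))

def build_pk_variable(cert_blob):
    """Build a constructed PK variable (efivarfs layout) holding one X.509 entry."""
    sig_size = 16 + len(cert_blob)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return struct.pack("<I", 0x27) + header + uuid.UUID(int=0).bytes_le + cert_blob

# Constructed stand-ins for certificate bytes (not real DER); only the subject text matters here
TEST_PK = build_pk_variable(b"\x30\x82CN=DO NOT TRUST - AMI Test PK")
VENDOR_PK = build_pk_variable(b"\x30\x82CN=Example Vendor Platform Key")

if __name__ == "__main__":
    if os.path.exists(PK_EFIVARFS_PATH):
        with open(PK_EFIVARFS_PATH, "rb") as f:
            print("untrusted test PK" if pk_uses_test_key(f.read()) else "PK looks vendor-specific")
    else:
        print("no efivarfs PK variable found (not a UEFI Linux host?)")
```

Reading the variable needs root on most distributions; a positive result means firmware updates from the device vendor are the fix, since the PK cannot safely be replaced by a normal user.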
Source: https://www.bleepingcomputer.com/news/security/pkfail-secure-boot-bypass-lets-attackers-install-uefi-malware/