A two-month-old vulnerability, known as “PKfail” (CVE-2024-8105), remains a significant risk for millions of devices worldwide. The issue stems from vendors shipping non-production cryptographic keys as Secure Boot Platform Keys; some of these keys are publicly known or have leaked in data breaches, leaving Secure Boot devices vulnerable to UEFI bootkit malware attacks.
Despite warnings from Binarly, the security firm that discovered the vulnerability, numerous computer manufacturers have continued to use untrusted test keys. These keys were marked as “DO NOT TRUST,” but were still used by companies such as Acer, Dell, Fujitsu, Gigabyte, HP, Intel, Lenovo, Phoenix, and Supermicro.
PKfail allows threat actors to bypass Secure Boot protections and plant undetectable UEFI malware on vulnerable systems, leaving users with no practical way to defend against or even discover the compromise. A “PKfail scanner” has been released by Binarly to help vendors identify affected firmware images.
As of now, the scanner has found 791 vulnerable firmware submissions out of 10,095 tested. The majority of these submissions come from AMI, followed by Insyde and Phoenix. Notably, some of the vulnerable keys were generated as far back as 2011 and are still being used in modern devices.
While vendor response to PKfail has generally been proactive and swift, not everyone has quickly published advisories about the security risk. Patches or firmware updates have been released by Dell, Fujitsu, Supermicro, Gigabyte, Intel, and Phoenix, allowing users to update their BIOS and remove vulnerable Platform Keys. For devices that are no longer supported and unlikely to receive security updates for PKfail, it is recommended that physical access be limited and the device be isolated from more critical parts of the network.
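The practical first step for a defender is to check which Platform Key a machine actually enrolled. The following script is an added example, not Binarly's scanner and not any vendor's code: it parses the PK variable's EFI_SIGNATURE_LIST structure (the layout defined in the UEFI specification) and reports X.509 entries whose DER bytes contain the “DO NOT TRUST” marker that the test keys carry in their subject. Assumptions: the Linux efivarfs path and the well-known UEFI GUIDs are as I recall them from the specification; the marker appears as plain ASCII in the certificate subject, so a substring search over the raw DER is enough; and the sample inputs are constructed stand-ins, not real certificates. Absence of the marker is not proof of safety, since a leaked production key would carry no such label, so treat a clean result as “no known test key found” rather than “not affected”.

```python
"""Added example (not Binarly's scanner): inspect a Secure Boot Platform Key
(PK) variable for the "DO NOT TRUST" test-key marker that PKfail keys carry."""
import struct
import uuid
from pathlib import Path

# Well-known UEFI GUIDs (assumed from the UEFI specification).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
# efivarfs exposes each variable as NAME-GUID; the first 4 bytes are attributes.
PK_EFIVAR = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE_GUID}")
# Marker string present in the subject of the non-production test keys.
TEST_KEY_MARKER = b"DO NOT TRUST"

# EFI_SIGNATURE_LIST header: SignatureType GUID, ListSize, HeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes):
    """Parse one or more concatenated EFI_SIGNATURE_LIST structures.

    Returns a list of (signature_type, signature_owner, signature_data) tuples.
    Raises ValueError on truncated or inconsistent input instead of guessing.
    """
    entries = []
    off = 0
    while off < len(data):
        if off + ESL_HEADER.size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        end = off + list_size
        if list_size < ESL_HEADER.size or end > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        sig_type = uuid.UUID(bytes_le=type_raw)
        body = data[off + ESL_HEADER.size + hdr_size:end]
        if len(body) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off = end
    return entries


def find_test_keys(data: bytes):
    """Return the owner GUIDs of X.509 entries whose DER bytes contain the marker.

    X.509 subject strings are stored as PrintableString/UTF8String, so an ASCII
    marker appears verbatim in the DER encoding and a substring search suffices.
    """
    return [owner for sig_type, owner, der in parse_signature_lists(data)
            if sig_type == EFI_CERT_X509_GUID and TEST_KEY_MARKER in der]


def pk_is_untrusted(data: bytes) -> bool:
    """True if any X.509 entry in the PK data carries the test-key marker."""
    return bool(find_test_keys(data))


def build_signature_list(cert_der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build a single-entry EFI_SIGNATURE_LIST of type X.509 (used for sample input)."""
    sig_size = 16 + len(cert_der)
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def read_pk_from_efivars(path: Path = PK_EFIVAR) -> bytes:
    """Read the PK variable on Linux, dropping the 4-byte efivarfs attribute prefix."""
    return path.read_bytes()[4:]


# Constructed sample input: stand-in byte strings in place of real DER certificates.
CONSTRUCTED_TEST_PK = b"CONSTRUCTED-DER CN=DO NOT TRUST - Test PK Owner"
CONSTRUCTED_PROD_PK = b"CONSTRUCTED-DER CN=Example Vendor Platform Key"
CONSTRUCTED_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")

if __name__ == "__main__":
    if PK_EFIVAR.exists():
        verdict = "UNTRUSTED test key" if pk_is_untrusted(read_pk_from_efivars()) else "no marker found"
        print(f"PK: {verdict}")
    else:
        print("PK variable not available; checking constructed sample input instead")
        print("constructed test PK flagged:", pk_is_untrusted(build_signature_list(CONSTRUCTED_TEST_PK)))
```

Run it as root on a Linux machine booted in UEFI mode to check the live PK; on any other host it falls back to the constructed sample. The same parser applies unchanged to the KEK and db variables, which is useful because a vendor that shipped a test PK may have enrolled test keys there as well.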
Source: https://www.bleepingcomputer.com/news/security/pkfail-secure-boot-bypass-remains-a-significant-risk-two-months-later/