Microsoft Patches Windows to Eliminate Secure Boot Bypass Threat

An Exploitable Vulnerability in Windows Firmware Security

For the past seven months—and likely longer—an industry-wide standard that protects Windows devices from firmware infections could be bypassed using a simple technique. On Tuesday, Microsoft finally patched the vulnerability. The status of Linux systems is still unclear.

The Vulnerability: CVE-2024-7344

Tracked as CVE-2024-7344, the vulnerability made it possible for attackers who had already gained privileged access to a device to run malicious firmware during bootup. These types of attacks can be particularly pernicious because infections hide inside the firmware that runs at an early stage, before even Windows or Linux has loaded. This strategic position allows the malware to evade defenses installed by the OS and gives it the ability to survive even after hard drives have been reformatted. From then on, the resulting "bootkit" controls how the operating system starts.

Secure Boot: A Chain-of-Trust

In place since 2012, Secure Boot is designed to prevent these types of attacks by creating a chain-of-trust linking each file that gets loaded. Each time a device boots, Secure Boot verifies that each firmware component is digitally signed before it’s allowed to run. It then checks the OS bootloader’s digital signature to ensure that it’s trusted by the Secure Boot policy and hasn’t been tampered with. Secure Boot is built into the UEFI—the successor to the BIOS that’s responsible for booting modern Windows and Linux devices.

An Unsigned UEFI App Lurks

Last year, researcher Martin Smolár with security firm ESET noticed something curious about SysReturn, a real-time system recovery software suite available from Howyar Technologies. Buried deep inside was an XOR-encoded UEFI application named reloader.efi, which was digitally signed after somehow passing Microsoft’s internal review process for third-party UEFI apps.

Custom PE Loader

Rather than invoking the standard UEFI services LoadImage and StartImage, which carry out the Secure Boot signature checks, reloader.efi used a custom PE loader that performed none of those checks. As Smolár dug further, he found that reloader.efi was present not only in Howyar’s SysReturn, but also in recovery software from six other suppliers. The complete list is:

  • Howyar Technologies
  • Acronis
  • EaseUS
  • Paragon
  • Kaspersky
  • Avast
  • AVG
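A defender-side illustration of the check the article says the custom loader skipped (an added example, not code from the article, ESET or any vendor): it parses a UEFI PE image's headers and reports whether the Authenticode Certificate Table that Secure Boot verification relies on is present at all. It inspects structure only and does not verify the signature; the sample images are constructed inline.

```python
import struct

# Added example, not code from the article or any vendor. It reports what a conforming
# UEFI loader inspects before verifying an image: PE data directory 4 (Certificate Table).
UEFI_SUBSYSTEMS = {10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
                   12: "EFI_RUNTIME_DRIVER"}
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def inspect_pe(data: bytes) -> dict:
    """Return the image subsystem and whether a certificate table is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # COFF: SizeOfOptionalHeader
    opt_off = pe_off + 24                          # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = {0x10B: 96, 0x20B: 112}[magic]     # data directories: PE32 vs PE32+
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt_off + dirs_off - 4)[0]
    result = {"subsystem": UEFI_SUBSYSTEMS.get(subsystem, "other"),
              "signed": False, "cert_type_ok": False}
    # Directory 4 is the Certificate Table; its "address" is a raw file offset, not an RVA.
    if n_dirs >= 5 and opt_size >= dirs_off + 5 * 8:
        cert_off, cert_len = struct.unpack_from("<II", data, opt_off + dirs_off + 32)
        if cert_off and cert_len >= 8 and cert_off + cert_len <= len(data):
            length, _rev, ctype = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE
            result["signed"] = True
            result["cert_type_ok"] = ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= cert_len
    return result


def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ EFI application; 'signed' adds only a WIN_CERTIFICATE header."""
    pe_off = 0x40
    opt = bytearray(112 + 16 * 8)                  # PE32+ optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)            # IMAGE_SUBSYSTEM_EFI_APPLICATION
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    headers_len = pe_off + 24 + len(opt)
    cert = struct.pack("<IHH", 8, 0x0200, 0x0002) if signed else b""
    if signed:
        struct.pack_into("<II", opt, 112 + 32, headers_len, len(cert))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

Run over real files from an EFI System Partition, an image reporting `signed: False` is one that LoadImage would reject under Secure Boot but a loader like the one described above would execute.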

Conclusion

The discovery of this vulnerability highlights the importance of regularly updating firmware and UEFI applications to ensure the security of Windows devices. Microsoft’s patching of the vulnerability is a step in the right direction, but Linux users should remain vigilant and ensure their systems are up to date to prevent potential attacks.

Frequently Asked Questions

Q: What is the CVE-2024-7344 vulnerability?
A: CVE-2024-7344 is a Secure Boot bypass vulnerability that allowed attackers who already had privileged access to a device to run malicious firmware during bootup, evading defenses installed by the OS.

Q: What is Secure Boot?
A: Secure Boot is a chain-of-trust mechanism that verifies each firmware component is digitally signed before it’s allowed to run, ensuring the OS bootloader hasn’t been tampered with.

Q: What is the impact of this vulnerability?
A: The vulnerability allows attackers to evade defenses installed by the OS, potentially surviving even after hard drives have been reformatted, and giving them control over the operating system start.

Q: How can I protect my Windows device from this vulnerability?
A: Ensure your device is up to date with the latest firmware and UEFI applications, and regularly update your operating system to prevent potential attacks.
