{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/309662#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nA security feature bypass vulnerability exists in signed third-party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process.\r\n\r\n### Description\r\n\r\nUEFI firmware is software written by vendors in the [UEFI ecosystem](https://uefi.org/node/4046) to provide capabilities in the early start-up phases of a computer. [Secure Boot](https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot) is a UEFI standard that can be enabled and used to verify firmware and to protect a system against malicious code being loaded and executed early in the boot process, prior to the loading of the operating system.\r\n\r\nSecurity researchers at [Eclypsium](https://eclypsium.com) have found three specific UEFI bootloaders that are signed and authenticated by Microsoft to be vulnerable to a security feature bypass vulnerability allowing an attacker to bypass Secure Boot when it is enabled. The vulnerable bootloaders can be tricked into bypassing Secure Boot via a custom installer (CVE-2022-34302) or an EFI shell (CVE-2022-34301 and CVE-2022-34303). 
As a vulnerable bootloader executes unsigned code prior to initialization of the Operating System's (OS) boot process, it cannot be easily monitored by the OS or common Endpoint Detection and Response (EDR) tools.\r\n\r\nThe following vendor-specific bootloaders were found vulnerable:\r\n\r\n* Inherently vulnerable bootloader to bypass Secure Boot\r\n\t* New Horizon Datasys Inc (CVE-2022-34302)\r\n* UEFI Shell execution to bypass Secure Boot\r\n\t* CryptoPro Secure Disk (CVE-2022-34301)\r\n\t* Eurosoft (UK) Ltd (CVE-2022-34303)\r\n\r\n### Impact\r\n\r\nAn attacker can bypass a system's Secure Boot feature at startup and execute arbitrary code before the operating system (OS) loads. Code executed in these early boot phases can provide persistence to an attacker, potentially loading arbitrary kernel extensions that survive both reboot and re-installation of an OS. It may also evade common OS-based and EDR security defenses.\r\n\r\n### Solution\r\n\r\n#### Apply a patch\r\n\r\nApply your vendor-provided security updates that address these vulnerabilities to block the vulnerable bootloaders from bypassing Secure Boot. Microsoft has provided details in its [KB5012170](https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15) article released on August 9th 2022. Note that these updates can be delivered by your OEM vendor or the OS vendor to install an updated [Secure Boot Forbidden Signature Database (DBX)](https://uefi.org/revocationlistfile).\r\n\r\n#### Enterprise and Product Developers\r\n\r\nAs DBX file changes can cause a system to become [unstable](https://www.zdnet.com/article/microsoft-pulls-security-update-after-reports-of-issues-affecting-some-pcs/), vendors are urged to verify that the DBX updates do not render the machine unusable. 
Enterprises and cloud providers that manage large numbers of computers are also urged to apply the required security updates and ensure that DBX files are deployed reliably without any risk of boot failure.\r\n\r\n### Acknowledgements\r\nThanks to Mickey Shkatov and Jesse Michael of Eclypsium who researched and reported these vulnerabilities.\r\n\r\nThis document was written by Brad Runyon & Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"A CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"Fujitsu is aware of the vulnerabilities in third party UEFI bootloaders by New Horizon Datasys Inc, CryptoPro Secure Disk and Eurosoft (UK) Ltd.\r\n\r\nFujitsu commenced an analysis, inquired with the manufacturer Insyde, and simultaneously resorted to CERT/CC intelligence.\r\n\r\nBased on that, UEFI-BIOS manufacturers will provide a Secure Boot Forbidden Signature Database (DBX) update, along with future firmware releases. These updates will be integrated in a timely manner into Fujitsu UEFI-BIOS firmware.\r\n\r\nThe Fujitsu PSIRT has no plans to issue a dedicated Security Notice or similar. 
Due to the mitigation by OEM vendors and OS vendors at the same time, the issue is considered resolved.\r\n\r\nIn case of questions, please contact the Fujitsu PSIRT (Fujitsu-PSIRT@ts.fujitsu.com).","title":"Vendor statement from Fujitsu Europe"},{"category":"other","text":"Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.","title":"Vendor statement from Intel"},{"category":"other","text":"Red Hat has evaluated this issue and determined we are affected by this vulnerability. Although Red Hat doesn't ship any of the affected shim versions, they would still be bootable in machines installed with Red Hat Enterprise Linux as the shim signatures are still not listed in the DBX. Red Hat is working to provide a DBX update disallowing the affected shims to be booted.","title":"Vendor statement from Red Hat"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/309662"},{"url":"https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022","summary":"https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022"},{"url":"https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15","summary":"https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15"},{"url":"https://tianocore-docs.github.io/Understanding_UEFI_Secure_Boot_Chain/draft/secure_boot_chain_in_uefi/uefi_secure_boot","summary":"https://tianocore-docs.github.io/Understanding_UEFI_Secure_Boot_Chain/draft/secure_boot_chain_in_uefi/uefi_secure_boot"},{"url":"https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot","summary":"https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot"},{"url":"https://uefi.org/sites/default/files/resources/Insyde%20HPE%20NSA%20and%20UEFI%20Secure%20Boot%20Guidelines_FINAL%20v2.pdf","summary":"https://uefi.org/sites/default/files/resources/Insyde%20HPE%20NSA%20and%20UEFI%20Secure%20Boot%20Guidelines_FINAL%20v2.pdf"},{"url":"https://eclypsium.com/2022/07/26/firmware-security-realizations-part-1-secure-boot-and-dbx/","summary":"https://eclypsium.com/2022/07/26/firmware-security-realizations-part-1-secure-boot-and-dbx/"},{"url":"https://www.zdnet.com/article/microsoft-pulls-security-update-after-reports-of-issues-affecting-some-pcs/","summary":"https://www.zdnet.com/article/microsoft-pulls-security-update-after-reports-of-issues-affecting-some-pcs/"},{"url":"https://uefi.org/revocationlistfile","summary":"https://uefi.org/revocationlistfile"}],"title":"Signed third party UEFI bootloaders are vulnerable to Secure Boot 
bypass","tracking":{"current_release_date":"2024-03-04T19:07:34+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#309662","initial_release_date":"2022-08-11 00:00:00+00:00","revision_history":[{"date":"2024-03-04T19:07:34+00:00","number":"1.20240304190734.7","summary":"Released on 2024-03-04T19:07:34+00:00"}],"status":"final","version":"1.20240304190734.7"}},"vulnerabilities":[{"title":"Eurosoft (UK) Ltd: Microsoft Secure Boot Bypass Vulnerability - Eurosoft (UK) Ltd bootloader can replace the current bootloader to allow it to execute code before the OS loads and maintain persistence pre-OS.","notes":[{"category":"summary","text":"Eurosoft (UK) Ltd: Microsoft Secure Boot Bypass Vulnerability - Eurosoft (UK) Ltd bootloader can replace the current bootloader to allow it to execute code before the OS loads and maintain persistence pre-OS.\r\nThis is done by replacing the existing bootloader with a vulnerable one; since it is signed by Microsoft, it is considered a valid bootloader until its hash is revoked in DBX."}],"cve":"CVE-2022-34301","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#309662"}],"product_status":{"known_affected":["CSAFPID-92d6f3c4-3817-11f1-8422-122e2785dc9f","CSAFPID-92d72768-3817-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-92d63560-3817-11f1-8422-122e2785dc9f","CSAFPID-92d663dc-3817-11f1-8422-122e2785dc9f","CSAFPID-92d69028-3817-11f1-8422-122e2785dc9f","CSAFPID-92d6c796-3817-11f1-8422-122e2785dc9f"]}},{"title":"New Horizon Datasys Inc: Microsoft Secure Boot Bypass Vulnerability - New Horizon Datasys Inc bootloader can replace the current bootloader to allow it to execute code before the OS loads and maintain persistence pre-OS.","notes":[{"category":"summary","text":"New Horizon Datasys Inc: Microsoft Secure Boot Bypass Vulnerability - New Horizon Datasys Inc bootloader can replace the current bootloader to allow it to execute code before the OS loads and maintain persistence pre-OS.\r\nThis is done 
by replacing the existing bootloader with a vulnerable one; since it is signed by Microsoft, it is considered a valid bootloader until its hash is revoked in DBX."}],"cve":"CVE-2022-34302","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#309662"}],"product_status":{"known_affected":["CSAFPID-92d8a6e2-3817-11f1-8422-122e2785dc9f","CSAFPID-92d8e148-3817-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-92d7a58a-3817-11f1-8422-122e2785dc9f","CSAFPID-92d84242-3817-11f1-8422-122e2785dc9f","CSAFPID-92d87c08-3817-11f1-8422-122e2785dc9f","CSAFPID-92d91e2e-3817-11f1-8422-122e2785dc9f"]}},{"title":"CryptoPro Secure Disk: Microsoft Secure Boot Bypass Vulnerability - CryptoPro Secure Disk bootloader can replace the current bootloader to allow it to execute code before the OS loads and maintain persistence pre-OS.","notes":[{"category":"summary","text":"CryptoPro Secure Disk: Microsoft Secure Boot Bypass Vulnerability - CryptoPro Secure Disk bootloader can replace the current bootloader to allow it to execute code before the OS loads and maintain persistence pre-OS. 
This is done by replacing the existing bootloader with a vulnerable one; since it is signed by Microsoft, it is considered a valid bootloader until its hash is revoked in DBX."}],"cve":"CVE-2022-34303","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#309662"}],"product_status":{"known_affected":["CSAFPID-92da8098-3817-11f1-8422-122e2785dc9f","CSAFPID-92dab6b2-3817-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-92d9bc4e-3817-11f1-8422-122e2785dc9f","CSAFPID-92d9f42a-3817-11f1-8422-122e2785dc9f","CSAFPID-92da2b16-3817-11f1-8422-122e2785dc9f","CSAFPID-92db0522-3817-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-92d5fef6-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fujitsu Europe","product":{"name":"Fujitsu Europe Products","product_id":"CSAFPID-92d63560-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Toshiba Corporation","product":{"name":"Toshiba Corporation Products","product_id":"CSAFPID-92d663dc-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-92d69028-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-92d6c796-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-92d6f3c4-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-92d72768-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fujitsu Europe","product":{"name":"Fujitsu Europe Products","product_id":"CSAFPID-92d7a58a-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel 
Products","product_id":"CSAFPID-92d80250-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Toshiba Corporation","product":{"name":"Toshiba Corporation Products","product_id":"CSAFPID-92d84242-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-92d87c08-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-92d8a6e2-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-92d8e148-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-92d91e2e-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-92d97932-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fujitsu Europe","product":{"name":"Fujitsu Europe Products","product_id":"CSAFPID-92d9bc4e-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Toshiba Corporation","product":{"name":"Toshiba Corporation Products","product_id":"CSAFPID-92d9f42a-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-92da2b16-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-92da8098-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-92dab6b2-3817-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-92db0522-3817-11f1-8422-122e2785dc9f"}}]}}