search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass

Vulnerability Note VU#309662

Original Release Date: 2022-08-11 | Last Revised: 2024-03-04

Overview

A security feature bypass vulnerability exists in signed 3rd party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process.

Description

UEFI firmware is software written by vendors in the UEFI ecosystem to provide capabilities in the early start up phases of a computer. Secure Boot is a UEFI standard that can be enabled and used to verify firmware and to protect a system against malicious code being loaded and executed early in the boot process, prior to the loading of the operating system.

Security researchers at Eclypsium have found three specific UEFI bootloaders that are signed and authenticated by Microsoft to be vulnerable to a security feature bypass vulnerability allowing an attacker to bypass Secure Boot when it is enabled. The vulnerable bootloaders can be tricked to bypass Secure Boot via a custom installer (CVE-2022-34302) or an EFI shell (CVE-2022-34301 and CVE-2022-34303). As a vulnerable bootloader executes unsigned code prior to initialization of the the Operating System's (OS) boot process, it cannot be easily monitored by the OS or common Endpoint Detection and Response (EDR) tools.

The following vendor-specific bootloaders were found vulnerable:

  • Inherently vulnerable bootloader to bypass Secure Boot
    • New Horizon Datasys Inc (CVE-2022-34302)
  • UEFI Shell execution to bypass Secure Boot
    • CryptoPro Secure Disk (CVE-2022-34301)
    • Eurosoft (UK) Ltd (CVE-2022-34303)

Impact

An attacker can bypass a system's Secure Boot feature at startup and execute arbitrary code before the operating system (OS) loads. Code executed in these early boot phases can provide persistence to an attacker, potentially loading arbitrary kernel extensions that survive both reboot and re-installation of an OS. It may also evade common OS-based and EDR security defenses.

Solution

Apply a patch

Apply your vendor-provided security updates that address these vulnerabilities to block vulnerable firmware from bypassing Secure Boot. Microsoft has provided details with their KB5012170 article released on August 9th 2022. Note, these updates can be delivered from your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX) .

Enterprise and Product Developers

As DBX file changes can cause a system to become unstable, Vendors are urged to verify the DBX updates do not cause the machine to be unusable. Enterprises and Cloud Providers that manage large number of computers are also urged to do the required security updates and ensure DBX files are implemented reliably without any risk of boot failure.

Acknowledgements

Thanks to Mickey Shkatov and Jesse Michael of Eclypsium who researched and reported these vulnerabilities.

This document was written by Brad Runyon & Vijay Sarvepalli.

Vendor Information

309662
 

Microsoft Affected

Notified:  2022-05-24 Updated: 2022-08-11

Statement Date:   June 01, 2022

CVE-2022-34301 Affected
Vendor Statement:
Microsoft has worked closely with the vendor, Eurosoft (UK) to remedy the vulnerable bootloader issue, and has blocked the certificate previously issued with the July 2022 Security Update Release.
CVE-2022-34302 Affected
Vendor Statement:
Microsoft has blocked the certificate previously issued to New Horizon Datasys Inc. with the July 2022 Security Update Release.
CVE-2022-34303 Affected
Vendor Statement:
Microsoft has worked closely with the vendor, CryptoPro Secure Disk (CPSD) to remedy the vulnerable bootloader issue, and has blocked the certificate previously issued with the July 2022 Security Update Release.

Red Hat Affected

Notified:  2022-08-02 Updated: 2022-08-25

Statement Date:   August 16, 2022

CVE-2022-34301 Affected
CVE-2022-34302 Affected
CVE-2022-34303 Affected

Vendor Statement

Red Hat has evaluated this issue and determined we are affected by this vulnerability. Although Red Hat doesn't ship any of the affected shim versions, it would still be bootable in machines installed with Red Hat Enterprise Linux as the shim signatures are still not listed in the DBX. Red Hat is working to provide a DBX update disallowing the affected shims to be booted.

Fujitsu Europe Not Affected

Notified:  2022-09-21 Updated: 2022-09-28

Statement Date:   September 23, 2022

CVE-2022-34301 Not Affected
CVE-2022-34302 Not Affected
CVE-2022-34303 Not Affected

Vendor Statement

Fujitsu is aware of the vulnerabilities in third party UEFI bootloaders by New Horizon Datasys Inc, CryptoPro Secure Disk and Eurosoft (UK) Ltd.

Fujitsu commenced an analysis, inquired manufacturer Insyde, and simultaneously resorted to CERT/CC intelligence.

Based on that, UEFI-BIOS manufacturers will provide a Secure Boot Forbidden Signature Database (DBX) update, along with future firmware releases. These updates will be integrated timely into Fujitsu UEFI-BIOS firmware.

The Fujitsu PSIRT has no plans to issue a dedicated Security Notice or similar. Due to the mitigation by OEM vendors and OS vendors at the same time, the issue is therefore considered resolved.

In case of questions, please contact the Fujitsu PSIRT (Fujitsu-PSIRT@ts.fujitsu.com).

Insyde Software Corporation Not Affected

Notified:  2022-08-09 Updated: 2022-08-25

Statement Date:   August 17, 2022

CVE-2022-34301 Not Affected
CVE-2022-34302 Not Affected
CVE-2022-34303 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Phoenix Technologies Not Affected

Notified:  2022-08-09 Updated: 2022-08-11

Statement Date:   August 09, 2022

CVE-2022-34301 Not Affected
CVE-2022-34302 Not Affected
CVE-2022-34303 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Toshiba Corporation Not Affected

Notified:  2022-08-02 Updated: 2022-08-25

Statement Date:   August 16, 2022

CVE-2022-34301 Not Affected
CVE-2022-34302 Not Affected
CVE-2022-34303 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Intel Unknown

Notified:  2022-08-02 Updated: 2022-09-12

Statement Date:   August 26, 2022

CVE-2022-34301 Unknown
Vendor Statement:
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.
CVE-2022-34302 Unknown
Vendor Statement:
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.
CVE-2022-34303 Unknown
Vendor Statement:
Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.

Vendor Statement

Intel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.

Acer Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

AMD Unknown

Notified:  2022-08-11 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

American Megatrends Incorporated (AMI) Unknown

Notified:  2022-08-09 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

ASUSTeK Computer Inc. Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

Debian GNU/Linux Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dynabook Inc. Unknown

Notified:  2022-08-24 Updated: 2022-08-25

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

Gamma Tech Computer Corp. Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

GETAC Inc. Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

ReactOS Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

Star Labs Online Limited Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

UEFI Security Response Team Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

VAIO Corporation Unknown

Notified:  2022-08-02 Updated: 2022-08-11

CVE-2022-34301 Unknown
CVE-2022-34302 Unknown
CVE-2022-34303 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 25 vendors View less vendors


Other Information

CVE IDs: CVE-2022-34301 CVE-2022-34302 CVE-2022-34303
API URL: VINCE JSON | CSAF
Date Public: 2022-08-11
Date First Published: 2022-08-11
Date Last Updated: 2024-03-04 19:07 UTC
Document Revision: 7

Sponsored by CISA.