
CERT Coordination Center

Vendor-signed UEFI applications found vulnerable to Secure Boot bypass

Vulnerability Note VU#457458

Original Release Date: 2026-06-18 | Last Revised: 2026-06-18

Overview

Multiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a "Bring Your Own Vulnerable Driver" (BYOVD)-style attack. If a target system trusts the affected vendor’s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process.

Description

The Unified Extensible Firmware Interface (UEFI) standard defines the modern firmware architecture used to initialize hardware and transfer control to the operating system during system startup. On systems with Secure Boot enabled, UEFI applications and drivers must be cryptographically signed and verified before execution. Trust for these signatures is established through several firmware-managed databases, including the authorized signature database (DB), which commonly contains certificates from original equipment manufacturer (OEM) vendors, operating system authorities, and other supply-chain partners in the UEFI ecosystem.

The UEFI shell is a command-line application that allows advanced users to interact directly with the UEFI environment to run diagnostics or special tasks prior to the operating system boot. Other UEFI applications, such as bootloaders, manage the operating system startup sequence or load specific drivers before the main OS initializes. Some of these applications possess functionalities that can manipulate system memory, modify sensitive NVRAM variables, or load raw drivers.

If a vendor-signed application inadvertently exposes these capabilities without strict access controls, attackers can abuse them to circumvent Secure Boot policies and execute unverified code. This exposure amounts to an early compromise of the pre-boot environment: Secure Boot has verified the signed application, but not the code that the application is then made to run.

Researchers from ESET identified multiple UEFI applications vulnerable to this type of abuse. To neutralize the risk, the affected binaries will be added to vendor-specific DBX revocation lists to prevent them from executing on the target systems.

Impacted UEFI Applications

| Vendor | Application | Vulnerable function | Authenticode SHA-1 hash | SHA-256 file hash |
|---|---|---|---|---|
| Acer | `GRUB2` | insmod | 71DCE405964C67779DB92DBC01F683D6E29075AB | 6cc0e9501420ec036f0ad74df2d17f4d6360f26585f265042537b9f8c2780c30 |
| Acer | `UEFI shell` | mm, dmpstore | D275C2DFD884D2B7842C7F861C527A9FFC6E59DD | b0af2158f11535d8458b8497a35e96d5afc76e43825f255d2d6aa2da74bad883 |
| Acer | `UEFI shell` | mm, dmpstore | 42C4923E676A9FD0A93C08631AD7A8244A8F2174 | 0784c30a83bfcc45bf42804e5729323987957f0a104fcb693d0ff10d76d5b42c |
| Acer | `UEFI shell` | mm, dmpstore | 04BE47C873F116B85111FBF8EE9191C87CEE2619 | b0af2158f11535d8458b8497a35e96d5afc76e43825f255d2d6aa2da74bad883 |
| Acer, Emdoor | `UEFI shell` | mm, setvar | CD5E3EAD6F78526BF9301DEEF66906618654F604 | 14a493007443c72050ce644562db1470e36bf9d04baf5dec6b046e32cbdbb61b |
| AMD | `UEFI shell` | mm, dmpstore | 744565FBB35DB710BCC1547292204763C731DC55 | 58bc1e460a1b7e18e6ad12dae8020c38bd7b3d6217130dd127ae232e4b248406 |
| ASUS, schenker-tech.de (XMG) | `UEFI shell` | mm, dmpstore | DC18D31E46A541C9E42F9588554ADDC7DECE124B | 61ee9a23c366a102ceb34c78af7816413769791658cdb668b02cb81ec94f7c70 |
| ECS | `UEFI Shell` | mm, dmpstore | 59BA2B5C239AF3CC7FCE74AA5E65AAA8CE3C454F | 81da15d6acdfb7868ecea44d41c869c2295603af9a44a2d106d4c0e57d66908 |
| Getac | `UEFI Shell` | mm, dmpstore | 35FBD8ED5ED31D281A6146360CDEFE7E8CEC31DA | 09d895bb03bdac3188ef61b09ab72b99492cfd0b785cbc3eb2eb75657a2f9fa0 |
| GIGABYTE, Maibenben | `UEFI Shell` | mm, setvar, dmpstore | 6CC172CBFEEA24B2806B477F8EDF897334ECC486 | 2944da098861619e21b522a642235bb2ec189ff20ef96e100b2ffdd9a39c3416 |
| Toshiba | `UEFI Shell` | mm, dmpstore | 2EAE2807A4265D9C30EECA68A8C59C7A6D1ACFE7 | cad246ae8a5db51f32f128896ccef5efc30e5d65c9d9722b449988d43da53d51 |
| Uniwill, Maingear, schenker-tech.de (XMG) | `UEFI Shell` | mm, dmpstore | 8CED62F9BD5C987A80598DA1E13414391BBB1ADE | 55682bec887134a2ccaa2cd5458cd3fe6395ea93bb88c9dc541806428b14fc66 |

Impact

This vulnerability only impacts systems where the specific affected vendor's certificate is trusted within the UEFI Authorized Signature Database (DB). On such systems, an attacker with administrative privileges or physical access could leverage the vulnerable application to bypass Secure Boot protections and execute arbitrary code before the operating system loads.

Code executed during this early boot phase can achieve persistent platform compromise, including the ability to load unsigned or malicious kernel components that survive system reboots and operating system reinstallations. Because this activity occurs before the operating system and endpoint security products initialize, malicious code executed through this technique may completely evade detection by standard security controls and endpoint detection and response (EDR) solutions.

Solution

Apply the latest firmware and software updates provided by your hardware or software vendor. Please refer to the Vendor Information section for details. Updated software packages will replace vulnerable UEFI applications with corrected versions that incorporate the latest upstream security fixes. Additionally, administrators should update and verify the UEFI DBX on affected systems to ensure the vulnerable binaries are revoked and can no longer execute during the boot process.
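Verifying that a revocation has actually landed means reading the DBX variable and looking for the binary's hash among its entries. The following is an added example written for this note, not code from CERT/CC, ESET, or any vendor: it parses the concatenated EFI_SIGNATURE_LIST structures that make up `dbx` (the layout and the EFI_CERT_SHA256/SHA1/X509 GUIDs are from the UEFI specification) and reports whether a given hash is revoked. The sample DBX blob is constructed inline for the demonstration; the one SHA-1 value it contains is the Acer GRUB2 Authenticode hash from the table above, and the two SHA-256 values are placeholder bytes. Note a caveat when comparing against the table: DBX hash entries are Authenticode (PE image) digests, so the table's whole-file SHA-256 values will not match a SHA-256 DBX entry; to check for a SHA-256 revocation, compute the binary's Authenticode SHA-256 with a PE-signing tool first. The efivarfs path in `load_efivars_dbx` is the standard Linux location; whether a SHA-1 list appears in a given platform's DBX is platform-specific.

```python
"""Parse a UEFI Secure Boot forbidden-signature database (dbx) and report
whether given Authenticode hashes are revoked.  Added example; the sample
blob at the bottom is constructed, not captured from a real machine."""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_SHA1_GUID = uuid.UUID("826ca512-cf10-4ac9-b187-be01496631bd")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HASH_TYPES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_SHA1_GUID: "sha1"}

# EFI_SIGNATURE_LIST header: SignatureType GUID (16) + SignatureListSize (4)
# + SignatureHeaderSize (4) + SignatureSize (4) = 28 bytes.
LIST_HEADER_LEN = 28


def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, signature_data) for every
    EFI_SIGNATURE_DATA entry in a concatenation of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + LIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HEADER_LEN or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + LIST_HEADER_LEN + hdr_size   # skip the optional SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_hashes(blob):
    """Collect hash entries by digest type; X.509 entries (whole-certificate
    revocations) are only counted, since they carry a certificate, not a hash."""
    out = {"sha256": set(), "sha1": set(), "x509": 0}
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type in HASH_TYPES:
            out[HASH_TYPES[sig_type]].add(data.hex())
        elif sig_type == EFI_CERT_X509_GUID:
            out["x509"] += 1
    return out


def is_revoked(blob, hex_hash):
    """True if the given Authenticode digest (40 hex = SHA-1, 64 hex = SHA-256)
    appears in the DBX blob.  Whole-file hashes will not match; see lead-in."""
    h = hex_hash.lower()
    kind = {64: "sha256", 40: "sha1"}.get(len(h))
    if kind is None:
        raise ValueError("expected a 40- or 64-hex-digit hash")
    return h in revoked_hashes(blob)[kind]


def load_efivars_dbx(path="/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"):
    """Read the live DBX on Linux.  efivarfs prefixes variable data with a
    4-byte attributes word, which is stripped before parsing."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type, hex_hashes):
    """Encode one EFI_SIGNATURE_LIST; used only to construct the sample blob."""
    owner = uuid.UUID(int=0)
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hex_hashes)
    sig_size = 16 + len(bytes.fromhex(hex_hashes[0]))
    header = sig_type.bytes_le + struct.pack("<III", LIST_HEADER_LEN + len(entries), 0, sig_size)
    return header + entries


# Constructed sample DBX: two placeholder SHA-256 entries plus the Acer GRUB2
# Authenticode SHA-1 from the vulnerability note's table.
ACER_GRUB2_SHA1 = "71DCE405964C67779DB92DBC01F683D6E29075AB"
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, ["11" * 32, "22" * 32])
    + build_signature_list(EFI_CERT_SHA1_GUID, [ACER_GRUB2_SHA1])
)

if __name__ == "__main__":
    summary = revoked_hashes(SAMPLE_DBX)
    print("sha256 entries:", len(summary["sha256"]),
          "sha1 entries:", len(summary["sha1"]),
          "x509 entries:", summary["x509"])
    print("Acer GRUB2 revoked:", is_revoked(SAMPLE_DBX, ACER_GRUB2_SHA1))
```

To run this against a real machine, replace `SAMPLE_DBX` with `load_efivars_dbx()` (root is typically required to read efivarfs) and pass the Authenticode digest of the binary you are checking; a hash that is absent after a firmware or DBX update is the signal that the revocation has not been applied.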

Acknowledgements

Thanks to Martin Smolar of ESET for researching and reporting this vulnerability. This document was written by Vijay Sarvepalli.

Vendor Information


GIGABYTE Affected

Notified:  2026-03-17 Updated: 2026-06-18

Statement Date:   May 11, 2026

VU#457458.1 Affected

Vendor Statement

We will remove the efiflash.efi signed by us from our BIOS update package.
Users will no longer be able to use -setvar, -env, and these kinds of parameters in the EFI shell to bypass Secure Boot.

AMD Not Affected

Notified:  2026-03-17 Updated: 2026-06-18

Statement Date:   June 04, 2026

VU#457458.1 Not Affected

Vendor Statement

AMD has reviewed this report and determined that the impacted product(s) have reached end of security support (EOSS). As permitted under the CVE Numbering Authority (CNA) Rules AMD is declining to issue a CVE ID for this report, consistent with AMD's end-of-support policies.

American Megatrends Incorporated (AMI) Not Affected

Notified:  2026-03-17 Updated: 2026-06-18

Statement Date:   March 19, 2026

VU#457458.1 Not Affected

Vendor Statement

This zip includes efi executables signed with the vendor specific keys.
Aptio does not include any of these certificates in the released source.

Insyde Software Corporation Not Affected

Notified:  2026-03-17 Updated: 2026-06-18

Statement Date:   March 18, 2026

VU#457458.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Intel Not Affected

Notified:  2026-03-17 Updated: 2026-06-18

Statement Date:   March 19, 2026

VU#457458.1 Not Affected

Vendor Statement

This issue does not impact Intel's UEFI Reference Code.

Phoenix Technologies Not Affected

Notified:  2026-03-17 Updated: 2026-06-18

Statement Date:   June 04, 2026

VU#457458.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Supermicro Not Affected

Notified:  2026-03-17 Updated: 2026-06-18

Statement Date:   March 24, 2026

VU#457458.1 Not Affected

Vendor Statement

Does not apply to Supermicro.

Acer Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

ASUSTeK Computer Inc. Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cisco Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

ECS Computers Taiwan Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Extreme Computing Emdoor Rugged Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Fsas Technologies Europe Unknown

Notified:  2026-03-18 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Fujitsu HQ Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Gamma Tech Computer Corp. Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

GETAC Inc. Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

LVFS Project Unknown

Notified:  2026-03-18 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Schenker Tech DE Unknown

Notified:  2026-05-20 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Toshiba Corporation Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Uniwill Unknown

Notified:  2026-03-17 Updated: 2026-06-18

VU#457458.1 Unknown

Vendor Statement

We have not received a statement from the vendor.



Other Information

API URL: VINCE JSON | CSAF
Date Public: 2026-06-18
Date First Published: 2026-06-18
Date Last Updated: 2026-06-18 19:41 UTC
Document Revision: 1

Sponsored by CISA.