Recently, cybersecurity researchers uncovered a severe vulnerability within the Unified Extensible Firmware Interface (UEFI) Secure Boot system, tracked as CVE-2024-7344. This flaw allows attackers to bypass Secure Boot protections, enabling them to execute unauthorised code during the boot process. This type of vulnerability poses a significant threat, as it can lead to the deployment of persistent bootkits that compromise the integrity of a system.
What is UEFI Secure Boot?
The Unified Extensible Firmware Interface (UEFI) is a modern firmware standard that manages the initialisation of hardware and transfers control to the operating system (OS) during start-up. Secure Boot is a critical feature of UEFI designed to ensure that only trusted software signed by original equipment manufacturers (OEMs) is executed during the boot process. By verifying the digital signatures of bootloaders and other components, Secure Boot prevents unauthorised or malicious software from loading.
The CVE-2024-7344 Vulnerability Explained
The vulnerability, CVE-2024-7344, arises from the improper use of custom Portable Executable (PE) loaders in certain UEFI applications. These loaders bypass standard UEFI functions such as LoadImage
and StartImage
, failing to perform critical security checks. Instead, they permit the loading of any UEFI binary, including unsigned and potentially malicious ones, from a specially crafted file named cloak.dat
.
This flaw enables attackers to execute untrusted code during system startup, effectively bypassing the Secure Boot mechanism. This opens the door for persistent threats, such as bootkits, which can embed themselves deeply into the firmware, making them difficult to detect and remove.
Affected Devices and Software
The vulnerability impacts several system recovery tools and software packages from multiple vendors, including:
- Howyar Technologies Inc.: SysReturn (versions prior to 10.2.023_20240919)
- Greenware Technologies: GreenGuard (versions prior to 10.2.023-20240927)
- Radix Technologies Ltd.: SmartRecovery (versions prior to 11.2.023-20240927)
- SANFONG Inc.: EZ-back System (versions prior to 10.3.024-20241127)
- Wasay Software Technology Inc.: eRecoveryRX (versions prior to 8.4.022-20241127)
- Computer Education System Inc.: NeoImpact (versions prior to 10.1.024-20241127)
- Signal Computer GmbH: HDD King (versions prior to 10.3.021-20241127)
These tools, signed using Microsoft’s UEFI Certificate Authority, are widely deployed, making this a significant issue across various industries.
Risks and Exploitation Scenarios
By exploiting CVE-2024-7344, attackers can achieve persistent access to a target system through the installation of UEFI bootkits. These bootkits operate at the firmware level, loading before the operating system, making them resistant to detection by conventional security tools. This persistence allows attackers to:
- Maintain Stealth: Operate undetected for extended periods.
- Exfiltrate Sensitive Data: Intercept credentials, encryption keys, and other critical information.
- Compromise Entire Networks: Use the foothold to pivot to other systems within an organisation.
Such vulnerabilities are particularly concerning for enterprises, critical infrastructure, and government systems, where the compromise of a single system can have widespread consequences.
How to Mitigate the Vulnerability
Addressing this vulnerability requires prompt action from affected vendors and users. The following steps are essential to mitigate the risk:
- Apply Patches: Vendors have released updates to address the vulnerability in their respective products. Users must ensure that they are using the latest versions of these tools.
- Update Secure Boot Revocation Lists: Microsoft has revoked the affected UEFI binaries as part of its Patch Tuesday updates on 14 January 2025. Users should ensure that their systems’ Secure Boot revocation lists are up to date.
- Monitor System Integrity: Use tools capable of detecting unauthorised changes to firmware or the boot process. For example, employ UEFI integrity monitoring solutions.
- Enable Firmware-Level Security Features: Where supported, enable hardware-based protections, such as Intel Boot Guard or AMD Platform Secure Boot.
Lessons and Best Practices
The discovery of CVE-2024-7344 highlights several critical lessons about the importance of firmware security:
- Avoid Custom PE Loaders: Developers should rely on standard UEFI functions for loading and verifying binaries to ensure compliance with security best practices.
- Regularly Update Firmware: Outdated firmware often contains vulnerabilities that attackers can exploit. Organisations should establish processes for timely updates, such as following Cyber Essentials principles by installing all High & Critical rated patches within 14 days of release.
- Adopt Zero Trust Principles: Assume that all components, even those trusted previously, may be vulnerable, and continuously verify their integrity.
- Educate IT Teams: Ensure that IT staff are trained in recognising and mitigating threats at the firmware level.
- Conducting Regular Penetration Testing: By running regular network penetration tests across your network, you can further identify vulnerabilities or Indicators Of Compromise (IoC)
The CVE-2024-7344 vulnerability underscores the critical need for vigilance in firmware security. As attackers increasingly target low-level systems to evade traditional defences, organisations must prioritise proactive measures to secure their infrastructure. By applying patches, maintaining up-to-date revocation lists, and leveraging advanced monitoring tools, organisations can mitigate the risks posed by this vulnerability and strengthen their overall cybersecurity posture.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)