Hundreds of Unified Extensible Firmware Interface (UEFI) products from major vendors are vulnerable to compromise due to a critical firmware supply-chain issue called PKfail. The vulnerability enables attackers to bypass Secure Boot and install malware.
What happened?
Hundreds of UEFI products from 10 major vendors are vulnerable due to a critical firmware supply-chain issue named PKfail. This issue, discovered by the Binarly Research Team, allows attackers to bypass Secure Boot and install malware. Functionally, Secure Boot ensures that when any computer starts up, malicious actors are unable to intercept the process. Without it, computers become significantly more vulnerable.
The vulnerability stems from the use of a test Secure Boot "master key" (Platform Key or PK), generated by American Megatrends International (AMI) and marked "DO NOT TRUST," which many vendors failed to replace with their own secure keys. This oversight left devices with untrusted keys, compromising the security chain from firmware to the operating system.
Affected vendors include Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro, covering 813 products.
The backstory
In May 2023, BleepingComputer wrote about a related security incident that involved leaked private keys from Intel Boot Guard, impacting multiple vendors. The Money Message extortion gang leaked a firmware organization, MSI's, source code containing private keys for 57 MSI products and Intel Boot Guard keys for another 116 MSI products. Additionally, an AMI Secure Boot "master key" leak earlier this year affected various enterprise devices still in use.
Going deeper
The PKfail vulnerability enables threat actors to access vulnerable devices and the private part of the Platform Key (PK), bypassing Secure Boot by manipulating key databases, compromising the entire security chain, and signing malicious code. Actors can then deploy malware like CosmicStrand and BlackLotus. The issue has persisted since the first vulnerable firmware release in May 2012, with the latest in June 2024, making it one of the longest-lasting supply-chain issues.
To mitigate PKfail, vendors should follow best practices for cryptographic key management, including using Hardware Security Modules, and replace any test keys with their own secure keys. Users should apply firmware updates and security patches promptly.
Binarly has also launched the pk.fail website to help users scan firmware binaries for PKfail vulnerabilities and malicious payloads.
What was said?
“Secure Boot has always been the holy grail of platform security, and many security features at the operating system layer depend on its integrity,” said the Binarly REsearch team.
Binarly reported that the root cause of this issue is attributed to the "master key" within Secure Boot, known as Platform Key in UEFI terminology. Its primary function involves managing Secure Boot databases, which determine what is trusted, preserving a chain of trust from firmware through operating systems. “In theory, given its importance, the creation and the management of this master key should be done by the device vendors following best practices for cryptographic key management (for example, by using Hardware Security Modules).” The keys are generated assuming they will be replaced, however, IT administrators do not always do this.
See also: HIPAA Compliant Email: The Definitive Guide
In the know
UEFI (Unified Extensible Firmware Interface) malware is an advanced type of malicious software that targets a computer's firmware, specifically the UEFI firmware responsible for launching hardware components and loading operating systems.
By compromising the UEFI firmware, malware can achieve a high level of persistence and stealth as it operates below the operating system and traditional antivirus solutions. Once embedded in the firmware, UEFI malware can control the system at a fundamental level, enabling the execution of various malicious activities such as espionage, data theft, and system sabotage.
Related: What is malware?
Why it matters
The discovery of widespread vulnerabilities in UEFI firmware has significant implications beyond the immediate context, affecting individuals and industries in various ways:
- Individuals: For individual users, compromised UEFI firmware means their data, including sensitive information like financial details and personal communications, is at risk of being stolen or manipulated by attackers.
- Industries: For industries, particularly those relying on high-security environments such as finance, healthcare, and government, UEFI vulnerabilities can lead to breaches that compromise proprietary information, disrupt operations, and incur substantial financial losses. The integrity of the supply chain is critical; companies should ensure they are vetting their hardware sources and implementing stringent security measures.
The event highlights systemic weaknesses in the cybersecurity landscape, particularly in supply chain security, and underscores the need for a more robust framework for securing firmware.
See also:
FAQs
What is UEFI firmware?
UEFI (Unified Extensible Firmware Interface) firmware is a type of software that connects a computer's hardware to its operating system. It initializes the hardware components and loads the operating system when the computer is powered on.
What is Secure Boot?
Secure Boot is a security feature that prevents unauthorized software from running during the system startup process. It ensures that only software with a valid digital signature from a trusted authority can execute, protecting the system from malware and rootkits.
How does this issue affect the broader cybersecurity landscape?
This issue highlights the importance of securing the entire supply chain and the need for comprehensive cybersecurity measures that include hardware and firmware, not just software. It underscores the evolving sophistication of cyber threats and the necessity for robust security practices.
Tshedimoso Makhene
