Eclypsium calls out Microsoft over bootloader security concerns

By TechThop Team

Posted on: 13 Aug, 2022

LAS VEGAS - Researchers from Eclypsium criticized Microsoft's response to the discovery of three new bootloader vulnerabilities that can be exploited to take over systems during boot.

Researchers from security platform vendor Eclypsium detailed the vulnerabilities, which Microsoft disclosed in this week's Patch Tuesday release, at DEF CON 30 on Friday. The three vulnerabilities affect bootloaders from Eurosoft Ltd. and New Horizon Datasys, Inc.

A threat actor can exploit these vulnerabilities to bypass Secure Boot, the protocol OEMs and operating system distributors use to authenticate bootloaders and UEFI drivers through valid digital signatures. By bypassing the Secure Boot checks, a threat actor can modify the operating system, disable security controls and install a backdoor.

Although the bootloaders are not Microsoft products, they are cryptographically signed by the company's UEFI third-party certificate authority (CA). According to Eclypsium principal researchers Jesse Michael and Mickey Shkatov, Microsoft signs the bootloaders without reviewing the code.

"The third-party distributors will submit their bootloaders to Microsoft for evaluation, but the levels of security maturity are different," Michael told SearchSecurity.

Consequently, a signed bootloader that threat actors can abuse still passes the Secure Boot check: the signature only validates that the code is what you expect to find on the system. "It would not confirm that the code is clean or bug-free," Michael said, adding that vulnerable bootloaders can compromise the supply chain.
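The practical consequence of a signature that vouches for provenance rather than correctness is that a vulnerable bootloader stays bootable until its hash is explicitly revoked. The following example, added here and not code from Eclypsium, Microsoft or the article, goes one step beyond the text: it shows how Secure Boot's forbidden-signature database (dbx) expresses such a revocation, by parsing the EFI_SIGNATURE_LIST structures defined in the UEFI specification and checking whether a given image hash is on the deny list. All hashes, "images" and the owner GUID are constructed for the demo; real dbx entries carry the PE Authenticode SHA-256 of the bootloader (the digest a tool such as `pesign --hash` prints), not a flat file hash.

```python
"""Check whether a bootloader hash is revoked in a UEFI dbx blob.

Added example, not Eclypsium's or Microsoft's code. The EFI_SIGNATURE_LIST
layout and the GUIDs come from the UEFI specification; every hash, image
and owner GUID below is constructed for the demonstration.
"""
import hashlib
import struct
import uuid
from pathlib import Path
from typing import Iterable, Iterator

# Signature-type GUIDs defined in the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID under which the db and dbx variables are stored.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Assumed SignatureOwner for the constructed entries (any GUID would do).
DEMO_OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes) -> Iterator[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a chain of EFI_SIGNATURE_LIST structures and yield
    (SignatureType, SignatureOwner, SignatureData) for every entry.
    Malformed or truncated input raises ValueError instead of being
    silently skipped, so a corrupt dbx is never mistaken for an empty one."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        body_start = off + _HDR.size + hdr_size
        body_end = off + list_size
        if list_size < _HDR.size + hdr_size or body_end > len(blob):
            raise ValueError("SignatureListSize inconsistent with blob")
        # Each EFI_SIGNATURE_DATA starts with a 16-byte SignatureOwner GUID.
        if sig_size < 16 or (body_end - body_start) % sig_size:
            raise ValueError("signature entries do not fill the list")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for pos in range(body_start, body_end, sig_size):
            entry = blob[pos:pos + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off = body_end


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID,
                         datas: Iterable[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; used here only to construct demo data."""
    datas = list(datas)
    sig_size = 16 + len(datas[0])
    if any(16 + len(d) != sig_size for d in datas):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + d for d in datas)
    return _HDR.pack(sig_type.bytes_le, _HDR.size + len(body), 0, sig_size) + body


def revoked_hashes(dbx_blob: bytes) -> set[bytes]:
    """All SHA-256 image hashes the dbx forbids (certificate entries are ignored)."""
    return {data for sig_type, _, data in parse_signature_lists(dbx_blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(authenticode_sha256: bytes, dbx_blob: bytes) -> bool:
    """True when the image hash is on the deny list, i.e. firmware will refuse it."""
    return authenticode_sha256 in revoked_hashes(dbx_blob)


def read_efivar(name: str, guid: str = EFI_IMAGE_SECURITY_DATABASE_GUID) -> bytes:
    """Read a UEFI variable through Linux efivarfs; the first 4 bytes are attributes."""
    return Path(f"/sys/firmware/efi/efivars/{name}-{guid}").read_bytes()[4:]


# Constructed demo data standing in for two Microsoft-signed third-party loaders.
# A flat SHA-256 is used only because these stand-ins are not PE files.
VULNERABLE_LOADER = b"constructed: vulnerable signed UEFI shell"
OTHER_LOADER = b"constructed: unrelated signed loader"
VULNERABLE_HASH = hashlib.sha256(VULNERABLE_LOADER).digest()
OTHER_HASH = hashlib.sha256(OTHER_LOADER).digest()
# A dbx that revokes only the vulnerable loader.
DEMO_DBX = build_signature_list(EFI_CERT_SHA256_GUID, DEMO_OWNER, [VULNERABLE_HASH])

if __name__ == "__main__":
    print("vulnerable loader revoked:", is_revoked(VULNERABLE_HASH, DEMO_DBX))
    print("other loader revoked:", is_revoked(OTHER_HASH, DEMO_DBX))
```

On a live Linux system, `revoked_hashes(read_efivar("dbx"))` lists the hashes the firmware currently rejects; a signed loader whose Authenticode digest is absent from that set will still boot regardless of how many bugs it contains, which is exactly the gap the researchers describe.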

Despite Microsoft's significant presence in the UEFI Secure Boot ecosystem since 2011, when it established its own CA, Shkatov said the company provides little visibility into the bootloaders it signs.

"Since 2011, there have been X bootloaders signed by Microsoft on this planet. Only one group knows how many bootloaders there are and what variations they come in," he said. "Moreover, they will share this data with precisely zero external organizations." It is Microsoft that owns the ecosystem and verifies bootloaders, according to Shkatov.

According to Michael and Shkatov, the three bootloader vulnerabilities are similar to "BootHole," the vulnerability Eclypsium found in the GRUB2 Linux bootloader in 2020. Two of them, CVE-2022-34301 and CVE-2022-34303, are comparable to each other because Eurosoft and Kidan both use signed UEFI shells as their bootloaders.

An attacker can use such a shell to evade Secure Boot controls. As Shkatov noted during the presentation, signed shells are not good for security.

Although malicious shell activity has visible components, the vulnerabilities are particularly dangerous for headless servers and industrial control systems, where no one is watching the console.
