The Eclypsium Research Group presents three new bootloader vulnerabilities

By TechThop Team

Posted on: 17 Aug, 2022

The Eclypsium team has discovered three new vulnerabilities in SecureBoot certified bootloaders that will affect multiple processor types, including ARM and x86.

“Rather than guaranteeing bug-free code, SecureBoot just states that the code is good. It will continue to happen for as long as humans exist, is my explanation,” said Jesse Michael, who presented the research with Mickey Shkatov at the Black Hat conference in Las Vegas on Friday.

Earlier, Eclypsium published the BootHole research into another vulnerable bootloader.

In the bootloader ecosystem, there are a variety of vendors, with Microsoft acting as a certificate authority. In addition to testing the bootloader for vulnerabilities, Microsoft provides some checks. 

There are three bootloaders registered to Eurosoft Ltd, New Horizon Datasys Inc, and CryptoPro Secure Disk for Bitlocker, each representing a different class of problem.

The Eurosoft and CryptoPro signed shells could be used to circumvent SecureBoot's boundaries through scripting, such as writing or mapping memory.

As a result of the New Horizon Datasys vulnerability, arbitrary code can be executed by bypassing SecureBoot. 

The New Horizon vulnerability is somewhat stealthier. Running a shell would open a window that a user might see on a monitor, whereas the bypass does not open a window.

All the vulnerabilities require administrator access to exploit. That requirement might not be particularly difficult to get around.

“All current ransomware campaigns send programs via email,” said Shkatov.
