A newly identified UEFI vulnerability, CVE-2024-7344, has raised significant concerns regarding the security of Secure Boot on systems using the Unified Extensible Firmware Interface (UEFI). The vulnerability, discovered by ESET, resides in a signed UEFI application used by third-party recovery software vendors, including Howyar Technologies and Greenware Technologies. It allows attackers to bypass Secure Boot protections and execute malicious code during the system boot process. The flaw is due to the use of a custom PE loader instead of the standard UEFI functions, which enables the loading of any UEFI binary, including unsigned ones, during system startup. This issue affects machines with Secure Boot enabled, regardless of the operating system installed.
Exploiting this vulnerability could give attackers persistent access to systems, allowing them to deploy UEFI bootkits that persist even through reboots or operating system reinstallations. The flaw presents a serious risk because it allows for the execution of malicious code in the early boot phase, which can bypass traditional operating system-based security measures. These bootkits can operate covertly, evading detection from endpoint detection and response (EDR) tools, and potentially compromise sensitive data. Attackers could exploit the flaw by loading their own vulnerable reloader.efi binary onto a system that has the Microsoft third-party UEFI certificate, though elevated privileges are necessary to deploy the malicious files to the EFI system partition.
The vulnerability was responsibly disclosed to the CERT Coordination Center (CERT/CC) in June 2024, leading to fixes from the affected vendors, including the release of updates that addressed the issue. Microsoft also revoked the vulnerable binaries as part of its Patch Tuesday update in January 2025. Despite the fixes, the discovery of CVE-2024-7344 has highlighted a wider issue of security flaws in signed UEFI bootloaders. Experts have expressed concern over the use of unsafe techniques among third-party UEFI software vendors, questioning how many other similar vulnerabilities might exist in obscure but signed bootloaders that could be exploited by malicious actors.
The discovery of this vulnerability underscores the importance of securing the UEFI ecosystem and ensuring that firmware-level security mechanisms like Secure Boot are continuously updated. Although the vulnerability has been patched, it serves as a reminder that even fundamental security features are not invulnerable to attack. Cybersecurity experts recommend applying UEFI revocations, managing access to files on the EFI system partition, and using Secure Boot customization and remote attestation with a Trusted Platform Module (TPM) as additional measures to protect against the exploitation of signed UEFI bootloaders and the deployment of UEFI bootkits. This vulnerability, though patched, points to the ongoing need for vigilance in the firmware security landscape.
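Two of the controls recommended in the last paragraph, applying UEFI revocations and managing what sits on the EFI system partition, can both be checked from the running operating system. The Python script below is an added example (not code from ESET, Microsoft or any of the affected vendors): it parses the `EFI_SIGNATURE_LIST` format in which the UEFI forbidden-signature database (dbx) is stored, so an operator can confirm whether a given SHA-256 entry has been revoked, and it inventories a mounted ESP for `.efi` files that are not on an allowlist or that carry the `reloader.efi` name mentioned above. The efivarfs path, the allowlist contents and the `demo_inventory` sample tree are assumptions used for illustration; the actual revocation hashes for CVE-2024-7344 are not reproduced here and must be taken from the vendor or Microsoft advisories.

```python
"""Defender-side checks for two mitigations named in the article: confirm which
SHA-256 entries are present in the UEFI dbx, and inventory the EFI system
partition for unexpected or known-vulnerable bootloader names.
Added example; not code from ESET, Microsoft or the affected vendors."""
import hashlib
import struct
import tempfile
import uuid
from pathlib import Path

# EFI_CERT_SHA256_GUID from the UEFI specification. Entries of this type are
# Authenticode PE image hashes (what Secure Boot computes), not raw file hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Linux efivarfs path of the dbx variable (assumed mount point; adjust if needed).
EFIVARS_DBX = Path("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
# File name of the vulnerable application discussed in the article.
VULNERABLE_NAMES = {"reloader.efi"}
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize.
SIGLIST_HEADER = struct.Struct("<16sIII")
SHA256_ENTRY_SIZE = 16 + 32  # SignatureOwner GUID + 32-byte digest


def parse_signature_lists(blob: bytes) -> set[bytes]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures; return the SHA-256 digests."""
    digests: set[bytes] = set()
    off = 0
    while off + SIGLIST_HEADER.size <= len(blob):
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(blob, off)
        if list_size < SIGLIST_HEADER.size or off + list_size > len(blob):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = blob[off + SIGLIST_HEADER.size + hdr_size : off + list_size]
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256_GUID:
            if sig_size != SHA256_ENTRY_SIZE:
                raise ValueError(f"unexpected SignatureSize {sig_size} for SHA-256 list")
            # Each EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData.
            for i in range(0, len(body) - sig_size + 1, sig_size):
                digests.add(body[i + 16 : i + sig_size])
        off += list_size  # other list types (X.509 certs, ...) are skipped
    return digests


def read_efivar_dbx(path: Path = EFIVARS_DBX) -> set[bytes]:
    """Read dbx via efivarfs, which prefixes every variable with a 4-byte attributes word."""
    return parse_signature_lists(path.read_bytes()[4:])


def build_sha256_list(digests: list[bytes], owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (used here to build sample data)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    header = SIGLIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                                 SIGLIST_HEADER.size + len(body), 0, SHA256_ENTRY_SIZE)
    return header + body


def is_revoked(authenticode_sha256: bytes, dbx_digests: set[bytes]) -> bool:
    """True if the image hash (Authenticode SHA-256, as produced by a PE signing tool) is in dbx."""
    return authenticode_sha256 in dbx_digests


def inventory_esp(esp_root: Path, allowlist: set[str]) -> list[dict]:
    """List .efi files under a mounted ESP that are unexpected or carry a vulnerable name.
    allowlist holds lower-case POSIX-style paths relative to the ESP root."""
    findings = []
    for p in sorted(esp_root.rglob("*")):
        if not p.is_file() or p.suffix.lower() != ".efi":
            continue
        rel = p.relative_to(esp_root).as_posix().lower()
        reasons = []
        if p.name.lower() in VULNERABLE_NAMES:
            reasons.append("known-vulnerable application name")
        if rel not in allowlist:
            reasons.append("not in allowlist")
        if reasons:
            # Flat file hash is recorded for change tracking only; it is not the dbx hash.
            findings.append({"path": rel, "reasons": reasons,
                             "sha256": hashlib.sha256(p.read_bytes()).hexdigest()})
    return findings


def demo_inventory() -> list[dict]:
    """Constructed sample ESP tree: one allowed bootloader and one file named reloader.efi."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "EFI" / "Boot").mkdir(parents=True)
        (root / "EFI" / "Boot" / "bootx64.efi").write_bytes(b"MZ constructed sample")
        (root / "EFI" / "Boot" / "reloader.efi").write_bytes(b"MZ constructed sample")
        return inventory_esp(root, {"efi/boot/bootx64.efi"})


if __name__ == "__main__":
    sample_dbx = build_sha256_list([hashlib.sha256(b"constructed revoked image").digest()])
    print(f"{len(parse_signature_lists(sample_dbx))} SHA-256 entries in constructed dbx")
    for finding in demo_inventory():
        print(finding)
```

On a real host, `read_efivar_dbx()` replaces the constructed sample, and the operator supplies the Authenticode hash of each ESP binary (from a PE signature tool) to `is_revoked`; the digest over the raw file that `inventory_esp` records will not match dbx entries, because Secure Boot hashes the PE image with the checksum and certificate table excluded. Finding a file named `reloader.efi` outside an expected location, or any `.efi` file outside the allowlist, is a prompt to verify how it got there, since writing to the ESP already requires elevated privileges.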