Full Report
Details have emerged about a now-patched security vulnerability that could allow a bypass of the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems. The vulnerability, assigned the CVE identifier CVE-2024-7344 (CVSS score: 6.7), resides in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, according to a new
Analysis Summary
# Vulnerability: UEFI Secure Boot Bypass via Vulnerable Microsoft-Signed Third-Party Application
## CVE Details
- CVE ID: CVE-2024-7344
- CVSS Score: 6.7 (Medium)
- CWE: Not stated in the summary. The behaviour described below (a loader that executes a PE image without verifying its signature against the Secure Boot databases) corresponds to CWE-347, Improper Verification of Cryptographic Signature. CWE-20 is too generic to be useful here and CWE-218 is a deprecated entry.
## Affected Systems
- Products: UEFI systems utilizing recovery software suites from Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH that leverage a UEFI application signed by the "Microsoft Corporation UEFI CA 2011" certificate.
- Versions (fixed in the version listed; earlier releases are vulnerable):
  - Howyar SysReturn before version 10.2.023_20240919
  - Greenware GreenGuard before version 10.2.023-20240927
  - Radix SmartRecovery before version 11.2.023-20240927
  - Sanfong EZ-back System before version 10.3.024-20241127
  - WASAY eRecoveryRX before version 8.4.022-20241127
  - CES NeoImpact before version 10.1.024-20241127
  - SignalComputer HDD King before version 10.3.021-20241127
- Configurations: Secure Boot enabled with the "Microsoft Corporation UEFI CA 2011" certificate present in the firmware's db, which is the default on most x86 PCs. The vulnerable product does not have to be installed beforehand: because the application is legitimately signed, an attacker with administrator (Windows) or root (Linux) privileges can copy it together with a crafted `cloak.dat` to the EFI System Partition (ESP) and add a boot entry for it.
## Vulnerability Description
The signed application ships its own PE loader instead of calling the UEFI Boot Services `LoadImage` and `StartImage`. With Secure Boot enforcing, `LoadImage` verifies an image's Authenticode signature against db and dbx before the image can be started, and measures it into the TPM; the custom loader performs neither step. It reads a file named `cloak.dat` from its own directory, extracts the PE image that file contains, maps it into memory and transfers control to it. Replacing `cloak.dat` therefore runs arbitrary unsigned code with firmware privileges before the operating system loads, even on a machine where Secure Boot is enabled and otherwise working, which is exactly the foothold a UEFI bootkit needs.
## Exploitation
- Status: Full technical details were published by ESET at disclosure; no exploitation in the wild has been reported. The capability is real and needs no product-specific precondition, since the attacker can bring a copy of the signed vulnerable binary.
- Complexity: Medium. The exploit itself is trivial once administrator or root rights are held; obtaining those rights on the target is the only hard part, because writing to the ESP requires them.
- Attack Vector: Local (CVSS AV:L). Nothing in the attack crosses the network: the attacker needs code execution as admin or root on the host to plant the files, and the payload then runs at the next boot. The 6.7 score is consistent with local access requiring high privileges (PR:H), which is what keeps a full pre-OS code execution primitive at a "Medium" rating.
## Impact
- Confidentiality: High. Code running before the OS sits underneath every OS security control and can tamper with the kernel and drivers as they are loaded.
- Integrity: High. The payload lives on the ESP and in the boot chain, so it survives OS reinstallation and disk wipes that leave the ESP intact.
- Availability: High in CVSS terms, and required for the 6.7 score: code at this stage can prevent the machine from booting at all. Whether an attacker uses that is a payload choice; bootkits normally aim for stealth rather than disruption.
## Remediation
### Patches
- Microsoft revoked the vulnerable binaries in the January 14, 2025 Patch Tuesday update by adding them to the Secure Boot forbidden-signature database (dbx). The revocation only protects a given machine once that dbx update has been written to its firmware variable store; a system that has not applied it will still run the old binary. The vendors listed above have released the fixed product versions given in the Affected Systems section.
### Workarounds
1. **Secure Boot customization:** on fleets that never boot anything signed by the third-party CA (Linux shim, option ROMs, or these recovery suites), remove the "Microsoft Corporation UEFI CA 2011" certificate from db. Nothing signed by it is then trusted, including any copy of the vulnerable application an attacker brings along. Caveat: machines that do rely on third-party-signed binaries (dual-boot Linux, some discrete GPU firmware) will stop booting, so test before rolling this out.
2. **UEFI revocation management:** confirm that the January 2025 dbx update has actually reached each machine's firmware (delivered through Windows Update on Windows and through `fwupd` on Linux), rather than assuming the OS patch level implies it. Reading the dbx variable back and checking its contents is the only reliable test.
3. **Remote attestation:** measured boot records the hash of every image loaded through `LoadImage` into TPM PCR 4 and the Secure Boot policy, including db and dbx contents, into PCR 7, so a remote verifier can detect both an unexpected loader on the boot path and a stale dbx. Caveat: the payload inside `cloak.dat` is executed by the custom loader, bypasses `LoadImage` and is therefore not measured; attestation catches the signed loader, not what it loads.
4. **Restrict ESP access:** control who can write to the EFI System Partition. Windows does not mount the ESP by default, but an administrator can with `mountvol`; on most Linux distributions it is mounted at `/boot/efi` and writable by root. Placing either the vulnerable binary or a `cloak.dat` there requires those rights, so this is the last line before boot-time execution.
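One way to verify items 1 and 2 above from the running OS, as an added example that is not part of the advisory or of ESET's tooling: a Python parser for the EFI_SIGNATURE_LIST chain in which db and dbx are stored. It assumes the variable has been dumped to a file beforehand (on Linux, `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and the matching `dbx-...` file, which carry a 4-byte attributes prefix; on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes` written out with `[IO.File]::WriteAllBytes`). Detecting the third-party CA by searching the DER for its subject CN is a heuristic assumption, not a proper X.509 parse, and the db/dbx bytes built in the block are constructed sample data, not real firmware contents.

```python
import hashlib
import struct
import sys
import uuid

# Signature type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Owner GUID Microsoft uses for the entries it provisions (also used for the constructed sample)
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Subject CN of the third-party CA; a PrintableString, so it appears verbatim in the DER (heuristic)
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"
HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_signature_lists(data: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures (the raw value of db or dbx).

    Yields (signature_type, owner_guid, signature_data) per entry and refuses
    malformed input instead of reading past the buffer."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < HEADER_LEN + hdr_size or end > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        pos = off + HEADER_LEN + hdr_size
        if (end - pos) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def third_party_ca_present(db: bytes) -> bool:
    """Heuristic: does db hold an X.509 entry whose DER contains the third-party CA's CN?"""
    return any(t == EFI_CERT_X509_GUID and THIRD_PARTY_CA_CN in d
               for t, _owner, d in parse_signature_lists(db))


def dbx_sha256_hashes(dbx: bytes):
    """Hex digests of revoked images listed as EFI_CERT_SHA256 entries in dbx."""
    return [d.hex() for t, _owner, d in parse_signature_lists(dbx) if t == EFI_CERT_SHA256_GUID]


def load_variable(path: str) -> bytes:
    """Read a Secure Boot variable dumped to a file; efivarfs files carry a 4-byte attributes prefix."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw[4:] if "efivars" in path else raw


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads) -> bytes:
    """Build one EFI_SIGNATURE_LIST from equally sized payloads (used for the constructed sample)."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample data: a placeholder blob standing in for the CA's DER (not a real
# certificate) and two made-up revoked-image hashes. Real db/dbx values are far larger.
FAKE_CA_DER = b"\x30\x82\x05\xd8" + THIRD_PARTY_CA_CN + b"\x00" * 16
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, [FAKE_CA_DER])
SAMPLE_DBX = build_signature_list(
    EFI_CERT_SHA256_GUID, MICROSOFT_OWNER_GUID,
    [hashlib.sha256(b"revoked-image-1").digest(), hashlib.sha256(b"revoked-image-2").digest()])


if __name__ == "__main__":
    # Usage: python sbcheck.py [db-file] [dbx-file]; with no arguments the sample data is used.
    db = load_variable(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DB
    dbx = load_variable(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_DBX
    print("third-party UEFI CA 2011 trusted in db:", third_party_ca_present(db))
    print("SHA-256 revocations in dbx:", len(dbx_sha256_hashes(dbx)))
```

On a real machine the number of SHA-256 entries in dbx is the quick freshness check: compare it against a known-patched reference host, since a dbx that predates the January 2025 update will be visibly shorter. The parser rejects truncated or inconsistent lists rather than silently returning partial results, which matters when the input comes straight out of firmware.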
## Detection
- Indicators of Compromise (IOCs): the vulnerable signed application on the ESP of a host that has none of the listed recovery products installed, or a `cloak.dat` beside it whose hash differs from what the vendor shipped. On hosts that legitimately run one of these products both files are expected, so their presence alone is not an indicator; compare against a known-good installation. Unexpected Boot#### entries or a changed BootOrder pointing at such a file are the other sign.
- Detection methods and tools: mount and inventory the ESP (`mountvol` on Windows, `/boot/efi` on most Linux distributions), hash every PE image and every `cloak.dat`, and compare the PE hashes against the revoked-image hashes in the applied dbx. OS-based EDR is not blind here: the ESP is an ordinary partition and the file writes that plant the payload are visible to it. What EDR cannot observe is the execution, which happens before the kernel loads, so for that stage use the TPM event log and remote attestation (PCR 4 records the signed loader's hash) or an offline firmware analysis of the disk image.
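An added example of the ESP inventory step, written for this page rather than taken from the advisory or any vendor: a Python script that walks a mounted ESP, identifies PE images, reports their subsystem and whether they carry an Authenticode certificate table, and flags signed EFI images that share a directory with a `cloak.dat`, the loader/payload pairing this CVE depends on. It assumes the ESP is already mounted at the path given on the command line. The `demo()` function builds a constructed sample tree in a temporary directory (header-only PE32+ images, not bootable binaries; `recovery.efi` is a hypothetical file name) so the block runs offline.

```python
import hashlib
import os
import struct
import tempfile

# PE subsystem values that mark UEFI images (IMAGE_SUBSYSTEM_EFI_*)
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot driver", 12: "EFI runtime driver", 13: "EFI ROM"}


def inspect_pe(data: bytes) -> dict:
    """Parse just enough PE32/PE32+ header to report the subsystem and whether a
    Certificate Table (the Authenticode signature) is present. Non-PE input gives is_pe=False."""
    info = {"is_pe": False, "subsystem": None, "has_cert_table": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt_off = e_lfanew + 24
    if opt_off + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:          # PE32: data directories start 96 bytes into the optional header
        dd_off = opt_off + 96
    elif magic == 0x20B:        # PE32+: 112 bytes in
        dd_off = opt_off + 112
    else:
        return info
    sec_dir = dd_off + 4 * 8    # data directory index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    if sec_dir + 8 > len(data):
        return info
    info["is_pe"] = True
    info["subsystem"] = struct.unpack_from("<H", data, opt_off + 68)[0]  # same offset in both formats
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)       # file offset, not an RVA
    info["has_cert_table"] = cert_off != 0 and cert_size != 0 and cert_off + cert_size <= len(data)
    return info


def scan_esp(root: str):
    """Inventory PE images and cloak.dat files under an ESP mount point."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        has_cloak = any(f.lower() == "cloak.dat" for f in files)
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            info = inspect_pe(data)
            if not info["is_pe"] and name.lower() != "cloak.dat":
                continue
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_pe": info["is_pe"],
                "subsystem": EFI_SUBSYSTEMS.get(info["subsystem"], info["subsystem"]),
                "has_cert_table": info["has_cert_table"],
                "cloak_dat_alongside": has_cloak,
            })
    return sorted(findings, key=lambda f: f["path"])


def suspicious(findings):
    """PE images sharing a directory with cloak.dat, plus any PE image with no certificate table."""
    return [f["path"] for f in findings if f["is_pe"] and (f["cloak_dat_alongside"] or not f["has_cert_table"])]


def build_minimal_pe(with_cert_table: bool) -> bytes:
    """Constructed sample: a header-only PE32+ EFI application, not a bootable image."""
    header_size = 0x40 + 24 + 112 + 16 * 8
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x2022)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)     # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)       # IMAGE_SUBSYSTEM_EFI_APPLICATION
    struct.pack_into("<I", opt, 108, 16)      # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    cert = b""
    if with_cert_table:
        cert = struct.pack("<IHH", 8, 0x0200, 0x0002)   # empty WIN_CERTIFICATE header (constructed)
        struct.pack_into("<II", dirs, 4 * 8, header_size, len(cert))
    return dos + coff + bytes(opt) + bytes(dirs) + cert


def demo():
    """Lay out a constructed ESP tree in a temporary directory, scan it, return (findings, flagged)."""
    layout = {
        "EFI/Boot/bootx64.efi": build_minimal_pe(True),       # ordinary signed boot manager
        "EFI/Recovery/recovery.efi": build_minimal_pe(True),  # hypothetical signed loader
        "EFI/Recovery/cloak.dat": b"not-a-pe-payload",        # stand-in for the payload file
        "EFI/Tools/unsigned.efi": build_minimal_pe(False),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        findings = scan_esp(root)
        return findings, suspicious(findings)


if __name__ == "__main__":
    import sys
    results = scan_esp(sys.argv[1]) if len(sys.argv) > 1 else demo()[0]
    for f in results:
        print(f)
```

The certificate-table check only says whether a signature blob is attached, not whether it verifies or whether the signer is in db; that is what the hashes are for. Feed the `sha256` values into the dbx comparison from the previous example, and diff the whole listing against a golden image of the same model so that a new signed file next to a `cloak.dat` stands out even when both files are "legitimate" on their own.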
## References
- Vendor Advisories: Microsoft Security Update Guide (CVE-2024-7344)
- Relevant links:
- hxxps://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/
- hxxps://kb.cert.org/vuls/id/529659
- hxxps://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-7344