Full Report
The story of a signed UEFI application allowing a UEFI Secure Boot bypass
Analysis Summary
# Vulnerability: UEFI Secure Boot Bypass via a Signed Third-Party UEFI Application with an Insecure Custom PE Loader
## CVE Details
- CVE ID: CVE-2024-7344
- CVSS Score: Not given in the source. Impact is high (arbitrary code execution before the operating system loads, persistent bootkit installation), but exploitation requires privileges to write to the EFI System Partition, which tempers the overall rating.
- CWE: Not given in the source. The weakness is a custom PE loader that skips the firmware's signature verification, i.e. improper verification of the cryptographic signature on a loaded image.
## Affected Systems
- Products: Real-time system recovery software suites from Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH. All of them ship the same signed UEFI application (`reloader.efi`) that contains the vulnerable loader.
- Versions (fixed in the listed version and later):
  - Howyar SysReturn before v10.2.023_20240919
  - Greenware GreenGuard before v10.2.023-20240927
  - Radix SmartRecovery before v11.2.023-20240927
  - Sanfong EZ-back System before v10.3.024-20241127
  - WASAY eRecoveryRX before v8.4.022-20241127
  - CES NeoImpact before v10.1.024-20241127
  - SignalComputer HDD King before v10.3.021-20241127
- Configurations: Any UEFI system with Secure Boot enabled and the Microsoft Corporation UEFI CA 2011 (the third-party UEFI CA) enrolled in the Secure Boot db, which is the default on most non-Secured-core Windows PCs and on machines that boot Linux through shim. The vulnerable application does not have to be pre-installed: an attacker who can write to the EFI System Partition can bring their own copy of the signed binary together with `cloak.dat`. Windows 11 Secured-core PCs do not trust the third-party UEFI CA by default and are therefore not exposed in their default configuration.
## Vulnerability Description
The vulnerable UEFI application (`reloader.efi`, shipped with all of the products above) implements its own Portable Executable (PE) loader instead of loading images through the UEFI Boot Services `LoadImage` and `StartImage`. `LoadImage` is where the firmware consults the Secure Boot signature databases (db/dbx) and enforces the image signature policy; a loader that maps a PE into memory and jumps to its entry point itself performs no such check. Because `reloader.efi` is signed under the Microsoft Corporation UEFI CA 2011, the firmware accepts it, and the application then loads whatever UEFI binary is stored in a file named `cloak.dat` on the EFI System Partition, regardless of whether that binary is signed, trusted, or revoked. Successful exploitation gives the attacker arbitrary code execution during boot, before the operating system and its protections load, which is sufficient to install a persistent UEFI bootkit.
## Exploitation
- Status: Demonstrated by the researchers (ESET showed the signed loader executing an untrusted binary taken from `cloak.dat`); no public proof-of-concept is referenced in the source.
- Complexity: Low. No memory corruption or race condition is involved: the attacker only has to place the signed, vulnerable application and a crafted `cloak.dat` where the firmware will boot them.
- Attack Vector: Local (not network-adjacent). Writing to the EFI System Partition requires elevated privileges on the running OS (local administrator on Windows, root on Linux) or physical access to the disk; the files can also be staged on removable media if the firmware is configured to boot from it.
## Impact
- Confidentiality: High (Code running before the OS can read or patch anything the OS later loads, including disk encryption and credential handling, before any OS security control is active.)
- Integrity: High (Allows the installation of a persistent bootkit that modifies the boot chain and the operating system environment on every boot.)
- Availability: High (A bootkit controls the boot path and can corrupt or block it, so denial of service is possible in addition to persistent compromise.)
## Remediation
### Patches
Affected vendors issued fixed versions of their products (listed above). Because an attacker can bring the old, still-validly-signed binary to any system, updating the software alone does not close the hole; the decisive fix is revocation. Microsoft revoked the vulnerable binaries by adding them to the Secure Boot forbidden signature database (dbx) in the **January 14th, 2025 Patch Tuesday update**. Users should update the recovery software to the listed versions or later and verify that the dbx update has actually been applied to the firmware (the update is applied by the OS to the firmware variable, so confirm it on the device rather than assuming it from the patch level).
### Workarounds
On Windows 11 Secured-core PCs the Microsoft third-party UEFI CA is not enrolled in db by default, so the signed application never boots there. On other systems, administrators who do not depend on third-party-signed boot components (Linux shim, third-party option ROMs) can disable trust in the Microsoft Corporation UEFI CA 2011 where the firmware offers that option, at the cost of breaking those components. Otherwise, defenders should deploy the updated software and confirm that Microsoft's dbx revocation has taken effect.
## Detection
- The source gives no Indicators of Compromise: the vulnerable loader is legitimate, signed software, so its file hashes would flag every clean installation of these recovery products.
- Practical checks: look for a `cloak.dat` file next to a third-party-signed UEFI application on the EFI System Partition, and confirm that the January 2025 revocation entries are present in the firmware's dbx variable.
- Measured boot helps only partially: the signed loader itself is measured into the TPM and appears in the event log, but an image mapped by a custom PE loader bypasses the measurement that `LoadImage` performs along with the signature check, so the payload leaves no entry of its own. Treat an unexpected third-party-signed loader in the boot measurements as the signal.
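The loader's trust boundary and the revocation check, as an added example that is not part of ESET's report or any vendor's code. It models the decision `LoadImage` makes against db/dbx (the check the custom PE loader described in the Vulnerability Description skips) and the dbx lookup a defender can run to confirm the January 2025 revocation is present. The `EFI_SIGNATURE_LIST`/`EFI_SIGNATURE_DATA` layouts and the two signature-type GUIDs are the UEFI specification's; the certificate bytes, hashes, owner GUID and image names are constructed placeholders, and certificate chaining is simplified to a direct byte match.

```python
"""Model of the Secure Boot image-policy decision, of how a custom PE loader
sidesteps it, and of the dbx lookup used to confirm a revocation.

Added example (not ESET's or any vendor's code). Struct layouts and the two
signature-type GUIDs are from the UEFI specification; everything else (the
certificate placeholder, the hashes, the owner GUID, the image names) is
constructed for the demo.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Constructed SignatureOwner GUID for the entries built below (any GUID parses).
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SIG_LIST_HDR = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR_LEN = 16 + SIG_LIST_HDR.size  # 28 bytes: type GUID + three UINT32s


def build_signature_list(sig_type, entries):
    """Serialize one EFI_SIGNATURE_LIST holding `entries` (all of the same length)."""
    if len({len(e) for e in entries}) != 1:
        raise ValueError("entries in one EFI_SIGNATURE_LIST must share a size")
    sig_size = 16 + len(entries[0])  # EFI_SIGNATURE_DATA = SignatureOwner GUID + data
    body = b"".join(OWNER_GUID.bytes_le + e for e in entries)
    return sig_type.bytes_le + SIG_LIST_HDR.pack(SIG_LIST_HDR_LEN + len(body), 0, sig_size) + body


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every EFI_SIGNATURE_DATA in a db/dbx
    blob, validating sizes so a truncated or malformed variable raises instead of
    being silently misread."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off + 16)
        end = off + list_size
        first = off + SIG_LIST_HDR_LEN + hdr_size
        if end > len(blob) or first > end or sig_size < 16 or (end - first) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        for pos in range(first, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, bytes(blob[pos + 16:pos + sig_size])
        off = end


def entries_of(blob, sig_type):
    """Set of raw signature payloads of one type (SHA-256 digests or DER certificates)."""
    return {d for t, _, d in parse_signature_lists(blob) if t == sig_type}


def image_allowed(db, dbx, image_hash, signer_cert=None):
    """The policy firmware applies inside LoadImage() with Secure Boot on, simplified:
    deny if the image's Authenticode SHA-256 or its signing certificate is in dbx,
    otherwise allow only if one of them is in db. Certificate chaining and dbt
    timestamp checks are omitted; direct byte matches stand in for them."""
    if image_hash in entries_of(dbx, EFI_CERT_SHA256_GUID):
        return False
    if signer_cert is not None and signer_cert in entries_of(dbx, EFI_CERT_X509_GUID):
        return False
    return (image_hash in entries_of(db, EFI_CERT_SHA256_GUID)
            or (signer_cert is not None and signer_cert in entries_of(db, EFI_CERT_X509_GUID)))


def boot_chain_allowed(db, dbx, first_stage, payload, payload_via_load_image):
    """Two-stage boot as in the report. The firmware always loads the first stage
    (the signed recovery application) through LoadImage(). That application then
    loads the payload from cloak.dat either through LoadImage() (checked) or through
    its own PE loader (db/dbx never consulted). Images are (sha256, signer_cert)."""
    if not image_allowed(db, dbx, *first_stage):
        return False  # firmware refused the first stage (e.g. it has been revoked)
    if payload_via_load_image:
        return image_allowed(db, dbx, *payload)
    return True  # custom loader: the payload is mapped and executed unchecked


def is_revoked(dbx, authenticode_sha256):
    """Defender check: is this PE's Authenticode SHA-256 listed in dbx? dbx holds
    Authenticode hashes (PE hashed with checksum and certificate table excluded),
    not the sha256sum of the file on disk."""
    return authenticode_sha256 in entries_of(dbx, EFI_CERT_SHA256_GUID)


def demo():
    """Constructed scenario: a signed loader, an unsigned payload in cloak.dat, and
    dbx before and after the loader's hash is revoked. Returns the three outcomes."""
    third_party_ca = b"CONSTRUCTED-PLACEHOLDER-FOR-THIRD-PARTY-CA-DER"  # not a real certificate
    loader = (hashlib.sha256(b"constructed signed reloader.efi").digest(), third_party_ca)
    payload = (hashlib.sha256(b"constructed payload inside cloak.dat").digest(), None)
    db = build_signature_list(EFI_CERT_X509_GUID, [third_party_ca])
    dbx_before = build_signature_list(EFI_CERT_SHA256_GUID,
                                      [hashlib.sha256(b"some earlier revoked binary").digest()])
    dbx_after = dbx_before + build_signature_list(EFI_CERT_SHA256_GUID, [loader[0]])
    return {
        "payload_via_LoadImage": boot_chain_allowed(db, dbx_before, loader, payload, True),
        "payload_via_custom_loader": boot_chain_allowed(db, dbx_before, loader, payload, False),
        "custom_loader_after_revocation": boot_chain_allowed(db, dbx_after, loader, payload, False),
    }


if __name__ == "__main__":
    print(demo())
```

The three outcomes are the whole story of this CVE: the unsigned payload is refused when loaded through `LoadImage`, accepted when loaded by the custom loader, and refused again once the loader's own hash is in dbx, which is why the revocation rather than the vendor update is the real fix. To run `is_revoked` against a live machine, feed it the dbx variable: on Linux read `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and drop the 4-byte attribute prefix that efivarfs prepends; on Windows `(Get-SecureBootUEFI -Name dbx).Bytes` returns the same blob without the prefix.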
## References
- Vendor advisories (Coordinated disclosure handled via CERT/CC)
- Relevant links - defanged:
- UEFI Specification 2.9A, Boot Services, `LoadImage()`: hxxps://uefi.org/specs/UEFI/2.9_A/07_Services_Boot_Services.html#efi-boot-services-loadimage
- UEFI Specification 2.9A, Boot Services, `StartImage()`: hxxps://uefi.org/specs/UEFI/2.9_A/07_Services_Boot_Services.html#efi-boot-services-startimage
- Previous similar vulnerability (CVE-2022-34302): hxxps://eclypsium.com/research/one-bootloader-to-load-them-all/
- ESET Research Blog: hxxps://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/