Cyber Web Spider Blog – News
UEFI Shell Vulnerabilities Could Allow Hackers to Bypass Secure Boot on 200,000+ Laptops

Posted on October 14, 2025 (updated October 15, 2025) by CWS

Attackers can abuse vulnerabilities in signed UEFI shells to bypass Secure Boot on more than 200,000 Framework laptops and desktops.

According to Eclypsium, the vulnerabilities expose a basic flaw in how modern systems trust boot components, potentially enabling persistent malware infections that evade detection.

Recently disclosed to Framework, the issues stem from legitimate diagnostic tools that, despite being signed by trusted authorities such as Microsoft, include commands powerful enough to dismantle core security safeguards.

As pre-operating-system attacks grow more common, echoing threats like BlackLotus and Bootkitty, the finding underscores the risks lurking in the firmware layer that is so often overlooked.

Hidden Risks of Trusted UEFI Shells

UEFI shells are pre-boot command-line environments, akin to a supercharged terminal with unrestricted hardware access. Designed for IT professionals to diagnose hardware, update firmware, configure settings, or test drivers, they run before the OS loads and so hold privileges far beyond those of any OS administrator.

The problem arises from their place in the Secure Boot chain of trust. Microsoft's UEFI Certificate Authority serves as the root anchor, signing third-party tools that original equipment manufacturers (OEMs) embed in firmware.

Once signed, these shells execute without further scrutiny, even on systems that enforce Secure Boot to block unsigned code.

Eclypsium's deep dive revealed that many such shells include the "mm" command for memory modification. It lets the user read or write any system memory address, and in the pre-OS world there is no address space layout randomization or data execution prevention to get in the way.

Useful for diagnostics, it becomes an attacker's dream when scripted to run automatically from a startup file (the shell's startup.nsh), persisting across reboots without the OS ever noticing.

The technique targets the Security Architectural Protocol (EFI_SECURITY_ARCH_PROTOCOL), which verifies image signatures during boot. Eclypsium researchers Jesse Michael and Mickey Shkatov outlined a straightforward path in their DEF CON 30 demo: enumerate the system handles to find the protocol's address in memory, then use "mm" to overwrite its verification function pointer, either nulling it out or redirecting it to code that always returns "success".

A single command such as "mm 0x[target_address] 0x00000000 -w 8 -MEM" (the "-w 8" writes a full 64-bit pointer) disables the checks, allowing unsigned bootkits or rootkits to load freely while Secure Boot appears to remain intact.

Testing on Framework devices confirmed the issue. Using tools such as sbverify and custom Python scripts built on the pefile library, Eclypsium scanned EFI files for "mm" indicators and flagged the high-risk binaries.

QEMU-based automation then validated that the flagged shells actually execute the technique. This is not theoretical: game cheaters already pay for similar bypasses built on Microsoft-signed components, and nation-state actors or ransomware groups like those behind HybridPetya could weaponize it for espionage or sabotage.
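The scan described above, as an added example that is not Eclypsium's tooling: a standard-library stand-in for the pefile scripts the article mentions. It parses the PE headers of an EFI image, checks whether an Authenticode certificate table is present and whether it names the Microsoft UEFI CA, extracts UTF-16LE strings and matches them against "mm" help-text indicators, then assigns a triage level. The indicator heuristic (an "mm ..." syntax line, or a string naming three or more of the documented mm options) and the sample image built in build_sample_image() are assumptions constructed for this example; the mm option names and the CA name are the only values taken from the UEFI Shell and the real certificate.

```python
"""Triage an EFI image for a signed UEFI shell that ships the "mm" command.
Added example (stdlib only, no pefile). Indicator patterns are a heuristic."""
import re
import struct

# Option names of the UEFI Shell "mm" command, from its documented syntax.
MM_OPTION_TOKENS = ("-MMIO", "-MEM", "-IO", "-PCI", "-PCIE")
# Issuer CN of the CA that signs third-party UEFI binaries; it appears as plain
# ASCII inside the DER-encoded certificate chain of the Authenticode blob.
MS_UEFI_CA = b"Microsoft Corporation UEFI CA 2011"
EFI_SUBSYSTEMS = {10, 11, 12, 13}   # EFI app / boot driver / runtime driver / ROM
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_pe(data: bytes) -> dict:
    """Return the header fields this scan needs from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs = opt_off + (112 if magic == 0x20B else 96)      # PE32+ vs PE32
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    # Data directory 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; its "VA" is a file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    sections = []
    for i in range(nsec):
        sh = opt_off + opt_size + 40 * i
        name = data[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, sh + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return {"subsystem": subsystem, "cert": data[cert_off:cert_off + cert_size],
            "sections": sections}


def utf16_strings(blob: bytes):
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def looks_like_mm_help(s: str) -> bool:
    """Heuristic (assumption): an mm syntax line, or a string naming >= 3 mm options."""
    hits = sum(tok in s for tok in MM_OPTION_TOKENS)
    return s.startswith("mm ") or hits >= 3


def scan_efi(data: bytes) -> dict:
    pe = parse_pe(data)
    cert = pe["cert"]
    # WIN_CERTIFICATE starts with dwLength; a sane table is at least its own header.
    signed = len(cert) >= 8 and struct.unpack_from("<I", cert, 0)[0] <= len(cert)
    indicators = [s for _, body in pe["sections"] for s in utf16_strings(body)
                  if looks_like_mm_help(s)]
    ms_ca = signed and MS_UEFI_CA in cert
    if indicators and ms_ca:
        risk = "high"      # shell with a memory-write primitive that Secure Boot will run
    elif indicators and signed:
        risk = "medium"    # mm present, but signed by something other than the MS UEFI CA
    elif indicators:
        risk = "low"       # unsigned: Secure Boot already refuses it
    else:
        risk = "none"
    return {"is_efi": pe["subsystem"] in EFI_SUBSYSTEMS, "signed": signed,
            "ms_uefi_ca": ms_ca, "mm_indicators": indicators, "risk": risk}


def build_sample_image(with_mm: bool = True, signed: bool = True) -> bytes:
    """Constructed test data: a minimal PE32+ EFI application, not a real shell."""
    if with_mm:
        text = ("Displays or modifies MEM/MMIO/IO/PCI/PCIE address space.\0"
                "mm Address [Value] [-w 1|2|4|8] [-MMIO|-MEM|-IO|-PCI|-PCIE] [-n]\0")
    else:
        text = "Hello from a harmless EFI application.\0"
    sec_data = text.encode("utf-16-le")
    sec_data += b"\0" * (-len(sec_data) % 0x200)
    hdr_size, sec_ptr = 0x200, 0x200
    cert = b""
    if signed:   # fake WIN_CERTIFICATE: dwLength, revision 0x0200, PKCS#7 type, body
        body = b"\x30\x82\x01\x00" + MS_UEFI_CA + b"\0" * 32
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    cert_ptr = sec_ptr + len(sec_data)
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+
    struct.pack_into("<I", opt, 60, hdr_size)                  # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 10)                        # Subsystem: EFI app
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_ptr if signed else 0, len(cert))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x0022)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec_data), 0x1000,
                          len(sec_data), sec_ptr, 0, 0, 0, 0, 0x40000040)
    headers = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
               + coff + bytes(opt) + sec_hdr)
    return headers + b"\0" * (hdr_size - len(headers)) + sec_data + cert


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(scan_efi(data))
```

Run it with a path to an .efi file pulled from an ESP or a firmware capsule; with no argument it scans the constructed sample. A "high" result means only that the image is a Microsoft-signed binary carrying mm-style help text, which is exactly the class Eclypsium flagged; confirming that the binary is actually booted by the firmware, and checking its Authenticode hash against the DBX, are separate steps.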

UEFI Shell Vulnerabilities

Affected models span Framework's lineup, from 11th Gen Intel Core through the AMD Ryzen AI series, roughly 200,000 units in all.

Product | BIOS version with restricted shell | BIOS version with DBX update
Framework 13 11th Gen Intel Core | Vulnerable: fix planned in 3.24 | Vulnerable: fix planned in 3.24
Framework 13 12th Gen Intel Core | Fixed in 3.18 | Fix planned for 3.19 (TBD)
Framework 13 13th Gen Intel Core | Fixed in 3.08 | Fixed in 3.09
Framework 13 Intel Core Ultra Series 1 | Fixed in 3.06 | Fixed in 3.06
Framework 13 AMD Ryzen 7040 Series | Fixed in 3.16 | Fixed in 3.16
Framework 13 AMD Ryzen AI 300 Series | Fixed in 3.04 | Planned in 3.05 (TBD)
Framework 16 AMD Ryzen 7040 Series | Fixed in 3.06 (Beta) | Fixed in 3.07
Framework Desktop AMD Ryzen AI 300 MAX | Fixed in 3.01 | Planned in 3.03

Framework has rolled out fixes on two fronts: stripping the dangerous commands from the shells, and updating the DBX revocation list so the vulnerable versions are refused. Users can apply the BIOS updates, or, for immediate protection, delete Framework's DB key through the setup menu (anything signed only with that key will then stop booting too, so check what else relies on it first).

Past incidents such as CVE-2022-34302 and CVE-2024-7344 show this is an industry-wide problem, and have prompted calls to bar shells from Secure Boot chains in the EDK2 specifications.

Defenses include regular DBX updates, BIOS passwords, custom Secure Boot keys, and firmware scanning tools. As Eclypsium warns, implicit trust in a signature blinds us to supply chain risk.
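A check that belongs with the DBX advice above and with Framework's DBX updates: confirm that a given binary's hash is actually in the DBX your firmware holds. The following is an added example, not Framework's or Eclypsium's code; it parses the EFI_SIGNATURE_LIST layout from the UEFI specification with the standard library only. Two caveats it encodes: the DBX stores Authenticode (PE image) SHA-256 digests, not plain file hashes, so the value passed to is_revoked() must be the Authenticode digest (sbverify or osslsigncode will print it); and on Linux the efivarfs file carries a 4-byte attribute prefix that must be stripped. The sample blob built by build_sample_dbx() is constructed test data, not a real revocation list.

```python
"""Check an Authenticode SHA-256 digest against a UEFI DBX (forbidden signatures) blob.
Added example; parses EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA from the UEFI spec."""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Linux efivarfs path for dbx (EFI_IMAGE_SECURITY_DATABASE_GUID); first 4 bytes are attributes.
DBX_EFIVARS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
LIST_HDR = 28   # EFI_GUID SignatureType + SignatureListSize + SignatureHeaderSize + SignatureSize


def parse_signature_lists(blob: bytes):
    """Yield (SignatureType, [(SignatureOwner, SignatureData), ...]) for each list."""
    off = 0
    while off + LIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HDR + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        entries = []
        pos, end = off + LIST_HDR + hdr_size, off + list_size
        while pos + sig_size <= end:           # each entry: owner GUID + signature data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        yield sig_type, entries
        off += list_size


def revoked_sha256(blob: bytes) -> set:
    """All 32-byte Authenticode digests the DBX forbids."""
    return {data for t, entries in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID for _, data in entries}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    digest = bytes.fromhex(authenticode_sha256_hex)
    if len(digest) != 32:
        raise ValueError("expected a 32-byte SHA-256 Authenticode digest")
    return digest in revoked_sha256(blob)


def summarize(blob: bytes) -> dict:
    """Entry counts per signature type, e.g. {'sha256': 3, 'x509': 1}."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    counts = {}
    for t, entries in parse_signature_lists(blob):
        key = names.get(t, str(t))
        counts[key] = counts.get(key, 0) + len(entries)
    return counts


def load_dbx_efivars(path: str = DBX_EFIVARS_PATH) -> bytes:
    with open(path, "rb") as f:
        return f.read()[4:]   # strip the efivarfs attribute prefix


def build_sample_dbx(hashes, cert_der: bytes = b"") -> bytes:
    """Construct a DBX blob for testing; these are not real revocation entries."""
    owner = uuid.UUID(int=0).bytes_le
    out = b""
    if hashes:
        sig_size = 16 + 32
        body = b"".join(owner + h for h in hashes)
        out += (EFI_CERT_SHA256_GUID.bytes_le
                + struct.pack("<III", LIST_HDR + len(body), 0, sig_size) + body)
    if cert_der:
        sig_size = 16 + len(cert_der)
        out += (EFI_CERT_X509_GUID.bytes_le
                + struct.pack("<III", LIST_HDR + sig_size, 0, sig_size) + owner + cert_der)
    return out


# Constructed sample: three made-up "shell" digests plus one fake certificate entry.
SAMPLE_HASHES = [hashlib.sha256(f"constructed-shell-{i}".encode()).digest() for i in range(3)]
SAMPLE_DBX = build_sample_dbx(SAMPLE_HASHES, cert_der=b"\x30\x82\x00\x10constructed-cert")

if __name__ == "__main__":
    import sys
    dbx = load_dbx_efivars() if len(sys.argv) < 2 else open(sys.argv[1], "rb").read()
    print(summarize(dbx))
    if len(sys.argv) > 2:
        print("revoked" if is_revoked(dbx, sys.argv[2]) else "not revoked")
```

Pointed at a live system, summarize() gives a quick way to see whether a BIOS update actually landed new DBX entries (the count grows), and is_revoked() answers the question the table above raises for each model: is the shell binary from the old firmware now refused, or is the platform still relying on the "fix planned" column.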

With firmware attacks escalating, organizations must give this "below-OS" attack surface the same priority as the operating system above it. The era of treating signed code as inherently safe has ended; what the signature actually authorizes must now be verified.
