About Secure Boot Bugs
Bootloaders present in the majority of systems made in the last 10 years have been affected by Secure Boot bypass vulnerabilities.
Secure Boot is a mechanism designed to protect a device's boot process from threats; bypassing it allows an attacker to execute arbitrary code before the operating system loads.
This enables the installation of stealthy and persistent malware. The Secure Boot vulnerabilities were found in the Eurosoft (CVE-2022-34301), New Horizon Datasys (CVE-2022-34302), and CryptoPro Secure Disk for BitLocker (CVE-2022-34303) bootloaders.
According to Eclypsium, the company that reported them, these bootloaders are found in almost every device made in the past 10 years, including ARM and x86-64 devices.
How do the bugs work?
The CryptoPro Secure Disk and Eurosoft bootloaders contain signed UEFI shells, and attackers can bypass Secure Boot by abusing their built-in capabilities. These loopholes are easy to exploit through automated startup scripts.
According to Eclypsium, the third bootloader contains a built-in bypass for Secure Boot that leaves Secure Boot switched on but disables its checks. This bypass can further enable more complex evasions, such as disabling security handlers.
In this case, an attacker would not need scripting commands at all and could directly run arbitrary unsigned code. To exploit any of these bugs, an attacker must already have administrator or root privileges on the targeted Windows or Linux system.
The company noted, however, that there are many ways to obtain these permissions on a device. The flawed bootloaders are signed by Microsoft. According to an advisory issued by the CERT/CC at Carnegie Mellon University, Microsoft has been working with the vendors to address the flaws and has revoked the certificates associated with the affected bootloaders.
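The revocation described above lands on a system as entries in the UEFI dbx (forbidden signatures) variable. The following is an added example, not code from the article, Eclypsium or Microsoft: it parses the dbx payload, a chain of EFI_SIGNATURE_LIST structures as defined in the UEFI specification, and checks whether a given bootloader's Authenticode SHA-256 hash is revoked, which is how an administrator can confirm the fix actually reached a machine. The Linux efivars path is real; the hashes in the fixture are constructed placeholders, not the real dbx entries for the affected loaders.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Linux exposes the variable here; the first 4 bytes of the file are variable attributes.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(data: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures, returning (type, owner, payload) tuples."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + signature data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def revoked_sha256_hashes(dbx: bytes):
    """Hex digests of every EFI_CERT_SHA256 entry (Authenticode hashes of PE images, not flat file hashes)."""
    return {payload.hex() for t, _, payload in parse_signature_lists(dbx) if t == EFI_CERT_SHA256_GUID}

def is_hash_revoked(dbx: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256_hashes(dbx)

def load_dbx_linux(path: str = DBX_EFIVAR) -> bytes:
    with open(path, "rb") as f:
        return f.read()[4:]  # strip the 4-byte attribute word that efivarfs prepends

def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one SHA-256 EFI_SIGNATURE_LIST (used here only to construct the fixture)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

# Constructed fixture: placeholder digests, NOT the real dbx entries for the affected loaders.
REVOKED_HEX = hashlib.sha256(b"constructed revoked loader").hexdigest()
OTHER_HEX = hashlib.sha256(b"constructed unrelated loader").hexdigest()
SAMPLE_DBX = build_sha256_list([REVOKED_HEX]) + build_sha256_list([OTHER_HEX])

if __name__ == "__main__":
    print("revoked SHA-256 entries:", len(revoked_sha256_hashes(SAMPLE_DBX)))
    print("placeholder loader revoked?", is_hash_revoked(SAMPLE_DBX, REVOKED_HEX))
```

On a live Linux host, replace SAMPLE_DBX with load_dbx_linux() and pass the Authenticode hash of the bootloader image you want to check; the X.509 entries in dbx are returned by parse_signature_lists as well but are filtered out by revoked_sha256_hashes.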
"In 2020, Eclypsium disclosed the existence of a vulnerability named BootHole, which affected all operating systems that used the GRUB2 bootloader with Secure Boot. Some vendors rushed to release patches in response to BootHole, but they caused many systems," says Security Week.