Hundreds of Unified Extensible Firmware Interface (UEFI) products from major vendors are vulnerable to compromise due to a critical firmware supply-chain issue called PKfail. The vulnerability enables attackers to bypass Secure Boot and install malware.
Hundreds of UEFI products from 10 major vendors are vulnerable due to a critical firmware supply-chain issue named PKfail. This issue, discovered by the Binarly Research Team, allows attackers to bypass Secure Boot and install malware. Functionally, Secure Boot ensures that when any computer starts up, malicious actors are unable to intercept the process. Without it, computers become significantly more vulnerable.
The vulnerability stems from the use of a test Secure Boot "master key" (Platform Key or PK), generated by American Megatrends International (AMI) and marked "DO NOT TRUST," which many vendors failed to replace with their own secure keys. This oversight left devices with untrusted keys, compromising the security chain from firmware to the operating system.
Affected vendors include Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro, covering 813 products.
In May 2023, BleepingComputer wrote about a related security incident that involved leaked private keys from Intel Boot Guard, impacting multiple vendors. The Money Message extortion gang leaked source code belonging to MSI, a firmware organization, containing private keys for 57 MSI products and Intel Boot Guard keys for another 116 MSI products. Additionally, an AMI Secure Boot "master key" leak earlier this year affected various enterprise devices still in use.
The PKfail vulnerability enables threat actors with access to vulnerable devices and to the private part of the Platform Key (PK) to bypass Secure Boot by manipulating the key databases and signing malicious code, compromising the entire security chain. Actors can then deploy malware like CosmicStrand and BlackLotus. The issue has persisted since the first vulnerable firmware release in May 2012, with the latest in June 2024, making it one of the longest-lasting supply-chain issues.
To mitigate PKfail, vendors should follow best practices for cryptographic key management, including using Hardware Security Modules, and replace any test keys with their own secure keys. Users should apply firmware updates and security patches promptly.
Binarly has also launched the pk.fail website to help users scan firmware binaries for PKfail vulnerabilities and malicious payloads.
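A local check for the test key described above, as an added example that is not Binarly's or any vendor's tooling: it walks the EFI_SIGNATURE_LIST structures stored in the PK variable and reports X.509 entries that carry the "DO NOT TRUST" marker. The sample inputs are constructed placeholder bytes rather than real certificates, and the function names are this example's own.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Marker named in the article; it appears as plain ASCII inside the DER certificate.
TEST_KEY_MARKERS = (b"DO NOT TRUST",)
PK_EFIVARFS = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_signature_lists(data):
    """Yield (type_guid, owner_guid, signature) from concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the signature.
            yield sig_type, uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def find_test_keys(variable_data):
    """Return test-key markers found in X.509 entries of a PK/KEK/db payload."""
    return [m.decode()
            for sig_type, _owner, cert in parse_signature_lists(variable_data)
            if sig_type == EFI_CERT_X509_GUID
            for m in TEST_KEY_MARKERS if m in cert]


def read_efivar(path=PK_EFIVARFS):
    """Read a variable from Linux efivarfs, dropping the 4-byte attributes prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_list(cert_bytes, owner=uuid.UUID(int=0)):
    sig_size = 16 + len(cert_bytes)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_bytes


# Constructed samples built with build_list(): placeholder bytes, not real certificates.
SAMPLE_TEST_PK = build_list(b"\x30\x82...CN=DO NOT TRUST - Test PK...")
SAMPLE_VENDOR_PK = build_list(b"\x30\x82...CN=Example Vendor Platform Key...")
```

On a Linux host booted in UEFI mode, `find_test_keys(read_efivar())` runs the same check against the live PK; a non-empty result means the platform still carries the test key and needs the vendor's firmware update.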
“Secure Boot has always been the holy grail of platform security, and many security features at the operating system layer depend on its integrity,” said the Binarly REsearch team.
Binarly reported that the root cause of this issue lies in the "master key" within Secure Boot, known as the Platform Key in UEFI terminology. Its primary function is to manage the Secure Boot databases, which determine what is trusted, preserving a chain of trust from firmware through to the operating system. “In theory, given its importance, the creation and the management of this master key should be done by the device vendors following best practices for cryptographic key management (for example, by using Hardware Security Modules).” The keys are generated on the assumption that they will be replaced; however, IT administrators do not always do this.
UEFI (Unified Extensible Firmware Interface) malware is an advanced type of malicious software that targets a computer's firmware, specifically the UEFI firmware responsible for launching hardware components and loading operating systems.
By compromising the UEFI firmware, malware can achieve a high level of persistence and stealth as it operates below the operating system and traditional antivirus solutions. Once embedded in the firmware, UEFI malware can control the system at a fundamental level, enabling the execution of various malicious activities such as espionage, data theft, and system sabotage.
The discovery of widespread vulnerabilities in UEFI firmware has significant implications beyond the immediate context, affecting individuals and industries in various ways:
The event highlights systemic weaknesses in the cybersecurity landscape, particularly in supply chain security, and underscores the need for a more robust framework for securing firmware.
UEFI (Unified Extensible Firmware Interface) firmware is a type of software that connects a computer's hardware to its operating system. It initializes the hardware components and loads the operating system when the computer is powered on.
Secure Boot is a security feature that prevents unauthorized software from running during the system startup process. It ensures that only software with a valid digital signature from a trusted authority can execute, protecting the system from malware and rootkits.
This issue highlights the importance of securing the entire supply chain and the need for comprehensive cybersecurity measures that include hardware and firmware, not just software. It underscores the evolving sophistication of cyber threats and the necessity for robust security practices.