Authenticated attacker can bypass Secure Boot

Jan 5, 2015 21:53 GMT  ·  By

A flaw has been discovered in the unified extensible firmware interface (UEFI) of some systems, allowing an attacker to bypass Secure Boot, the security standard used on the latest Windows versions for verifying the legitimacy of software loading at boot time.

According to an advisory from the CERT (Computer Emergency Response Team) division at Carnegie Mellon University, some UEFI systems do not restrict access to the boot script used by the EFI S3 Resume Boot Path, which can let a local attacker defeat the write protections imposed by the firmware.

Boot script runs before security mechanisms are deployed

Beyond bypassing Secure Boot, the flaw also allows the platform firmware to be replaced with a modified image that permits unsigned software to run during the boot sequence of the machine.

The implications of this flaw are severe because the boot script runs before any of the security mechanisms are launched, meaning that the attacker can gain persistence that survives subsequent mitigation attempts.

“The boot script is interpreted early enough where important platform security mechanisms have not yet been configured. For example, BIOS_CNTL, which helps protect the platform firmware against arbitrary writes, is unlocked. TSEGMB, which protects SMRAM against DMA, is also unlocked,” say Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation, the researchers who discovered the vulnerability.

On the affected systems, the boot script is located in an unprotected memory area that can be tampered with by an attacker with physical access.
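The two registers named above are the ones a defender wants to confirm are locked once the system is running, whether after a cold boot or after an S3 resume. The following is an added example (not code from the advisory or from the researchers) that decodes BIOS_CNTL and TSEGMB and reports whether each lock is engaged. The register locations are an assumption that holds for Intel ICH and Series-era PCHs (BIOS_CNTL at offset 0xDC of the LPC bridge, TSEGMB at offset 0xB8 of the host bridge); on other chipsets the offsets differ. When run as root on Linux it reads the live values via sysfs; otherwise it audits constructed sample values.

```python
"""Audit the two chipset locks the advisory names as open during S3 boot-script replay.

Added defender-side example. It decodes BIOS_CNTL (firmware write protection)
and TSEGMB (SMRAM DMA protection) and reports whether each lock is engaged.
Register locations are an assumption for ICH/Series-era Intel PCHs.
"""

# Assumed register locations (Intel ICH / Series PCH); adjust for other chipsets.
LPC_BRIDGE = "0000:00:1f.0"   # BIOS_CNTL lives in the LPC bridge config space
HOST_BRIDGE = "0000:00:00.0"  # TSEGMB lives in the host bridge config space
BIOS_CNTL_OFFSET = 0xDC       # 8-bit register
TSEGMB_OFFSET = 0xB8          # 32-bit register

# BIOS_CNTL bit fields
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash BIOS region is writable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can veto it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes honoured only while in SMM
# TSEGMB bit field
TSEGMB_LOCK = 1 << 0  # once set, the TSEG (SMRAM) base cannot be moved until reset


def decode_bios_cntl(value):
    """Return the three protection-relevant bits of BIOS_CNTL as booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def bios_region_write_protected(bios_cntl):
    """True when the flash BIOS region is protected against arbitrary writes.

    Writes are blocked while BIOSWE is clear; BLE is what stops software from
    simply setting BIOSWE, because the attempt traps into SMM. Without BLE a
    clear BIOSWE bit is only advisory.
    """
    bits = decode_bios_cntl(bios_cntl)
    return (not bits["BIOSWE"]) and bits["BLE"]


def smram_dma_protected(tsegmb):
    """True when TSEGMB is locked, i.e. the SMRAM region cannot be relocated."""
    return bool(tsegmb & TSEGMB_LOCK)


def audit(bios_cntl, tsegmb):
    """Return a list of findings; an empty list means all locks are engaged."""
    findings = []
    bits = decode_bios_cntl(bios_cntl)
    if not bios_region_write_protected(bios_cntl):
        findings.append(
            "BIOS_CNTL=0x%02X: firmware write protection not enforced "
            "(BIOSWE=%d, BLE=%d)" % (bios_cntl, bits["BIOSWE"], bits["BLE"]))
    elif not bits["SMM_BWP"]:
        findings.append(
            "BIOS_CNTL=0x%02X: SMM_BWP clear, writes from outside SMM are not "
            "additionally blocked" % bios_cntl)
    if not smram_dma_protected(tsegmb):
        findings.append("TSEGMB=0x%08X: LOCK bit clear, SMRAM base is movable" % tsegmb)
    return findings


def read_pci_config(bdf, offset, size):
    """Read `size` bytes of PCI config space via sysfs (needs root); None if unavailable."""
    path = "/sys/bus/pci/devices/%s/config" % bdf
    try:
        with open(path, "rb") as f:
            f.seek(offset)
            data = f.read(size)
    except OSError:
        return None
    if len(data) != size:
        return None
    return int.from_bytes(data, "little")


def main():
    bios_cntl = read_pci_config(LPC_BRIDGE, BIOS_CNTL_OFFSET, 1)
    tsegmb = read_pci_config(HOST_BRIDGE, TSEGMB_OFFSET, 4)
    if bios_cntl is None or tsegmb is None:
        # Constructed sample values for offline use: locks engaged vs. wide open.
        samples = {"locked": (0x22, 0xDF800001), "open": (0x01, 0xDF800000)}
        for name, (bc, tm) in samples.items():
            print(name, audit(bc, tm) or ["ok"])
        return
    print(audit(bios_cntl, tsegmb) or ["ok"])


if __name__ == "__main__":
    main()
```

The check is deliberately conservative: BIOS_CNTL only counts as protected when BIOSWE is clear and BLE is set, and SMM_BWP being clear is reported separately as a weaker finding. A value that passes here after an S3 resume is what the vendor firmware fix is meant to guarantee; the vulnerability described in the article is precisely that these bits are still open while the boot script is being replayed.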

Vendors have already released updated firmware code

Another consequence of exploiting this security flaw is that the platform firmware can be corrupted in a way that renders the machine inoperable (Windows 8, 8.1, RT, RT 8.1, Server 2012 and Server 2012 R2).

According to the advisory, some products from American Megatrends Incorporated (AMI), Intel and Phoenix Technologies are affected by the flaw, which is currently tracked as CVE-2014-8274.

However, these vendors have released new firmware that fixes the problem and are currently working with OEMs to include the new code on the machines currently in production. Users are advised to apply the firmware update in order to eliminate the risk.