New UEFI vulnerability bypasses Secure Boot — bootkits stay undetected even after OS re-install

A new UEFI vulnerability has been discovered that is spread through multiple system recovery tools. Bleeping Computer reports that the vulnerability enables attackers to bypass Secure Boot and deploy bootkits that can be invisible to the operating system. Microsoft has officially flagged the vulnerability with the codename CVE-2024-7344 Howyar Taiwan Secure Boot Bypass.

The culprit purportedly comes from a customer PE loader, which allows any UEFI binary to be loaded, even unsigned ones. This is due to the vulnerability allegedly not relying on trusted services such as LoadImage and StartImage.

Attackers can exploit this functionality by replacing an app's default OS bootloader on the EFI partition with a vulnerable version that contains a rudimentary encrypted XOR PE image. Once installed, the infected system will boot with malicious data from the XOR PE image.

Because this exploit completely bypasses Secure Boot and operates at the UEFI level, software-level anti-viruses and security measures are rendered useless in fighting this attack. Operating system re-installs can also not remove this attack as a potential countermeasure.

Multiple system recovery tools allegedly exploit the new vulnerability from many third-party software developers. Specifically, UEFI applications are designed to assist in recovery, disk maintenance, or backups. Some of the affected tools include Howyar SysReturn, Greenware GreenGuarde, and Radix SmartRecovery.

Affected software products discovered by ESET security researchers:

• Howyar SysReturn before version 10.2.023_20240919
• Greenware GreenGuard before version 10.2.023-20240927
• Radix SmartRecovery before version 11.2.023-20240927
• Sanfong EZ-back System before version 10.3.024-20241127
• WASAY eRecoveryRX before version 8.4.022-20241127
• CES NeoImpact before version 10.1.024-20241127
• SignalComputer HDD King before version 10.3.021-20241127

The good news is that Microsoft and ESET security have already taken measures to protect the public from this vulnerability. ESET has allegedly contacted affected vendors to eliminate the security issue. Microsoft has revoked the certificates of affected venerable software in the most recent Windows update, which went live this week on patch Tuesday.

Suppose you run any of the software applications above. In that case, it's worth ensuring you have the latest Windows update, and updating the aforementioned software to versions that will counter this UEFI vulnerability is worth ensuring you have the latest Windows update.