Researchers Uncover UEFI Safe Boot Bypass in 3 Microsoft Signed Boot Loaders


A safety characteristic bypass vulnerability has been uncovered in three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders that enable bypass of the UEFI Safe Boot characteristic.

“These vulnerabilities may be exploited by mounting the EFI System Partition and changing the present bootloader with the susceptible one, or modifying a UEFI variable to load the susceptible loader as an alternative of the present one,” {hardware} safety agency Eclypsium stated in a report shared with The Hacker Information.


The next vendor-specific boot loaders, which have been signed and authenticated by Microsoft, have been discovered susceptible to the bypass and have been patched as a part of the tech big’s Patch Tuesday replace launched this week –

Safe Boot is a safety normal designed to thwart malicious applications from loading when a pc begins up (boots) and guarantee solely the software program that’s trusted by the Authentic Tools Producer (OEM) is launched.

“The firmware boot loaders boot the UEFI atmosphere and arms over management to UEFI purposes written by the SoC vendor, Microsoft, and OEMs,” Microsoft notes in its documentation. “The UEFI atmosphere launches the Home windows Boot Supervisor, which determines whether or not in addition to Full Flash Replace (FFU) picture flashing or system reset mode, to the replace OS, or to the principle OS.”

Boot Loaders

In a nutshell, profitable exploitation of the issues recognized by Eclypsium may allow an adversary to avoid safety guardrails at startup and execute arbitrary unsigned code in the course of the boot course of.

This could have additional knock-on results, enabling a nasty actor to realize entrenched entry and set up persistence on a bunch by way of in a fashion that may survive working system reinstalls and laborious drive replacements, to not point out fully bypassing detection by safety software program.


Calling CVE-2022-34302 “much more stealthy,” Eclypsium famous the New Horizon Datasys vulnerability isn’t solely trivial to take advantage of within the wild, however may also “allow much more advanced evasions corresponding to disabling safety handlers.”

Safety handlers, for example, can embody Trusted Platform Module (TPM) measurements and signature checks, Eclypsium researchers Mickey Shkatov and Jesse Michael stated.

It is value noting that exploiting these vulnerabilities requires an attacker to have administrator privileges, though gaining native privilege escalation isn’t thought-about insurmountable owing to the truth that Microsoft does not deal with Consumer Account Management (UAC) bypass as a safety danger.

“Very similar to BootHole, these vulnerabilities spotlight the challenges of making certain the boot integrity of units that depend on a posh provide chain of distributors and code working collectively,” the researchers concluded, including “these points spotlight how easy vulnerabilities in third-party code can undermine your complete course of.”


Please enter your comment!
Please enter your name here