WisePlant – A WiseGroup Company
PKfail

PKfail Secure Boot bypass lets attackers install UEFI malware


Summary:

Hundreds of UEFI products from 10 vendors are vulnerable to the PKfail supply-chain issue, which lets an attacker bypass Secure Boot and install firmware-level malware. The root cause is a test Platform Key (PK) from AMI that OEMs shipped in production firmware instead of replacing it with their own key; the issue has been present for over 12 years and affects nearly 900 devices. Vendors should replace the test key and generate and manage the PK according to cryptographic key management best practices. Users should apply firmware updates and security patches promptly, check whether a device is affected (an elevated PowerShell command or Binarly's online tool), and disconnect devices carrying the leaked AMI PK from critical networks until a firmware update is available. The risks include bypass of Secure Boot, execution of attacker-signed code at boot, persistent bootkits such as BlackLotus, wide impact across consumer and enterprise devices, and exposure stemming from a data breach in which the private key was leaked.

Here are the key points:

  • Critical Firmware Issue: Hundreds of UEFI products from 10 vendors are vulnerable due to a supply-chain issue known as PKfail, allowing attackers to bypass Secure Boot and install malware.
  • Untrusted Keys: Devices shipped with a test Secure Boot “master key” from AMI, which should have been replaced by OEMs with secure keys.
  • Long-Lasting Vulnerability: The issue has persisted for over 12 years, affecting nearly 900 devices.
  • Mitigation: Vendors should follow cryptographic key management best practices and replace the test keys. Users should apply firmware updates and security patches promptly.

What are the risks of this vulnerability?

The PKfail vulnerability poses several significant risks:

  1. Bypassing Secure Boot: PKfail allows attackers to bypass the Secure Boot process on millions of Intel and ARM microprocessor-based computing systems from multiple vendors. Secure Boot is a security feature that ensures only trusted and verified software runs during the boot process. Bypassing Secure Boot compromises the entire security chain, from firmware to the operating system.
  2. Execution of Malicious Code: Attackers can sign and execute malicious code during the device’s boot process, even when Secure Boot is enabled. This can lead to the installation of UEFI bootkits, such as BlackLotus, which compromise the system’s security from the firmware level up to the operating system.
  3. Persistent Threats: The vulnerability makes it easier for attackers to deploy Unified Extensible Firmware Interface (UEFI) bootkits like BlackLotus, which offer persistent kernel access and privileges. These threats are difficult to detect and remove, as they survive operating system reinstalls.
  4. Wide Impact: The issue affects multiple vendors and several consumer- and enterprise-grade devices. Affected vendors include Lenovo, HP, Asus, and SuperMicro.
  5. Data Breach Risks: The private part of a Platform Key was identified in a recent data breach that affected an ODM working with AMI. This exposes systems to low-level malware attacks that would not be detectable to OS-level antimalware protections.

Given these risks, organizations should disconnect devices carrying the leaked AMI PK from critical networks until a firmware update that replaces the key can be deployed.

How you can check if your device is affected?

You can check whether your device is affected by the PKfail vulnerability as follows:

  • Windows Users: Run the following command in an elevated PowerShell on a UEFI system (the cmdlet fails on legacy-BIOS machines or where Secure Boot is unsupported):
  • [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match "DO NOT TRUST|DO NOT SHIP"
  • If it returns True, the installed Platform Key is the AMI test key and your device is affected. If it returns False, the PK does not carry this marker; that rules out the known PKfail test key but is not proof that the firmware has no other issues, so still follow your vendor's advisories.
  • Online Tool: Binarly has provided an online tool to check whether a firmware image is affected by PKfail. Devices affected by PKfail will have the Platform Key certificate's subject and issuer fields containing the string DO NOT TRUST or DO NOT SHIP.
  • PKfail Scanner: Use tools like the PKfail scanner provided by Binarly to detect vulnerable devices and malicious payloads.
  • Remember to regularly check for and apply firmware updates from your device vendors to address PKfail vulnerabilities. If you find that your device is affected, disconnect it from critical networks until you are able to deploy a firmware upgrade.
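The one-liner above greps the raw variable bytes. The following PowerShell script is an added example (not code from the original article, from AMI or from Binarly) that parses the Secure Boot PK variable into its X.509 certificate, reports the subject, issuer, expiry and thumbprint, and flags the AMI test key by the same "DO NOT TRUST" / "DO NOT SHIP" marker. It relies only on the EFI_SIGNATURE_LIST layout from the UEFI specification and the built-in Get-SecureBootUEFI cmdlet; the function and variable names are the author's own.

```powershell
# Added example, not code from the original article or from Binarly.
# Parses the Secure Boot PK/KEK/db variables into X.509 certificates and flags
# the AMI test Platform Key by its "DO NOT TRUST" / "DO NOT SHIP" marker.
# Run from an elevated PowerShell on a UEFI system; Get-SecureBootUEFI fails on
# legacy-BIOS machines and on systems where Secure Boot is unsupported.
# Assumption: the variable follows the UEFI spec's EFI_SIGNATURE_LIST layout
# and all sizes fit in an Int32 (true for real Secure Boot databases).

function Get-SecureBootCertificates {
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name = 'PK')

    $bytes    = (Get-SecureBootUEFI -Name $Name).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset   = 0

    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType (16-byte GUID) | SignatureListSize | SignatureHeaderSize | SignatureSize (UINT32 each)
    #   SignatureHeader[SignatureHeaderSize]
    #   EFI_SIGNATURE_DATA[]: SignatureOwner (16-byte GUID) + SignatureData (DER certificate for X.509 lists)
    while ($offset + 28 -le $bytes.Length) {
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }
        if ($sigType -eq $x509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # Skip the 16-byte SignatureOwner GUID; the rest is the DER-encoded certificate
                $certBytes = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
                $pos += $sigSize
            }
        }
        # Non-X.509 lists (e.g. SHA-256 hash lists in dbx) are skipped; their size still advances the cursor
        $offset += $listSize
    }
}

function Test-PKfail {
    $marker = 'DO NOT TRUST|DO NOT SHIP'
    foreach ($cert in Get-SecureBootCertificates -Name PK) {
        [pscustomobject]@{
            Variable   = 'PK'
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            PKfail     = ($cert.Subject -match $marker) -or ($cert.Issuer -match $marker)
        }
    }
}

Test-PKfail | Format-List
```

Because the parser walks every signature list rather than assuming a single entry, the same function can be pointed at KEK or db (for example `Get-SecureBootCertificates -Name KEK | Select-Object Subject, Thumbprint`) to review which other certificates the platform trusts, which is useful when validating that a vendor's firmware update actually replaced the PK rather than only adding to the trust chain.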

How can I protect my device from PKfail attacks?

To protect your device from PKfail attacks, you can follow these steps:

  1. Apply Security Patches: Regularly check for and apply firmware updates from your device vendors; the fix for PKfail is a firmware update that replaces the compromised Platform Key.
  2. Monitor Devices: Use tools like the PKfail scanner provided by Binarly to detect vulnerable devices and malicious payloads.
  3. Cryptographic Key Management: Vendors are advised to generate and manage the Platform Key following cryptographic key management best practices, such as generating and storing the private key in a Hardware Security Module (HSM).
  4. Replace Test Keys: Vendors must replace any test keys provided by independent BIOS vendors like AMI with their own securely generated keys before shipping firmware.

If your device is affected, disconnect it from critical networks until you are able to deploy a firmware upgrade that replaces the key.
About the author: Kevin Harrys
