Beyond Root: How Flaws in UEFI Secure Boot Allow Remote Attackers to Run Malware Beneath the OS and Survive Clean Re-Install and Even Disk Replacement

Webinar Registration

Some security experts have been warning UEFI Secure Boot risks aren’t getting the attention they deserve, and it looks like they were right. UEFI security technologies are not just about physical access vectors. Remotely launched attacks can exploit Secure Boot vulnerabilities to gain a level of persistence and privilege that goes way beyond anything you can accomplish with common OS level attacks.

These attacks are based in the firmware, a realm beyond the purview of Windows or Linux security controls. UEFI Secure Boot is a chain of security intended to protect that vulnerable period between power-on and when the OS is fully loaded and can take over security. Secure Boot should prevent:

  • Firmware attacks
  • Rootkits
  • Malicious device drivers

With Secure Boot, when the PC starts, the firmware checks the signature of each piece of boot code, including UEFI firmware drivers (aka Option ROMs), EFI applications, the bootloader and related early-stage components of the OS. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

But every security technology has its flaws, and UEFI is no exception. In this real training for free session I will introduce you to UEFI Secure Boot and its components like:

  • SPI
  • EFI partition
  • Signature and key databases

We will look at the boot sequence and chain of trust embodied in Secure Boot.

Then we will identify several “features” of Secure Boot that bad guys are using in attacks like the first UEFI firmware attack caught in the wild – LoJax. But we’ll also talk about the much more recent vulnerabilities discovered in over 2 dozen Lenovo notebooks that allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases, which then allow execution of known vulnerable bootloaders by effectively deleting the list of banned bootloaders.

Eclypsium first published information about 3 vulnerable bootloaders:

  • CVE-2022-34301 – Eurosoft (UK) Ltd
  • CVE-2022-34302 – New Horizon Datasys Inc
  • CVE-2022-34303 – CryptoPro Secure Disk for BitLocker

Eclypsium’s research and unique technology for securing and managing firmware make them the perfect sponsor for this session. Paul Asadoorian is a Security Evangelist at Eclypsium and founder of Security Weekly, a security podcast network (acquired by CyberRisk Alliance in 2020). He will discuss past and current flaws in valid bootloaders, including some that misuse built-in features to bypass Secure Boot inadvertently, and how malicious executables can hide from TPM measurements used by BitLocker and remote attestation mechanisms.

 Please join us for this technical and eye-opening real training for free session.
