2 min read

Old Microsoft-signed shims can bypass Secure Boot

ESET found 11 Microsoft-signed UEFI shim bootloaders that can bypass Secure Boot on systems trusting the 2011 certificate.

Image: TechRadar

ESET finds old shims that can break Secure Boot

ESET says it found 11 vulnerable UEFI shim bootloaders, all signed by Microsoft, that attackers could use to bypass UEFI Secure Boot and deploy malicious bootkits.

The issue does not rely on a newly discovered flaw. Instead, according to ESET, attackers can use old, still-trusted shim binaries to get around one of the PC boot process’s core protections.

Why the problem is so broad

A shim is a small intermediary bootloader that sits between UEFI firmware and an operating system’s bootloader. It is commonly used so operating systems can work with UEFI Secure Boot without requiring Microsoft to sign every Linux bootloader individually.

According to the report, any UEFI-based machine that trusts the Microsoft Corporation UEFI CA 2011 third-party UEFI certificate authority certificate could be exposed, regardless of operating system, if it accepts the affected shims — versions 0.9 and older.

That could put the number of potentially vulnerable devices in the billions. TechRadar notes that almost all modern x86 PCs use UEFI firmware, and most trust the Microsoft Corporation UEFI CA 2011 certificate by default.

Recommended reading

OpenAI’s first gadget is a $230 coding keypad

Attackers can bring vulnerable shims with them

ESET said the shims came from different tools, including:

  • PC diagnostic software
  • Linux distribution tools
  • other UEFI-based utilities

That matters because attackers do not need a system to already be using one of these shims. ESET researchers said an attacker can bring a vulnerable shim to any UEFI system with the Microsoft third-party UEFI certificate enrolled, making even systems that were not initially affected vulnerable to attack.

“What makes these old shims dangerous is not a novel vulnerability; it’s that no new vulnerability is needed to bypass UEFI Secure Boot,” says ESET researcher Martin Smolár, who discovered the vulnerable shims.

“An attacker needs no complicated exploitation primitives — only a copy of an old, still-trusted but unrevoked shim binary and a basic understanding of how UEFI shims work. That is enough to bypass such an essential security feature as UEFI Secure Boot.”

Revocations are already available

ESET said it reported the findings to CERT/CC, and the vulnerable UEFI applications were all revoked.

To block exploitation, users should apply the latest UEFI revocations from Microsoft. On Windows, those updates will most likely arrive automatically. On Linux, users should install them through the Linux Vendor Firmware Service.

The key point is unusually stark: attackers may not need fresh bugs to undermine Secure Boot if old, trusted components remain in circulation and unrevoked.

Tomas Berg

Computing Editor

Tomas lives in the terminal. He covers chips, laptops, and operating systems with a focus on performance and efficiency. He reads kernel changelogs the way other people read fiction, and he's always on the hunt for the perfect mechanical keyboard switch. If it processes data, Tomas has an opinion on it.

via TechRadar

// Keep reading