PC Gaming

9784 readers

603 users here now

For PC gaming news and discussion. PCGamingWiki

Rules:

Be Respectful.
No Spam or Porn.
No Advertising.
No Memes.
No Tech Support.
No questions about buying/building computers.
No game suggestions, friend requests, surveys, or begging.
No Let's Plays, streams, highlight reels/montages, random videos or shorts.
No off-topic posts/comments, within reason.
Use the original source, no clickbait titles, no duplicates. (Submissions should be from the original source if possible, unless from paywalled or non-english sources. If the title is clickbait or lacks context you may lightly edit the title.)

founded 2 years ago

MODERATORS

EXiLExJD@lemmy.ca

UncleBadTouch@lemmy.ca

KairuByte@lemmy.dbzer0.com

196

New UEFI vulnerability bypasses Secure Boot — bootkits stay undetected even after OS re-install (www.tomshardware.com)

submitted 1 month ago by alessandro@lemmy.ca to c/pcgaming@lemmy.ca

44 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] TootSweet 75 points 1 month ago (9 children)

If I'm understading what I've been able to glean about this just by googling, it looks like the vulnerability is in certain tools that Microsoft has decided to sign with some of its UEFI secure boot keys. It's not a vulnerability in your UEFI firmware itself, except insofar as your UEFI firmware comes already configured to trust Microsoft's certificates. So even though the vulnerability isn't in your UEFI firmware per se, the fix will require revoking trust to keys that are almost definitely pre-installed in your UEFI firmware.

[+] JordanZ 16 points 1 month ago (2 children)

[deleted]

[–] TootSweet 9 points 1 month ago

They don’t even have to be signed…

Yeah. My understanding is that Microsoft has signed several tools made by other companies that boot as UEFI PE executables and aren't supposed to allow loading arbitrary (including unsigned and malicious) UEFI PE binaries, but due to security vulnerabilities in the tool, they'll load any old UEFI PE binary you give them.

The payload/malicious UEFI PE binaries don't have to be signed. But the third-party tools that contain the vulnerabilities have to be signed by a signer your UEFI firmware trusts. (And the tools are signed by Microsoft, which your UEFI firmware almost definitely trusts, unless you've already applied a fix).

(And I don't know exactly what sort of tools they are. Maybe they're like UEFI Shell software or something? Not sure. Not sure it matters that much for purposes of understanding the impact or remediation strategy for this vulnerability.)

The fix, I'd imagine is:

Everyone should untrust the certificates used to sign those vulnerable tools. (And by "untrust", I really mean they need to apply the revocations.)
Microsoft needs to issue new certificates to replace the ones with which they signed the vulnerable tools.
The companies who made those tools need to release new, fixed, not-vulnerable versions of the same tools.
...and get Microsoft to sign those new versions with the replacement keys.
And users need to migrate from the vulnerable versions to the new versions of the tools in question.

Now, I'm not 100% sure if there needs to be yet another step in there where individual users explicitly install/trust the replacement certs. Those replacement certs are signed by Microsoft's root certificate, right? As long as all the certificates in the chain from the root certifcate down to the signature are included with the UEFI PE binary, the firmware should be able to verify the new binary? Or maybe having chains of certs is not how UEFI PE binaries work. Not sure.

Here is an example of something similar that disables Windows Platform Binary Table…(I’m not advocating that anybody actually use this).

Yuck. Thanks for letting me know of that. I'm still firmly in the "learning" phase when it comes to this UEFI stuff. It's good to be aware of this.

[–] AtariDump 5 points 1 month ago* (last edited 1 month ago)

It’s like people never learned from the Lenovo Superfish inicdent

load more comments (6 replies)