A vulnerability in trusted system recovery programs could enable privileged attackers to inject malware directly into the system startup process on Unified Extensible Firmware Interface (UEFI) devices.
Seven real-time recovery products — Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, WASAY eRecoveryRX, CES NeoImpact, and SignalComputer HDD King — all use "reloader.efi," the Microsoft-signed Extensible Firmware Interface (EFI) file at issue.
The issue, ESET explains in a new report, is that reloader.efi uses a custom loader that allows the application to load even unsigned binaries during the boot process. In essence, it is a backdoor for sneaking any kind of file into a system's startup, past UEFI Secure Boot. The issue has been assigned CVE-2024-7344 and earned a "medium" 6.5 Common Vulnerability Scoring System (CVSS) score, because it requires administrator privileges to exploit.
Backdoor to the UEFI Boot Process
The standard way to load, prepare, and execute UEFI images in system memory is with the aptly named LoadImage and StartImage functions. The Microsoft-approved "reloader" application goes its own way, using a custom mechanism that allows it to load any binary, trusted or otherwise, at startup.
"Maybe it's a lack of secure coding awareness," Martin Smolár, malware researcher at ESET, guesses of the developers' motives in implementing the custom loader. "Or maybe it's because they found it convenient to create such a functionality. Because when a developer makes a change [to a signed program] they have to send it to Microsoft to get it re-signed. This means they don't need to every time they create a new update or something like that."
Reloader.efi loads arbitrary binaries from a specific, encrypted file, "cloak.dat." When ESET decrypted cloak.dat, it found that it contained an unsigned executable primarily designed for classroom environments. "Its core function is to provide real-time system recovery, ensuring that students from different classes can work in a teacher-predefined computer environment within shared computer labs," Smolár says, though he adds that the same component might be used in other settings, like public Internet cafes. The larger point is that the unsigned executable is run during the startup process, completely bypassing UEFI Secure Boot checks.
This odd classroom recovery software is perfectly honest, but an attacker could easily swap it out for something worse. If they could just get hold of administrator privileges on a targeted machine, an attacker could access the EFI system partition (ESP) and substitute their own malicious file in place of cloak.dat. Then all they'd need is a quick system reboot to drop any malicious file they wished into the startup process.
Why UEFI Bugs Are So Dangerous
UEFI is a kind of sacred space — a bridge between firmware and operating system, allowing a machine to boot up in the first place.
Any malware that invades this space will earn a dogged persistence through reboots, by reserving its own spot in the startup process. Security programs have a harder time detecting malware at such a low level of the system. Even more importantly, by loading first, UEFI malware will simply have a head start over the security checks that it aims to avoid. Malware authors take advantage of this order of operations by designing UEFI bootkits that can hook into security protocols and undermine critical security mechanisms like UEFI Secure Boot or HVCI (Hypervisor-Protected Code Integrity), Windows' technology for blocking unsigned code in the kernel.
To ensure that none of this can happen, the UEFI Boot Manager verifies every boot application binary against two lists: "db," which contains all signed and trusted programs, and "dbx," containing all forbidden programs. But when a vulnerable binary is signed by Microsoft, the matter is moot.
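The db and dbx lists above, and the dbx revocation Microsoft shipped for the old reloader.efi binaries, are stored as concatenated EFI_SIGNATURE_LIST structures (a type GUID, three sizes, then EFI_SIGNATURE_DATA entries that each carry an owner GUID and the signature or hash). The parser below is an added example, not ESET's or any vendor's code, that walks such a blob and checks whether an image's hash appears in a dbx. Real firmware hashes PE images the Authenticode way (skipping the checksum and certificate-table fields) rather than hashing the flat file, so the flat SHA-256 used here is a labelled simplification; the sample images and dbx are constructed inline so the script runs offline.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID as defined in the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType (16) + SignatureListSize,
# SignatureHeaderSize, SignatureSize (3 x UINT32) = 28 bytes.
LIST_HEADER_LEN = 28
# Each EFI_SIGNATURE_DATA starts with a 16-byte SignatureOwner GUID.
OWNER_GUID_LEN = 16


def parse_signature_lists(blob: bytes) -> list[tuple[uuid.UUID, bytes]]:
    """Return (SignatureType, SignatureData) pairs from a db/dbx-style blob.

    Malformed lists raise ValueError instead of being silently skipped, so a
    truncated or tampered variable is reported rather than treated as empty.
    """
    entries = []
    off = 0
    while off + LIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < LIST_HEADER_LEN or end > len(blob) or sig_size <= OWNER_GUID_LEN:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + LIST_HEADER_LEN + hdr_size
        while pos + sig_size <= end:
            entries.append((sig_type, blob[pos + OWNER_GUID_LEN:pos + sig_size]))
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after the last EFI_SIGNATURE_LIST")
    return entries


def build_sha256_list(hashes: list[bytes], owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries (test data only)."""
    sig_size = OWNER_GUID_LEN + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", LIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


def make_dbx(images: list[bytes]) -> bytes:
    """Construct a dbx revoking the given images (flat SHA-256; see lead-in)."""
    return build_sha256_list([hashlib.sha256(img).digest() for img in images])


def revoked_hashes(dbx_blob: bytes) -> set[bytes]:
    """Collect the SHA-256 entries of a dbx, ignoring other entry types."""
    return {data for t, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(image: bytes, dbx_blob: bytes) -> bool:
    """True when the image's hash is listed in dbx, i.e. firmware should refuse it."""
    return hashlib.sha256(image).digest() in revoked_hashes(dbx_blob)


if __name__ == "__main__":
    # Constructed stand-ins for an old, revoked loader and its fixed successor.
    old_loader = b"constructed: reloader.efi, pre-fix build"
    new_loader = b"constructed: reloader.efi, fixed build"
    dbx = make_dbx([old_loader])
    for name, img in (("old loader", old_loader), ("new loader", new_loader)):
        print(f"{name}: {'REVOKED (in dbx)' if is_revoked(img, dbx) else 'not in dbx'}")
```

On a Linux host the same parser can be pointed at the firmware's own variable by reading `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and dropping its leading 4-byte attribute word; that file name is the standard efivarfs naming, not something from this article.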
Microsoft maintains a list of requirements for signing UEFI binaries, but the process is a bit obscure, Smolár says. "I don't know if it involves only running through this list of requirements, or if there are any other actions involved, like manual binary reviews where they look for not necessarily malicious, but insecure behavior," he says.
Microsoft has previously alluded to UEFI binaries being "approved through manual review." In response to an inquiry from Dark Reading, a Microsoft spokesperson provided the following clarification:
"Our process is designed to meet the evolving standard for analysis of third-party binary code, while ensuring effective scalability across our vast ecosystem. It begins with vetting and analysis with the partner, understanding the components they're requesting to be signed, and aspects of the design and functionality that may require additional security measures. Submissions are run through automated security analysis and are manually reviewed through a rigorous process. As a result, we may require additional security reviews, investigations with the submitting partner, or other mitigations. We remain committed to evolving our vetting process to better the security of our ecosystem as we operate within this ever-changing threat landscape."
ESET first discovered CVE-2024-7344 in July 2024. Since then, all vulnerable applications have been fixed, and Microsoft revoked the old, vulnerable binaries in its Jan. 14, 2025, Patch Tuesday update.