Technology

Secure Boot has a major security issue — hundreds of devices from Dell, Supermicro and more all affected, here’s what we know

July 26, 2024

A supply chain vulnerability, present in hundreds of devices from numerous vendors, has been discovered after hiding in plain sight for 12 years.

The PKfail vulnerability revolves around a test Secure Boot “master key” which if abused, can grant threat actors the ability to completely take over the vulnerable endpoints, and install malware and other dangerous code as they see fit.

The flaw was found by cybersecurity researchers from the Binarly Research Team, who noted it starts with a Secure Boot “master key”, also known as a Platform Key (PK), which is generated by American Megatrends International (AMI).

A decade-old supply-chain flaw

A PK is an essential component in the architecture of the Unified Extensible Firmware Interface (UEFI) Secure Boot process, designed to ensure that a computer boots only with software trusted by the Original Equipment Manufacturer (OEM). When it first generates a PK, AMI labels it as “DO NOT TRUST”, notifying upstream vendors to replace it with their own, securely generated key.

However, it seems that many vendors didn’t do it. Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro, all apparently failed to do so, putting hundreds of computers at risk. Allegedly, more than 800 products are affected.

When a threat actor has access to a vulnerable device, they can exploit this problem to manipulate the Key Exchange Key (KEK) database, the Signature Database (db) and the Forbidden Signature Database (dbx), and thus effectively bypass Secure Boot. That, in turn, allows them to sign malicious code, which allows them to deploy UEFI malware.

“The first firmware vulnerable to PKfail was released back in May 2012, while the latest was released in June 2024. Overall, this makes this supply-chain issue one of the longest-lasting of its kind, spanning over 12 years,” Binarly added.

“The list of affected devices, which at the moment contains almost 900 devices, can be found in our BRLY-2024-005 advisory. A closer look at the scan results revealed that our platform extracted and identified 22 unique untrusted keys.”

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar