A new vulnerability, CVE-2024-7344, has been discovered in UEFI Secure Boot, affecting Microsoft-signed applications in third-party system recovery tools. The flaw allows attackers to bypass Secure Boot and deploy bootkits, which can persist even after OS reinstalls.
The issue stems from a custom PE loader in the vulnerable UEFI applications that bypasses trusted binary validation, enabling malicious binaries to be loaded. Attackers can exploit this by replacing the default OS bootloader with a malicious 'reloader.efi' and planting a compromised 'cloak.dat' file.
The vulnerability affects recovery and backup tools from several software vendors, including Howyar, Greenware, and Radix, though attackers can exploit the flaw without these specific tools on the target system. Microsoft has released a patch, and affected vendors have updated their products to fix the issue.
ESET has shared mitigations, including PowerShell commands that administrators can run to verify whether the patch has been applied.
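As an added illustration of the kind of check referred to above (this is not ESET's published command or Microsoft's tooling), the script below queries the Secure Boot state and the dbx revocation database with the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets, and lists the EFI binaries on the EFI System Partition with their hashes so an administrator can review them. The revoked-binary hash is an assumed placeholder (`<REVOKED_SHA256_PLACEHOLDER>`); the real value must be taken from the vendor or Microsoft advisory, as it is not given on this page. The drive letter `S:` used for the temporary ESP mount is also an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article or ESET's advisory.
# Run from an elevated PowerShell prompt on a UEFI-booted Windows system.

function Test-SecureBootEnabled {
    # Returns $true when Secure Boot is enabled; legacy BIOS systems throw.
    try { return [bool](Confirm-SecureBootUEFI) }
    catch { Write-Warning "Secure Boot query failed: $_"; return $false }
}

function Test-DbxContainsHash {
    param([Parameter(Mandatory)][string]$Sha256Hex)
    # dbx is the forbidden-signature database. Revoked binaries are stored as
    # raw SHA-256 hashes inside EFI_SIGNATURE_LIST structures, so a hex
    # substring search over the variable contents is sufficient here.
    $dbx = Get-SecureBootUEFI -Name dbx
    $hex = [System.BitConverter]::ToString($dbx.Bytes) -replace '-', ''
    return $hex -match [regex]::Escape($Sha256Hex)   # -match is case-insensitive
}

function Get-EspEfiFiles {
    # Temporarily mount the EFI System Partition (assumed free letter S:),
    # hash every .efi and .dat file, then unmount. Names such as reloader.efi
    # or cloak.dat are worth a closer look but are not proof of compromise.
    $drive = 'S:'
    mountvol $drive /S | Out-Null
    try {
        Get-ChildItem -Path $drive -Recurse -Include *.efi, *.dat -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime,
                @{ Name = 'SHA256'; Expression = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
    }
    finally {
        mountvol $drive /D | Out-Null
    }
}

# Placeholder: replace with the revoked hash from the advisory.
$revokedHash = '<REVOKED_SHA256_PLACEHOLDER>'

"Secure Boot enabled : $(Test-SecureBootEnabled)"
"Revocation in dbx   : $(Test-DbxContainsHash -Sha256Hex $revokedHash)"
Get-EspEfiFiles | Format-Table -AutoSize
```

If `Test-DbxContainsHash` returns `$false` after Windows Update has been applied, the dbx update has not reached the firmware yet (it is typically staged and applied across reboots), and the system should be treated as still exposed.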