Around 200,000 Linux computer systems from American computer maker Framework were shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections.
An attacker could take advantage to load bootkits (e.g. BlackLotus, HybridPetya, and Bootkitty) that can evade OS-level security controls and persist across OS re-installs.
Powerful mm command
According to firmware security company Eclypsium, the problem stems from including a 'memory modify' (mm) command in legitimately signed UEFI shells that Framework shipped with its systems.
The command provides direct read/write access to system memory and is intended for low-level diagnostics and firmware debugging. However, it can also be leveraged to break the Secure Boot trust chain by targeting the gSecurity2 variable, a critical component in the process of verifying the signatures of UEFI modules.
The mm command can be abused to overwrite gSecurity2 with NULL, effectively disabling signature verification.
"Once the address is identified, the mm command can overwrite the security handler pointer with NULL or redirect it to a function that always returns "success" without performing any verification," - Eclypsium
"This command writes zeros to the memory location containing the security handler pointer, effectively disabling signature verification for all subsequent module loads."
The researchers also note that the attack can be automated via startup scripts to persist across reboots.
Around 200,000 systems impacted
... continue reading