
Secure Boot bypass flaw threatens nearly 200,000 Linux Framework laptops

Around 200,000 Linux laptop systems from American computer maker Framework have shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections.

An attacker could take advantage of this to load bootkits (e.g. BlackLotus, HybridPetya, and Bootkitty) that can evade OS-level security controls and persist across OS reinstalls.

Powerful mm command

According to firmware security firm Eclypsium, the issue stems from the inclusion of a 'memory modify' (mm) command in legitimately signed UEFI shells that Framework shipped with its systems.

The command provides direct read/write access to system memory and is intended for low-level diagnostics and firmware debugging. However, it can also be leveraged to break the Secure Boot trust chain by targeting the gSecurity2 variable, the pointer through which the DXE image loader reaches the Security2 Architectural Protocol that verifies the signatures of UEFI modules before they are loaded.

The mm command can be abused to overwrite gSecurity2 with NULL, effectively disabling signature verification.

"This command writes zeros to the memory location containing the security handler pointer, effectively disabling signature verification for all subsequent module loads."
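To make the mechanism concrete, the following is an added illustration written for this page, not EDK2, Eclypsium or Framework code. It models how a UEFI DXE image loader hands each image to the Security2 Architectural Protocol through a global pointer, and why zeroing that pointer is enough to switch verification off. The type and function names mirror the EDK2 pattern, but the structures and the "signature" check are toy simplifications, and the image bytes are constructed sample data.

```c
/*
 * Added illustration (not EDK2, Eclypsium or Framework code): a minimal model
 * of a DXE image loader dispatching to the Security2 Architectural Protocol
 * via a global pointer, and what happens when that pointer is zeroed.
 * Names mirror the EDK2 pattern; the structures and the signature check are
 * toy simplifications, and the image bytes below are constructed sample data.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int EFI_STATUS;
#define EFI_SUCCESS            0
#define EFI_SECURITY_VIOLATION 26

/* Model of EFI_SECURITY2_ARCH_PROTOCOL: one authentication callback. */
typedef struct {
    EFI_STATUS (*FileAuthentication)(const uint8_t *image, size_t len);
} SECURITY2_ARCH_PROTOCOL;

/* Toy stand-in for Authenticode/db/dbx checking: an image counts as "signed"
   if it ends with the tag SIG_OK. Real firmware verifies a PKCS#7 signature. */
static EFI_STATUS ToyFileAuthentication(const uint8_t *image, size_t len) {
    static const char tag[] = "SIG_OK";
    const size_t n = sizeof tag - 1;
    if (len >= n && memcmp(image + len - n, tag, n) == 0) {
        return EFI_SUCCESS;
    }
    return EFI_SECURITY_VIOLATION;
}

static SECURITY2_ARCH_PROTOCOL gSecurity2Impl = { ToyFileAuthentication };

/* The global handler pointer. On the affected systems this is the value the
   shell's mm command is used to overwrite with zeros. */
SECURITY2_ARCH_PROTOCOL *gSecurity2 = &gSecurity2Impl;

bool SecurityHandlerInstalled(void) { return gSecurity2 != NULL; }

/* Fail-open dispatch, the pattern the bypass relies on: with no handler
   installed, the loader simply does not authenticate the image. */
EFI_STATUS LoadImageFailOpen(const uint8_t *image, size_t len) {
    if (gSecurity2 != NULL) {
        return gSecurity2->FileAuthentication(image, len);
    }
    return EFI_SUCCESS;  /* pointer NULL -> no check -> image loads */
}

/* Fail-closed contrast: a missing handler is itself a violation while
   Secure Boot is enabled, so a zeroed pointer cannot silently disable checks. */
EFI_STATUS LoadImageFailClosed(const uint8_t *image, size_t len, bool secure_boot) {
    if (gSecurity2 == NULL) {
        return secure_boot ? EFI_SECURITY_VIOLATION : EFI_SUCCESS;
    }
    return gSecurity2->FileAuthentication(image, len);
}

/* Equivalent of using mm to write zeros over the pointer's memory location. */
void SimulateMmZeroGSecurity2(void) {
    memset(&gSecurity2, 0, sizeof gSecurity2);
}

void RestoreGSecurity2(void) { gSecurity2 = &gSecurity2Impl; }

int main(void) {
    const char *bootkit = "bootkit payload";   /* constructed: unsigned image */
    size_t n = strlen(bootkit);

    printf("before mm: unsigned image -> status %d\n",
           LoadImageFailOpen((const uint8_t *)bootkit, n));
    SimulateMmZeroGSecurity2();
    printf("after mm:  unsigned image -> status %d (fail-open)\n",
           LoadImageFailOpen((const uint8_t *)bootkit, n));
    printf("after mm:  unsigned image -> status %d (fail-closed)\n",
           LoadImageFailClosed((const uint8_t *)bootkit, n, true));
    return 0;
}
```

In EDK2 the DXE core only calls FileAuthentication when gSecurity2 is non-NULL, which is why a single zero write over the pointer is sufficient. The fail-closed variant is included as a design contrast only; the vendor remediation described below does not change the loader but removes the mm-capable shell from the firmware and revokes the already-signed copies via DBX.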

The researchers also note that the attack can be automated via startup scripts (the UEFI shell runs a startup.nsh script when it launches) so that the pointer is zeroed again on every boot, letting the bypass persist across reboots.

Around 200,000 systems impacted

Framework is a US-based hardware company known for designing modular and easily repairable laptops and desktops.

The presence of the dangerous mm command is not the result of a compromise but appears to be an oversight. After learning of the issue, Framework started working on remediating the vulnerabilities.

Eclypsium researchers estimate that the issue has impacted roughly 200,000 Framework computers:

  • Framework 13 (11th Gen Intel), fix planned in 3.24
  • Framework 13 (12th Gen Intel), fixed in 3.18, DBX update planned in 3.19
  • Framework 13 (13th Gen Intel), fixed in 3.08, DBX update issued in 3.09
  • Framework 13 (Intel Core Ultra), fixed in 3.06
  • Framework 13 (AMD Ryzen 7040), fixed in 3.16
  • Framework 13 (AMD Ryzen AI 300), fixed in 3.04, DBX update planned in 3.05
  • Framework 16 (AMD Ryzen 7040), fixed in 3.06 (Beta), DBX update issued in 3.07
  • Framework Desktop (AMD Ryzen AI 300 MAX), fixed in 3.01, DBX update planned in 3.03

The two version numbers matter for different reasons. The "fixed" firmware stops shipping the mm-capable shell, but the previously shipped shell binaries remain validly signed and an attacker can still bring a copy and boot it. Only the DBX (forbidden signatures database) update revokes those binaries, so on models where the DBX update is still planned, the signed shell can still be executed under Secure Boot.

Impacted users are advised to apply the available security updates. Where a patch is not available yet, secondary protection measures such as preventing physical access are important. Another temporary mitigation is to delete Framework's DB key via the BIOS, which stops the signed shell from passing Secure Boot; before removing the key, confirm that nothing else in your boot chain is signed with it, since those binaries will stop booting too.
