Millions of Devices Vulnerable to PKFail Secure Boot Bypass Issue

Published: 23/11/2024   Category: security




Several vendors for consumer and enterprise PCs share a compromised crypto key that should never have been on the devices in the first place.



Attackers can bypass the Secure Boot process on millions of Intel and ARM microprocessor-based computing systems from multiple vendors, because they all share a previously leaked cryptographic key used in the device startup process.
The so-called Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain, and verifies the authenticity and integrity of a device's firmware and boot software.
Unfortunately, researchers from firmware security vendor Binarly discovered that the key had been publicly exposed in a data leak back in 2018. This key was likely included in [AMI's] reference implementation with the expectation that it would be replaced with another safely generated key by downstream entities in the supply chain, Binarly said in a posting on the issue this week.
What appears to have happened is that an original equipment manufacturer (OEM) used the AMI test key for firmware it produced for different Intel and ARM-based device makers. The result is there are potentially millions of consumer and enterprise devices around the world that are currently using the same compromised AMI PK during the secure bootup process, says Alex Matrosov, CEO and founder of Binarly. Affected vendors include Lenovo, HP, Asus and SuperMicro.
An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database, says Matrosov, who has dubbed the issue PKFail. The issue makes it easier for attackers to, among other things, deploy Unified Extensible Firmware Interface (UEFI) bootkits like last year's BlackLotus, which offer persistent kernel access and privileges.
The fix is easy: the compromised key needs to be replaced, and device vendors need to ship a firmware update, Matrosov says. Several have already done so, he notes. However, in many cases — as with data center servers, for instance, or for systems used in critical applications — the firmware updates could take some time to be deployed.
Exploitation of this issue is trivial in the case that the device is impacted, he says, pointing to a proof-of-concept exploit (PoC) that Binarly developed for PKFail. Matrosov recommends that organizations disconnect devices with the leaked AMI PK from critical networks until they are able to deploy a firmware upgrade.
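Matrosov's recommendation above requires a way to tell which machines carry the leaked AMI PK. The following is an added defender-side example, not code from the article, Binarly or AMI: it parses the Platform Key variable the way a Linux host exposes it (the EFI_SIGNATURE_LIST layout from the UEFI specification, read from the efivars path assumed below, which prefixes four attribute bytes) and flags X.509 entries whose subject carries a test-key marker. The marker strings are a heuristic based on Binarly's public report that the AMI test certificate is labelled "DO NOT TRUST"; the sample signature lists at the bottom are constructed here and wrap a minimal DER fragment rather than a real certificate.

```python
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed location of the PK on a Linux host using the efivarfs mount.
PK_EFIVARS_PATH = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}")

# Heuristic markers for non-production keys (assumption based on Binarly's
# public report that the AMI test PK's subject says "DO NOT TRUST").
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")

# DER encoding of the commonName attribute OID 2.5.4.3.
CN_OID_DER = b"\x06\x03\x55\x04\x03"


def parse_signature_lists(data: bytes):
    """Yield (signature_type, owner, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (28-byte header each)."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size          # skip the optional SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:       # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def common_names(der: bytes):
    """Extract commonName strings by locating the 2.5.4.3 attribute in DER.
    A targeted scan (short-form lengths only), not a full X.509 parser."""
    names, start = [], 0
    while True:
        i = der.find(CN_OID_DER, start)
        if i < 0:
            return names
        tag_pos = i + len(CN_OID_DER)
        # Accept UTF8String (0x0C), PrintableString (0x13) or IA5String (0x16).
        if tag_pos + 2 <= len(der) and der[tag_pos] in (0x0C, 0x13, 0x16) and der[tag_pos + 1] < 0x80:
            n = der[tag_pos + 1]
            names.append(der[tag_pos + 2:tag_pos + 2 + n].decode("latin-1"))
        start = tag_pos


def assess_pk(var_data: bytes):
    """Return [(common_names, looks_like_test_key)] for each X.509 PK entry."""
    findings = []
    for sig_type, _owner, sig in parse_signature_lists(var_data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        findings.append((common_names(sig), any(m in sig for m in TEST_KEY_MARKERS)))
    return findings


def read_pk_from_efivars(path: Path = PK_EFIVARS_PATH) -> bytes:
    """efivarfs prepends a 4-byte attribute word to the variable contents."""
    return path.read_bytes()[4:]


# --- constructed sample data (not real certificates) ---
def fake_cert_with_cn(cn: str) -> bytes:
    """Minimal DER fragment: SEQUENCE { OID commonName, PrintableString cn }."""
    body = cn.encode()
    attr = CN_OID_DER + b"\x13" + bytes([len(body)]) + body
    return b"\x30" + bytes([len(attr)]) + attr


def build_signature_list(cert: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    sig = owner.bytes_le + cert
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig))
    return header + sig


SAMPLE_TEST_PK = build_signature_list(fake_cert_with_cn("DO NOT TRUST - AMI Test PK"))
SAMPLE_GOOD_PK = build_signature_list(fake_cert_with_cn("Example OEM Platform Key"))

if __name__ == "__main__":
    data = read_pk_from_efivars() if PK_EFIVARS_PATH.exists() else SAMPLE_TEST_PK
    for cns, suspicious in assess_pk(data):
        print("PK subject CN(s):", cns, "-> TEST KEY, treat as untrusted" if suspicious else "-> no marker found")
```

A clean result from this check is not proof of a trustworthy PK; it only catches keys that announce themselves as test material. Comparing the certificate's fingerprint against the vendor's published production PK, and installing the vendor's firmware update, remains the actual fix.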
The PKfail issue is a big deal because it makes it easy for hackers to bypass Secure Boot, which is like having a master key that unlocks many houses, said Rogier Fischer, CEO of Netherlands-based Hadrian in an emailed comment. Since the same keys are used across different devices, one breach can affect many systems, making the problem widespread, he said.
PKFail is only the latest manifestation of a problem that has been around for more than a decade, which is the tendency of OEMs and device makers to use non-production and test cryptographic keys in production firmware and devices, Matrosov says. The AMI PK, for instance, was clearly meant to be treated as completely untrusted, and yet it ended up in devices from multiple vendors.
Binarly's report pointed to an incident in 2016 tracked as CVE-2016-5247, where security researchers discovered multiple Lenovo devices that shared the same AMI test PK. At the time, the National Vulnerability Database described the issue as allowing local users or physically proximate attackers to bypass the Secure Boot protection mechanism by leveraging an AMI test key.
Ultimately, PKFail is a manifestation of poor cryptographic key management practices in the device supply chain, Binarly said in its report.
This is a huge problem, Matrosov says. If you think about an apartment complex where all the door locks have the same keys. If one key goes missing, it could create problems for everyone.
