Critical PKfail Vulnerability Exposes Hundreds of UEFI Devices to Malware
PKfail Supply-Chain Vulnerability
Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware.
Discovery by Binarly Research Team
As the Binarly Research Team found, affected devices use a test Secure Boot “master key”—also known as Platform Key (PK)—generated by American Megatrends International (AMI). This key, tagged as “DO NOT TRUST,” was meant to be replaced by OEMs or device vendors with their own securely generated keys but often was not.
Vendor Impact
“The Platform Key, which manages the Secure Boot databases and maintains the chain of trust from firmware to the operating system, is often not replaced by OEMs or device vendors, resulting in devices shipping with untrusted keys,” the Binarly Research Team said. The UEFI device makers who used untrusted test keys across 813 products include Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro.]
Vulnerable Intel firmware (BleepingComputer)
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.
Past and Present Security Incidents
In May 2023, Binarly discovered a supply chain security incident involving leaked private keys from Intel Boot Guard, impacting multiple vendors. As first reported by BleepingComputer, the Money Message extortion gang leaked MSI source code for firmware used by the company’s motherboards. The code contained image signing private keys for 57 MSI products and Intel Boot Guard private keys for another 116 MSI products.
Earlier this year, a private key from AMI related to the Secure Boot “master key” was also leaked, affecting various enterprise device manufacturers. The impacted devices are still in use, and the key is being used in recently released enterprise devices.
PKfail Impact and Exploitation
As Binarly explains, successfully exploiting this issue allows threat actors with access to vulnerable devices and the private part of the Platform Key to bypass Secure Boot by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx). After compromising the entire security chain, from firmware to the operating system, they can sign malicious code, allowing them to deploy UEFI malware like CosmicStrand and BlackLotus.
Duration and Scale of the Vulnerability
“The first firmware vulnerable to PKfail was released back in May 2012, while the latest was released in June 2024. Overall, this makes this supply-chain issue one of the longest-lasting of its kind, spanning over 12 years,” Binarly added. “The list of affected devices, which at the moment contains almost 900 devices, can be found in our BRLY-2024-005 advisory. A closer look at the scan results revealed that our platform extracted and identified 22 unique untrusted keys.”
Trending: Deep Dive to Fuzzing for Maximum Impact
Trending: Recon Tool: FinalRecon
Mitigation Recommendations
To mitigate PKfail, vendors are advised to generate and manage the Platform Key by following cryptographic key management best practices, such as Hardware Security Modules. It’s also essential to replace any test keys provided by independent BIOS vendors like AMI with their own safely generated keys. Users should monitor firmware updates issued by device vendors and apply any security patches addressing the PKfail supply-chain issue as soon as possible.
User Resources
Binarly also published the pk.fail website, which helps users scan firmware binaries for free to find PKfail-vulnerable devices and malicious payloads.
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
Source: bleepingcomputer.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
