A security feature bypass vulnerability has been uncovered in three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders that allows the UEFI Secure Boot feature to be bypassed.
"These vulnerabilities can be exploited by mounting the EFI System Partition and replacing the existing bootloader with the vulnerable one, or modifying a UEFI variable to load the vulnerable loader instead of the existing one," hardware security firm Eclypsium said in a report shared with The Hacker News.
The following vendor-specific boot loaders, which were signed and authenticated by Microsoft, have been found vulnerable to the bypass and have been patched as part of the tech giant's Patch Tuesday update released this week -
Secure Boot is a security standard designed to thwart malicious programs from loading when a computer starts up (boots) and ensure only the software that is trusted by the Original Equipment Manufacturer (OEM) is launched.
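Secure Boot's mechanism for shutting out loaders like these is its forbidden-signature database (dbx), a UEFI variable built from EFI_SIGNATURE_LIST structures. The following is an added example, not code from the article or from Eclypsium: it parses such a blob and checks whether an image's hash is revoked. The dbx blob and the two "loader" images are constructed here, and real dbx entries for PE/COFF loaders carry the Authenticode image hash rather than the flat SHA-256 used below.

```python
"""Parse a UEFI signature database (e.g. the Secure Boot dbx) and look up hashes."""
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI spec: entry data is a raw SHA-256 digest.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_CERT_X509_GUID: entry data is a DER-encoded certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (the dbx variable layout)."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])   # GUIDs are little-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:  # each entry is a 16-byte owner GUID followed by data
            raise ValueError("bad SignatureSize")
        body = blob[off + 28 + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def revoked_sha256(blob: bytes) -> set:
    """All SHA-256 digests listed in the database."""
    return {d for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def build_sha256_list(digests, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries (used here to construct sample data)."""
    entries = b"".join(owner.bytes_le + d for d in digests)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(entries), 0, 16 + 32) + entries


# Constructed sample data: two fake loader images, only the first of which is revoked.
REVOKED_IMAGE = b"constructed-vulnerable-loader"
CLEAN_IMAGE = b"constructed-fixed-loader"
SAMPLE_DBX = build_sha256_list([hashlib.sha256(REVOKED_IMAGE).digest()])


def is_revoked(image: bytes, dbx: bytes) -> bool:
    """True if the image's (flat) SHA-256 digest appears in the dbx."""
    return hashlib.sha256(image).digest() in revoked_sha256(dbx)
```

On a live system the blob would come from the firmware's dbx variable (for example via Get-SecureBootUEFI on Windows), and the image hash would be the Authenticode hash of the EFI binary found on the EFI System Partition.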
"The firmware boot loaders boot the UEFI environment and hand over control to UEFI applications written by the SoC vendor, Microsoft, and OEMs," Microsoft notes in its documentation. "The UEFI environment launches the Windows Boot Manager, which determines whether to boot to Full Flash Update (FFU) image flashing or device reset mode, to the update OS, or to the main OS."
In a nutshell, successful exploitation of the flaws identified by Eclypsium could permit an adversary to circumvent security guardrails at startup and execute arbitrary unsigned code during the boot process.
This can have further knock-on effects, enabling a bad actor to gain entrenched access and establish persistence on a host in a manner that can survive operating system reinstalls and hard drive replacements, not to mention completely bypassing detection by security software.
Calling CVE-2022-34302 "far more stealthy," Eclypsium noted the New Horizon Datasys vulnerability is not only trivial to exploit in the wild, but can also "enable even more complex evasions such as disabling security handlers."
Security handlers, for instance, can include Trusted Platform Module (TPM) measurements and signature checks, Eclypsium researchers Mickey Shkatov and Jesse Michael said.
It's worth noting that exploiting these vulnerabilities requires an attacker to have administrator privileges, although gaining local privilege escalation is not considered insurmountable owing to the fact that Microsoft doesn't treat User Account Control (UAC) bypass as a security risk.
"Much like BootHole, these vulnerabilities highlight the challenges of ensuring the boot integrity of devices that rely on a complex supply chain of vendors and code working together," the researchers concluded, adding "these issues highlight how simple vulnerabilities in third-party code can undermine the entire process."
I have three treasures which I hold and keep: the first is compassion, the second is frugality, the third is not daring to put myself ahead of the world.
From the Tao Te Ching, Chapter 67
This article is translated from:
https://thehackernews.com/2022/08/researchers-uncover-uefi-secure-boot.html
If you repost it, please credit this address.
My translation ability is limited :(
Where there is ambiguity, please treat the translated text as authoritative :)