Backdoor keys allow attackers to the bypass UEFI Secure Boot

Pierluigi Paganini August 11, 2016

Once again Microsoft failed in fixing a severe Secure Boot vulnerability that can be exploited to install rootkits on Windows devices.

Microsoft has accidentally leaked the Secret keys to Bypass UEFI Secure Boot. The Secure Boot is a UEFI (Unified Extensible Firmware Interface) feature that should prevent the execution of unauthorized code during the boot process. The Secure Boot is implemented in devices running Windows 8 and later, it ensures that every component loaded at boot is trustable because it is signed and validated.

The Secure Book prevents rootkit infections and also prevents the execution of non-Microsoft operating system on the device.

The Secret keys were disclosed by two security researchers, using the monikers MY123 and Slipstream.

The security duo discovered that Microsoft introduced a new policy for the Secure Boot during the development of Windows 10 Anniversary Update (v1607).

The experts discovered that the new policies, called “supplemental” policies, are loaded by the boot manager without implementing the proper checks.

The supplemental policy was implemented to allow developers to install self-signed third-party drivers on a Windows machine, the feature is also known as “test-signing.”

An attacker can exploit this feature to bypass the Secure Boot and load a rootkit at the device boot.

“The “supplemental” policy does NOT contain a DeviceID. And, because they were meant to be merged into a base policy, they don’t contain any BCD rules either, which means that if they are loaded, you can enable testsigning. Not just for windows (to load unsigned driver, ie rootkit), but for the {bootmgr} element as well, which allows bootmgr to run what is effectively an unsigned .efi (ie bootkit)!!! (In practise, the .efi file must be signed, but it can be self-signed) You can see how this is very bad!!” reads a blog post published by Slipstream. “A backdoor, which MS put into secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!”

Secure boot uefi

The bad news for Microsoft is that it is impossible to fully revoke the leaked keys, this means that any Windows-based device can be potentially unlocked due to the presence of the backdoor.

Microsoft has recently released the August Patch Tuesday that tried to fix the issue in the Secure Boot, but for the second consecutive month, it evidently has failed.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Secure Boot, Microsoft)

you might also like

leave a comment