A vulnerability in trusted system recovery applications could allow privileged attackers to inject malware directly into the system startup process on Unified Extensible Firmware Interface (UEFI) devices.
Seven real-time recovery products — Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, WASAY eRecoveryRX, CES NeoImpact, and SignalComputer HDD King — all use "reloader.efi," the Microsoft-signed Extensible Firmware Interface (EFI) file at issue.
The problem, ESET explains in a new report, is that reloader.efi uses a custom loader that allows the application to load even unsigned binaries during the boot process. In essence, it is a backdoor for sneaking any kind of file into a system's startup, past UEFI Secure Boot. The issue has been assigned CVE-2024-7344 and earned a "medium" 6.5 Common Vulnerability Scoring System (CVSS) score, because it requires administrator privileges to exploit.
Backdoor to the UEFI Boot Process
The standard way to load, prepare, and execute UEFI images in system memory is with the standard LoadImage and StartImage functions. The Microsoft-approved "reloader" application goes its own way, using a custom mechanism that allows it to load any binary, trusted or otherwise, at startup.
"Maybe it's a lack of secure coding awareness," Martin Smolár, malware researcher at ESET, guesses of the developers' motives in implementing the custom loader. "Or maybe it's because they found it convenient to create such a functionality. Because when a developer makes a change [to a signed program] they need to send it to Microsoft to get it re-signed. This means that they don't need to every time they create a new update or something like that."
Reloader.efi loads arbitrary binaries from a specific, encrypted file, "cloak.dat." When ESET decrypted cloak.dat, it found that it contained an unsigned executable primarily designed for classroom environments. "Its core function is to provide real-time system recovery, ensuring that students from different classes can work in a teacher-predefined computer environment within shared computer labs," Smolár says, though he adds that the same component can be used in other settings, like public Internet cafes. The larger point is that the unsigned executable is run during the startup process, completely bypassing UEFI Secure Boot checks.
This odd classroom recovery software is perfectly benign, but an attacker could easily swap it out for something worse. If they could just get hold of administrator privileges on a targeted machine, an attacker could access the EFI system partition (ESP) and substitute their own malicious file in place of cloak.dat. Then all they would need is a quick system reboot to drop any malicious file they wanted into the startup process.
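As an added example (not ESET's code, nor any of the vendors'), the following Python script scans a mounted or copied ESP tree for the reloader.efi / cloak.dat pair named above and for any .efi image that carries no Authenticode certificate table, which is how an unsigned payload dropped onto the ESP would look to a defender. The PE field offsets are the standard ones; build_sample_image constructs a synthetic PE32+ stub purely for offline testing.

```python
import os
import struct

FLAGGED_NAMES = {"reloader.efi", "cloak.dat"}  # component names from the ESET report
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_authenticode_table(data: bytes) -> bool:
    """True if a PE/EFI image has a non-empty certificate (security) directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return False
    opt = pe + 24                                         # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    n_off, dd_off = (92, 96) if magic == 0x10B else (108, 112)  # PE32 vs PE32+ layouts
    if struct.unpack_from("<I", data, opt + n_off)[0] <= SECURITY_DIR:
        return False                                      # too few data directories
    va, size = struct.unpack_from("<II", data, opt + dd_off + 8 * SECURITY_DIR)
    return va != 0 and size != 0

def classify(name: str, data: bytes) -> list[str]:
    """Reasons a file on the ESP deserves a look (empty list = nothing flagged)."""
    reasons = []
    if name.lower() in FLAGGED_NAMES:
        reasons.append("known reloader.efi component")
    if name.lower().endswith(".efi") and not has_authenticode_table(data):
        reasons.append("EFI image without certificate table")
    return reasons

def scan_esp(root: str) -> list[tuple[str, str]]:
    """Walk a mounted or copied ESP tree and return sorted (reason, path) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                findings += [(reason, path) for reason in classify(name, f.read())]
    return sorted(findings)

def build_sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ stub (not a real boot loader) for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x400, 0x100)
    return dos + coff + bytes(opt)
```

The certificate-table check establishes presence only, not validity or revocation status: a signed-but-revoked reloader.efi still carries a table, which is why the name match is kept alongside it, and any hit should be confirmed with a proper signature verifier.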
Why UEFI Bugs Are So Dangerous
UEFI is a kind of sacred space — a bridge between firmware and operating system, allowing a machine to boot up in the first place.
Any malware that invades this space will earn a dogged persistence through reboots, by reserving its own spot in the startup process. Security programs have a harder time detecting malware at such a low level of the system. Even more importantly, by loading first, UEFI malware will simply have a head start over the security checks it aims to avoid. Malware authors take advantage of this order of operations by designing UEFI bootkits that can hook into security protocols and undermine critical security mechanisms like UEFI Secure Boot or HVCI (Hypervisor-Protected Code Integrity), Windows' technology for blocking unsigned code in the kernel.
To ensure that none of this can happen, the UEFI Boot Manager verifies every boot application binary against two lists: "db," which contains all signed and trusted programs, and "dbx," which lists all forbidden programs. But when a vulnerable binary is signed by Microsoft, the matter is moot.
Microsoft maintains a list of requirements for signing UEFI binaries, but the process is a bit opaque, Smolár says. "I don't know if it involves only going through this list of requirements, or if there are some other actions involved, like manual binary reviews where they look for not necessarily malicious, but insecure behavior," he says. Microsoft has previously alluded to UEFI binaries being "approved by manual review." Dark Reading has reached out to the company for more clarity on this point.
ESET first discovered CVE-2024-7344 in July 2024. Since then, all vulnerable applications have been fixed, and Microsoft revoked the old, vulnerable binaries in its Jan. 14, 2025, Patch Tuesday update.