Microsoft UEFI Firmware Arbitrary Write Vulnerability Allowing Secure Boot Bypass
Vulnerability
A vulnerability in Microsoft-signed UEFI applications allows arbitrary memory writes, enabling execution of untrusted code and a bypass of Secure Boot. It affects several UEFI applications, including 'DTBios' and 'BiosFlashShell', all signed by the 'Microsoft Corporation UEFI CA 2011' key. The issue arises from improper handling of a runtime NVRAM variable, 'IhisiParamBuffer', which can be manipulated to overwrite critical firmware settings, such as those governing Secure Boot. Exploitation could allow a malicious UEFI bootkit to run before the operating system is fully loaded, compromising system integrity and evading conventional security controls.
Impact
Exploitation of this vulnerability allows for a bypass of UEFI Secure Boot, enabling the execution of unsigned or malicious code during the boot process. This could lead to the deployment of persistent malware or kernel rootkits, with the potential to compromise the operating system and evade detection by endpoint security tools.
Reproduction
The vulnerability can be reproduced by setting the 'IhisiParamBuffer' NVRAM variable to an address that points to a writable memory location. Once the variable is set, the vulnerable UEFI application can be executed, which will use the 'IhisiParamBuffer' variable to perform arbitrary memory writes. This can be done from a privileged operating system shell by enrolling a key exchange key and using it to authenticate the variable write. After the vulnerable application is executed, it will disable Secure Boot by manipulating the 'gSecurity2' variable, allowing unsigned code to run during the boot process.
Remediation
To address this vulnerability, the affected UEFI applications must be updated to remove the vulnerable code. Additionally, the 'Dtbios-efi64-71.22.efi' module should be added to the UEFI Forbidden Signature Database (DBX) to prevent its execution under Secure Boot. This vulnerability has been found in multiple versions of the 'DTBios' application, so all variations should be added to the DBX database.
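As an added defensive check (not code from this advisory, Microsoft, or the firmware vendor): a Python helper that parses DBX data in EFI_SIGNATURE_LIST format to confirm that a module's SHA-256 Authenticode digest is revoked, and that lists any IhisiParamBuffer variables exposed through Linux efivarfs. The GUIDs used are the UEFI specification's well-known values; the digest of 'Dtbios-efi64-71.22.efi' is not given on this page, so a real check must take it from the published DBX update, and the `build_sha256_list` helper only constructs test data.

```python
import glob
import os
import struct
import uuid

# Well-known GUIDs from the UEFI specification (assumed, not taken from the advisory text).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = "/sys/firmware/efi/efivars"

def parse_signature_lists(data):
    """Return (signature_type, owner, signature_data) tuples from chained EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each signature: 16-byte SignatureOwner + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, bytes(data[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

def dbx_has_sha256(dbx_lists, hex_digest):
    """True if the given SHA-256 Authenticode digest appears as a revoked entry in DBX data."""
    target = bytes.fromhex(hex_digest)
    return any(t == EFI_CERT_SHA256_GUID and s == target
               for t, _, s in parse_signature_lists(dbx_lists))

def read_efivar(name, guid, efivars_dir=EFIVARS):
    """Read a variable from efivarfs; the first 4 bytes are attributes, the rest is data."""
    with open(os.path.join(efivars_dir, "%s-%s" % (name, guid)), "rb") as f:
        return f.read()[4:]

def ihisi_param_buffer_variables(efivars_dir=EFIVARS):
    """List any IhisiParamBuffer variables present, whatever vendor GUID they carry."""
    pattern = os.path.join(efivars_dir, "IhisiParamBuffer-*")
    return sorted(os.path.basename(p) for p in glob.glob(pattern))

def build_sha256_list(digests):
    """Construct one EFI_SIGNATURE_LIST of SHA-256 entries (constructed test data, not a real DBX)."""
    body = b"".join(uuid.UUID(int=0).bytes_le + d for d in digests)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body
```

On a Linux host, `read_efivar("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID)` returns the data to pass to `dbx_has_sha256`, and a non-empty result from `ihisi_param_buffer_variables()` is worth investigating on any machine where the affected applications were never intentionally run.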