Secure Boot has a major security issue — hundreds of devices from Dell, Supermicro and more all affected, here’s what we know

PKfail vulnerability allows threat actors to install UEFI malware

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A supply chain vulnerability, present in hundreds of devices from numerous vendors, has been discovered after hiding in plain sight for 12 years.

The PKfail vulnerability revolves around a test Secure Boot “master key” which if abused, can grant threat actors the ability to completely take over the vulnerable endpoints, and installmalwareand other dangerous code as they see fit.

The flaw was found by cybersecurity researchers from the Binarly Research Team, who noted it starts with a Secure Boot “master key”, also known as a Platform Key (PK), which is generated by American Megatrends International (AMI).

A decade-old supply-chain flaw

A decade-old supply-chain flaw

A PK is an essential component in the architecture of the Unified Extensible Firmware Interface (UEFI) Secure Boot process, designed to ensure that a computer boots only with software trusted by the Original Equipment Manufacturer (OEM). When it first generates a PK, AMI labels it as “DO NOT TRUST”, notifying upstream vendors to replace it with their own, securely generated key.

However, it seems that many vendors didn’t do it.Acer, Aopen,Dell, Formelife, Fujitsu, Gigabyte,HP,Intel,Lenovo, and Supermicro, all apparently failed to do so, putting hundreds of computers at risk. Allegedly, more than 800 products are affected.

When a threat actor has access to a vulnerable device, they can exploit this problem to manipulate the Key Exchange Key (KEK) database, the Signature Database (db) and the Forbidden Signature Database (dbx), and thus effectively bypass Secure Boot. That, in turn, allows them to sign malicious code, which allows them to deploy UEFI malware.

“The first firmware vulnerable to PKfail was released back in May 2012, while the latest was released in June 2024. Overall, this makes this supply-chain issue one of the longest-lasting of its kind, spanning over 12 years,” Binarly added.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“The list of affected devices, which at the moment contains almost 900 devices, can be found in our BRLY-2024-005 advisory. A closer look at the scan results revealed that our platform extracted and identified 22 unique untrusted keys.”

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics