A recently disclosed vulnerability, CVE-2024-7344, has drawn attention in the security community because it allows UEFI Secure Boot to be bypassed. The flaw lies in the "Reloader" UEFI application (reloader.efi) developed by Howyar. The binary is signed under Microsoft's third-party UEFI certificate authority and is therefore trusted by the firmware, but it contains a custom Portable Executable (PE) loader that runs unsigned code during system startup.
Understanding CVE-2024-7344
UEFI Secure Boot is designed to ensure that only trusted, signed software runs during the boot process. When a UEFI application asks the firmware to run another image through the LoadImage boot service, the image's Authenticode signature is checked against the allowed (db) and forbidden (dbx) signature databases before StartImage is permitted to transfer control to it. Reloader departs from this by implementing its own PE loader: instead of calling LoadImage and StartImage, it reads a file (cloak.dat) from a hardcoded path, maps it into memory itself and jumps to its entry point. No signature verification takes place, so an unsigned UEFI binary ends up running with the same privileges as the signed loader that started it.
The flaw is present in both the 32-bit and 64-bit builds of Reloader and lets an attacker execute arbitrary unsigned code during the boot process, before the operating system and its security controls are loaded. That is exactly the capability needed to install a UEFI bootkit, a class of malware that is notoriously difficult to detect and remove.
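To make the difference between the two load paths concrete, here is an added example (written for this page, not code from Howyar or from the firmware) that parses just enough of a PE header to show what a custom loader needs, namely the sections to map and the entry point to jump to, and what it ignores, namely the Authenticode certificate table that a LoadImage-based path would hand to the Secure Boot policy. The PE32+ image it parses is constructed in code (headers only, no real code or signature); the function names are this example's own.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot of the Authenticode certificate table
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10


def parse_pe(data: bytes) -> dict:
    """Minimal PE/PE32+ parser: section table, entry point, subsystem and the
    certificate-table directory entry (file offset + size, or None if absent)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    plus = magic == PE32PLUS_MAGIC
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint (RVA)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    dirs = opt + (112 if plus else 96)
    cert_table = None
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        off, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        if size:
            cert_table = (off, size)   # security directory holds a file offset, not an RVA
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawoff = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr, "vsize": vsize,
                         "rawoff": rawoff, "rawsize": rawsize})
    return {"machine": machine, "entry_point": entry, "subsystem": subsystem,
            "sections": sections, "cert_table": cert_table}


def custom_loader_view(data: bytes):
    """Everything a hand-rolled loader needs: which sections to map and where to jump.
    Nothing here looks at the certificate table, let alone db/dbx, which is why a
    payload loaded this way never meets the Secure Boot policy."""
    pe = parse_pe(data)
    return pe["entry_point"], [(s["name"], s["vaddr"], s["vsize"]) for s in pe["sections"]]


def carries_authenticode(data: bytes) -> bool:
    """True if the image has a certificate table at all. Presence is necessary, not
    sufficient: the firmware's LoadImage still verifies that signature against db and dbx."""
    return parse_pe(data)["cert_table"] is not None


def build_demo_efi_image(entry_rva: int, with_cert_table: bool = False) -> bytes:
    """Constructed PE32+ skeleton for the demo: valid headers, one .text section,
    no code and no real signature (not an actual EFI binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, 0x2000)                        # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                         # SizeOfHeaders
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    if with_cert_table:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x100)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    for signed in (False, True):
        img = build_demo_efi_image(0x1000, with_cert_table=signed)
        print(custom_loader_view(img), "authenticode present:", carries_authenticode(img))
```

The point of the contrast is that both images, signed or not, look identical to `custom_loader_view`; only a loader that passes the image to the firmware (LoadImage) ever gets the signature checked. Run the parser over real files from an EFI System Partition to spot PE images that carry no certificate table at all; note that an unsigned payload stored under a non-PE name, as the cloak.dat payload described here is, will only be recognised once it has been read back into PE form.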
Scope of the Vulnerability
Reloader is embedded in several system recovery and disk management tools, including:
- Howyar SysReturn (versions before 10.2.023_20240919)
- Greenware GreenGuard (versions before 10.2.023-20240927)
- Radix SmartRecovery (versions before 11.2.023-20240927)
- Sanfong EZ-back System (versions before 10.3.024-20241127)
- WASAY eRecoveryRX (versions before 8.4.022-20241127)
- CES NeoImpact (versions before 10.1.024-20241127)
- SignalComputer HDD King (versions before 10.3.021-20241127)
Although only these products ship the component, the vulnerability is not limited to systems that have them installed. Because reloader.efi is itself validly signed, an attacker can copy the vulnerable binary together with a malicious cloak.dat onto the EFI System Partition of any UEFI system that has Microsoft's third-party UEFI certificate authority enrolled in its db (enrolled by default on most OEM systems; Secured-core PCs are a notable exception), and the firmware will run it with Secure Boot enabled. Writing to the EFI System Partition does require elevated privileges, administrator on Windows or root on Linux, so this is a persistence technique for an attacker who already has a foothold rather than a remote entry point.
Potential Impact
Exploitation lets untrusted code run at boot, which is all that is needed to deploy a persistent threat such as a UEFI bootkit. Such a component runs before the operating system with full control of the machine, is invisible to most endpoint security tools, persists across reboots, and survives a reinstallation of the operating system as long as the EFI System Partition is not wiped.
Mitigation Steps
To address CVE-2024-7344, the affected vendors have released fixed versions of their products. In addition, Microsoft revoked the vulnerable reloader.efi binaries in its January 14, 2025 Patch Tuesday update by adding their hashes to the Secure Boot forbidden signature database (dbx). Once the update has been applied, firmware with Secure Boot enabled refuses to load the old binaries even though their signature is otherwise valid.
For Linux and other operating systems, the same protection comes from updating the UEFI Secure Boot Forbidden Signature Database (dbx), which holds the hashes and certificates the firmware must reject. dbx updates are typically delivered through the Linux Vendor Firmware Service (applied with fwupd, for example fwupdmgr update) or by the system manufacturer.
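Two questions follow from the scope and mitigation sections above: is this machine in scope (is Microsoft's third-party UEFI CA in db?) and has the revocation actually landed (is a given hash in dbx?). The following is an added example, not code from this article or from any vendor, that answers both by parsing the db and dbx variables, which are concatenations of EFI_SIGNATURE_LIST structures. It reads the live variables from efivarfs on Linux when available and otherwise falls back to constructed sample data; the GUIDs are the ones defined in the UEFI specification, while the sample hash and the DER-looking blob are placeholders and the function names are this example's own.

```python
import hashlib
import os
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID under which the db and dbx variables are stored.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
THIRD_PARTY_CA_SUBJECT = b"Microsoft Corporation UEFI CA 2011"


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, data) for every entry in a db/dbx blob.
    Layout per list: type GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
    | header | N entries of owner GUID(16) + data."""
    off = 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])   # EFI GUIDs use the mixed-endian layout
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            yield sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def dbx_revokes_hash(dbx_blob: bytes, authenticode_sha256_hex: str) -> bool:
    """Is this Authenticode (PE image) SHA-256 on the forbidden list?"""
    want = bytes.fromhex(authenticode_sha256_hex)
    return any(t == EFI_CERT_SHA256_GUID and d == want
               for t, _, d in parse_signature_lists(dbx_blob))


def db_trusts_third_party_ca(db_blob: bytes) -> bool:
    """Is Microsoft's third-party UEFI CA enrolled in db? A substring match on the DER
    certificate bytes, the same check as grepping the variable for the subject name."""
    return any(t == EFI_CERT_X509_GUID and THIRD_PARTY_CA_SUBJECT in d
               for t, _, d in parse_signature_lists(db_blob))


def read_efivar(name: str) -> bytes:
    """Linux only: efivarfs prefixes the variable data with 4 bytes of attributes."""
    path = f"/sys/firmware/efi/efivars/{name}-{EFI_IMAGE_SECURITY_DATABASE_GUID}"
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Constructed test data: one EFI_SIGNATURE_LIST holding equal-sized entries."""
    sig_size = 16 + len(entries[0])
    body = b"".join(uuid.UUID(int=0).bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed samples: REVOKED is a placeholder digest, not a real revoked hash, and
# SAMPLE_DB wraps a fake DER-looking blob, not the real Microsoft certificate.
REVOKED = hashlib.sha256(b"constructed placeholder image").digest()
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID,
                                  [REVOKED, hashlib.sha256(b"another placeholder").digest()])
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID,
                                 [b"\x30\x82\x01\x00" + b"CN=" + THIRD_PARTY_CA_SUBJECT])


if __name__ == "__main__":
    try:
        db, dbx, source = read_efivar("db"), read_efivar("dbx"), "live efivars"
    except OSError:
        db, dbx, source = SAMPLE_DB, SAMPLE_DBX, "constructed samples"
    print("source                   :", source)
    print("third-party UEFI CA in db:", db_trusts_third_party_ca(db))
    print("dbx entries              :", sum(1 for _ in parse_signature_lists(dbx)))
    print("placeholder hash revoked :", dbx_revokes_hash(dbx, REVOKED.hex()))
```

Two caveats when using this on a real system. First, the hashes Microsoft places in dbx are Authenticode hashes of the PE image (the value LoadImage computes, which skips the checksum and certificate-table fields), not the SHA-256 of the file bytes, so compute them with an Authenticode-aware tool such as pesign's hash option rather than sha256sum; the revoked hashes themselves are not listed on this page and should be taken from the Microsoft or vendor advisory. Second, on Windows the same blobs can be exported for this parser with PowerShell, e.g. `[IO.File]::WriteAllBytes('dbx.bin', (Get-SecureBootUEFI dbx).Bytes)`, and there is no 4-byte attribute prefix to strip. A machine on which `db_trusts_third_party_ca` is true is in scope for the attack described above; one on which the revoked hashes are absent from dbx has not yet received the January 2025 revocation.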
Recommendations for Users
- Apply Patches Immediately: Update the affected products to the fixed versions listed above.
- Update Windows: Install the January 2025 Patch Tuesday update (or a later cumulative update), which carries the dbx revocation of the vulnerable binaries.
- Revise UEFI Configurations: On Linux and other systems, apply the latest dbx update so the revoked hashes are present in the firmware.
- Monitor System Integrity: Confirm that Secure Boot is enabled, that the dbx on each machine actually contains the new entries, and that the EFI System Partition holds no unexpected binaries such as a stray reloader.efi or cloak.dat.
CVE-2024-7344 underscores why UEFI applications should use the firmware's standard image-loading services rather than re-implementing them: a signed binary that loads other code without verification silently inherits Secure Boot's trust and hands it to whatever it runs. By bypassing Secure Boot, this vulnerability exposes systems to persistent, highly privileged threats, and users and administrators should apply the vendor fixes and the dbx revocation promptly to close that door.