A recent vulnerability note from CERT/CC has exposed a significant security flaw in the Howyar Reloader UEFI bootloader, distributed as part of SysReturn prior to version 10.2.02320240919. Identified as CVE-2024-7344, this vulnerability enables attackers to bypass UEFI Secure Boot and execute unsigned software during the boot process, potentially allowing persistent threats to evade detection.
The Howyar Reloader bootloader is a UEFI application signed by the Microsoft UEFI Certificate Authority (CA), the third-party signing authority trusted by the Secure Boot configuration of most PCs. Researchers at ESET found that, rather than handing control to the next boot stage through the firmware, Reloader reads a binary from a hard-coded path on the EFI system partition and executes it with its own PE loader, with no signature check at all. As the vulnerability note explains, “This occurs because the Reloader does not use UEFI’s standard BootServices LoadImage() API for safe application execution.” LoadImage() is the boot service that applies Secure Boot policy (the db allow-list and the DBX deny-list) to every image it loads; a loader that parses, maps and jumps into a PE image itself never reaches that check.
An attacker who can write an unsigned UEFI application to that path therefore gains arbitrary code execution in the UEFI context, before the operating system and any OS-level security controls start. Two points frame the risk. First, because the signed Reloader binary is what the firmware trusts, exposure is not limited to systems that ship SysReturn: an attacker can place the vulnerable Reloader and an unsigned payload on the EFI system partition of any machine that trusts the Microsoft UEFI CA, regardless of vendor or operating system, so the attack surface spans many vendors and UEFI implementations. Second, writing to the EFI system partition requires administrator or root privileges, so the flaw is a Secure Boot bypass and persistence primitive rather than an initial-access vector.
An attacker exploiting CVE-2024-7344 can bypass Secure Boot and execute malicious code before the operating system loads. This early-stage compromise carries severe implications:
- Persistent Malware: Code executed in the UEFI context can persist across system reboots and even OS reinstallation.
- Kernel Manipulation: Attackers can load malicious kernel extensions, gaining long-term control over the system.
- Evasion of Detection: By operating below the OS level, malicious code can evade endpoint detection and response (EDR) tools and other security measures.
CERT/CC emphasizes the gravity of this vulnerability, noting, “Code executed in this early boot phase can persist on the system, potentially loading malicious kernel extensions that survive both reboots and OS reinstallation.”
To address this vulnerability, CERT/CC and Howyar Technologies recommend the following steps:
- Apply Patches: Update SysReturn, and any other Howyar product that bundles Reloader, to a release carrying the fixed bootloader (10.2.02320240919 or later), following Howyar Technologies’ installation guidance.
- Update the DBX File: Patching alone is not sufficient, because the old Reloader binary remains validly signed and an attacker can reintroduce it. The vulnerable versions must be added to the UEFI Secure Boot Forbidden Signature Database (DBX) so the firmware refuses to load them. Microsoft plans to release an updated DBX around January 14, 2025, to be distributed by OEMs or OS vendors. The revocation only takes effect on systems with Secure Boot enabled.
- Audit UEFI Configurations: Confirm that Secure Boot is enabled, protect firmware setup with a password so the configuration cannot be changed without authorization, and after the update verify that the revoked hashes actually appear in the platform’s DBX variable rather than assuming the update applied. Review any other bootloaders in use for the same pattern of loading images outside LoadImage().
Enterprises managing large-scale deployments must test DBX updates before rollout: a revocation also blocks older boot media and recovery images that still rely on the revoked binary. As the vulnerability note advises, “Vendors are urged to thoroughly test the updates to ensure they do not render systems unusable.” Cloud providers and organizations handling sensitive data should treat Secure Boot-enabled virtual machines the same way: a guest’s Secure Boot policy is enforced by the hypervisor’s virtual UEFI firmware, so its DBX must be updated as well.
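A practitioner will want to confirm that the DBX update actually landed on a given machine. The following Python, added here as an example and not code from CERT/CC, ESET, Howyar or Microsoft, parses a DBX variable as the chain of EFI_SIGNATURE_LIST structures defined in the UEFI specification and checks whether given SHA-256 Authenticode hashes are revoked. The sample blob, its owner GUID and its two hashes are constructed placeholders; the real hashes of the vulnerable Reloader binaries must be taken from Microsoft’s or ESET’s published revocation data.

```python
"""Parse a UEFI Secure Boot DBX blob and check whether hashes are revoked.

Added example for this article, not code from CERT/CC, ESET, Howyar or
Microsoft. The on-disk layout (EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA and
the two GUIDs) comes from the UEFI specification. The sample blob at the
bottom is constructed; its owner GUID and hashes are placeholders.

Obtaining a real blob:
  Windows : (Get-SecureBootUEFI -Name dbx).Bytes          (elevated PowerShell)
  Linux   : /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
            (drop the first 4 bytes, which are the variable attributes)
"""
from __future__ import annotations

import hashlib
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
HEADER_FMT = "<16sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


def parse_dbx(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Return (signature_type, signature_owner, signature_data) per entry.

    Every size field is checked against the blob so a truncated or corrupted
    variable raises ValueError instead of being silently misread.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:  # each EFI_SIGNATURE_DATA begins with a 16-byte owner GUID
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body = blob[off + HEADER_LEN + hdr_size : off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"list at offset {off} is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i : i + 16])
            entries.append((sig_type, owner, body[i + 16 : i + sig_size]))
        off += list_size
    return entries


def revoked_sha256(blob: bytes) -> set[str]:
    """Hex SHA-256 Authenticode hashes the DBX forbids (x509 entries skipped)."""
    return {d.hex() for t, _, d in parse_dbx(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the PE's Authenticode SHA-256 (not a flat file hash) is in the DBX."""
    return authenticode_sha256_hex.lower() in revoked_sha256(blob)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas: list[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; used here only to build the sample."""
    sig_size = 16 + len(datas[0])
    if any(16 + len(d) != sig_size for d in datas):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + d for d in datas)
    header = struct.pack(HEADER_FMT, sig_type.bytes_le, HEADER_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample. Owner GUID and hashes are placeholders, not the real
# revocation entries for the vulnerable Reloader builds.
SAMPLE_OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")
PLACEHOLDER_HASHES = [
    hashlib.sha256(b"placeholder: vulnerable Reloader build 1").hexdigest(),
    hashlib.sha256(b"placeholder: vulnerable Reloader build 2").hexdigest(),
]
SAMPLE_DBX = build_signature_list(
    EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [bytes.fromhex(h) for h in PLACEHOLDER_HASHES]
) + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82\x00\x04placeholder-der"])

if __name__ == "__main__":
    for h in PLACEHOLDER_HASHES + ["00" * 32]:
        print(h[:16], "revoked" if is_revoked(SAMPLE_DBX, h) else "not revoked")
```

Feed `is_revoked()` the real DBX bytes and the published Authenticode hashes to confirm the update applied; a hash that is absent means the firmware will still load that binary even though the OS-side package reported success.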