PKfail Scandal: Critical Firmware Flaw Allows Attackers to Bypass Secure Boot

Secure Boot, a cornerstone of platform security, remains vulnerable due to fundamental flaws in its design and implementation. While hardware-based enhancements like Intel Boot Guard have been introduced, the underlying UEFI framework, Tianocore EDK2, has not evolved sufficiently to mitigate persistent threats. 

Recent supply chain incidents involving leaked private keys from Intel Boot Guard and American Megatrends International (AMI) underscore the severity of the issue, with compromised devices still in active use. The exposure of AMI’s Platform Key, a master key for Secure Boot, poses a critical risk to the security of numerous enterprise devices. 

Figure: chronological order of the events that led to the investigation of PKfail

The PKfail issue exposes critical device supply chain vulnerabilities. Private cryptographic keys appear directly in code repositories with hardcoded paths, indicating poor key management. 

Non-production keys are used for securing production firmware and devices, compromising platform security, while a lack of key rotation across product lines and even OEMs increases attack surface, as evidenced by key reuse in client, server, and Intel Boot Guard contexts. 

Researchers identified a PKfail vulnerability in Dell XPS 8960 Desktop firmware due to the use of a default non-production Platform Key from AMI, which exposed the device and other product lines to unauthorized firmware modifications. 

Dell had implemented a mitigation in the DellSecureBootSmm module for certain product lines by correctly setting Secure Boot variables with hardcoded Dell values, preventing the PKfail attack. Successful collaboration with Dell facilitated responsible disclosure and remediation efforts. 

Figure: live firmware dumps of affected products

According to the Binarly Research Team, PKfail is a critical UEFI supply chain vulnerability stemming from the widespread reuse of untrusted Platform Keys (PKs) across diverse device models. 

Generated by Independent BIOS Vendors (IBVs) and shared among multiple vendors, these PKs, intended to safeguard Secure Boot integrity, are compromised due to a lack of key rotation by OEMs. 

Figure: untrusted test key

Consequently, attackers can exploit this weakness to manipulate the Secure Boot databases, bypassing security protections and potentially compromising device firmware and data. The flaw affects both x86 and ARM architectures, underscoring its broad impact on the UEFI ecosystem. 

A scan of tens of thousands of UEFI firmware images revealed that over 10% of them, including devices from major vendors, are vulnerable to PKfail: with any of the 22 identified untrusted keys, attackers can bypass Secure Boot and execute arbitrary code during the boot process. 

The root causes include poor cryptographic key management, reuse of keys across product lines and manufacturers, and a lack of key rotation, enabling the deployment of UEFI bootkits like BlackLotus. 
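A defender's first question after reading the above is whether a given machine's enrolled Platform Key is one of the shared test keys. The script below is an added example, not Binarly's tooling or any vendor's code: it parses the EFI_SIGNATURE_LIST structure that the PK variable holds (as laid out in the UEFI specification), hashes each X.509 entry so it can be compared against a list of known-untrusted certificate fingerprints you supply, and flags certificates whose subject carries the "DO NOT TRUST" marker that AMI's test PK is known to contain (that marker string and the efivars path are assumptions drawn from outside the page, not from it). The sample blob at the bottom is constructed and is not a real certificate.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec): the signature data is a DER-encoded certificate
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# PK variable under efivarfs on Linux; the first 4 bytes of the file are attributes
PK_EFIVAR = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Subject marker carried by AMI's test Platform Key (assumption: not stated on the page)
TEST_KEY_MARKER = b"DO NOT TRUST"

def parse_signature_lists(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs, yielding (type, owner, signature_data)."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def build_x509_list(cert: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Pack one certificate into a single-entry X.509 EFI_SIGNATURE_LIST."""
    sig_size = 16 + len(cert)
    return (EFI_CERT_X509.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + cert)

def audit_pk(blob: bytes, untrusted_sha256: frozenset = frozenset()) -> list:
    """Return (sha256_hex, reason) per X.509 entry; reason is None when nothing matched."""
    findings = []
    for sig_type, _owner, cert in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509:
            continue  # hash-type lists never appear in a sane PK; skip them
        digest = hashlib.sha256(cert).hexdigest()
        if digest in untrusted_sha256:
            findings.append((digest, "hash is on the untrusted-key list"))
        elif TEST_KEY_MARKER in cert:
            findings.append((digest, "subject carries a test-key marker"))
        else:
            findings.append((digest, None))
    return findings

# Constructed sample standing in for a DER certificate; not a real key
SAMPLE_TEST_PK = build_x509_list(b"\x30\x82constructed: CN=DO NOT TRUST - AMI Test PK")
```

On a live Linux host, pass `open(PK_EFIVAR, "rb").read()[4:]` to `audit_pk` together with the certificate fingerprints your vendor or Binarly publishes; a non-None reason on the PK means the device should be treated as PKfail-affected until the OEM ships a firmware update with a production key.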

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
