A supply chain vulnerability that has been invisible for 12 years has been discovered in hundreds of devices from multiple vendors.
The PKfail vulnerability revolves around a Secure Boot test key that, if exploited, could allow attackers to completely take over the vulnerable endpoints and install malware and other dangerous code as they see fit.
The vulnerability was discovered by cybersecurity researchers from the Binarly Research Team, who noted that it starts with a Secure Boot “master key”, also known as a Platform Key (PK), which is generated by American Megatrends International (AMI).
A decades-old flaw in the supply chain
A PK is a critical component in the architecture of the Unified Extensible Firmware Interface (UEFI) Secure Boot process, designed to ensure that a computer boots only with software trusted by the Original Equipment Manufacturer (OEM). When a PK is first generated, AMI labels it as “NOT TRUST”, and informs upstream vendors to replace it with their own securely generated key.
However, it appears that many vendors have not done so. Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro all apparently failed to do so, leaving hundreds of computers at risk. Reportedly, over 800 products are affected.
Once a threat actor has access to a vulnerable device, they can exploit this issue to manipulate the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx), effectively bypassing Secure Boot. This in turn allows them to sign malicious code, allowing them to deploy UEFI malware.
“The first firmware vulnerable to PKfail was released in May 2012, while the last one was released in June 2024. Overall, this supply chain issue is one of the longest-running of its kind, with a duration of more than 12 years,” Binarly added.
“The list of affected devices, which currently includes nearly 900 devices, can be found in our BRLY-2024-005 advisory. A closer look at the scan results revealed that our platform extracted and identified 22 unique, untrusted keys.”
Through BleepingComputer