About 200K Linux systems from Framework shipped with signed UEFI components vulnerable to Secure Boot bypass, allowing bootkit installation and persistence.
Firmware security company Eclypsium warns that about 200,000 Linux systems from Framework are shipped with signed UEFI components vulnerable to Secure Boot bypass, allowing bootkit installation and persistence.
The experts pointed out that signed UEFI shells aren’t traditional backdoors placed by threat actors, instead, they’re legitimate diagnostic tools signed with trusted certificates that support functionality that can be abused to bypass security controls in the boot process.
Eclypsium found that Framework shipped signed UEFI shells containing a “memory modify” (mm) command granting direct read/write access to system memory. “mm” was integrated for diagnostic purposes, but it can be exploited to overwrite the gSecurity2 UEFI variable with NULL, breaking Secure Boot’s signature verification and disabling module signature checks.
“The attack targets a global variable called gSecurity2, which points to the Security Architectural Protocol. This protocol is called by the LoadImage function to verify digital signatures before loading any UEFI modules.” reads the report published by the cybersecurity firm. “Once the address is identified, the mm command can overwrite the security handler pointer with NULL or redirect it to a function that always returns “success” without performing any verification”
Attackers locate the UEFI security pointer gSecurity2 (used by LoadImage to verify signatures), find its memory address via UEFI shell commands, and patch the handler pointer to NULL or a no-op using mm, disabling signature checks. Once verification is disabled, attackers can load unsigned bootkits or rootkits.
They can drop a startup.nsh to rerun the bypass at every boot. Result: persistent, pre-OS control even though Secure Boot still appears enabled.
The researchers built Python and shell scripts to detect the “mm” command in UEFI shells and confirmed Framework-signed shells could alter memory and bypass Secure Boot. Further analysis revealed over 200,000 Framework devices were impacted. Fixes vary by model, e.g., 13th Gen Intel (3.08) and Ryzen 7040 (3.16) are fixed, while others await updates. Framework is issuing DBX updates to blacklist vulnerable shells.
Signed UEFI shells remain a major security risk, as past flaws (e.g., CVE-2022-34302, CVE-2023-48733, CVE-2024-7344) have allowed attackers to bypass Secure Boot. Once exploited, this can give nation-state or ransomware actors persistent, pre-OS access for espionage or sabotage. To defend, experts recommend updating UEFI revocation lists (DBX), using BIOS passwords, managing custom Secure Boot keys, and scanning firmware for vulnerable components.
“The attack surface “below” the operating system, encompassing firmware, bootloaders, and hardware components, presents a ripe target for threat actors. As our research demonstrates, attackers who can operate at this level can bypass virtually every security control we’ve built above it.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Secure Boot)
