
Linux systems from Framework shipped with signed UEFI components vulnerable to Secure Boot bypass

About 200K Linux systems from Framework shipped with signed UEFI components vulnerable to Secure Boot bypass, allowing bootkit installation and persistence.

Firmware security company Eclypsium warns that about 200,000 Linux systems from Framework are shipped with signed UEFI components vulnerable to Secure Boot bypass, allowing bootkit installation and persistence.

The experts pointed out that signed UEFI shells aren’t traditional backdoors placed by threat actors; instead, they are legitimate diagnostic tools, signed with trusted certificates, whose functionality can be abused to bypass security controls in the boot process.

Eclypsium found that Framework shipped signed UEFI shells containing a “memory modify” (mm) command that grants direct read/write access to system memory. “mm” was included for diagnostic purposes, but it can be used to overwrite the gSecurity2 global pointer with NULL, breaking Secure Boot’s signature verification and disabling module signature checks.

“The attack targets a global variable called gSecurity2, which points to the Security Architectural Protocol. This protocol is called by the LoadImage function to verify digital signatures before loading any UEFI modules.” reads the report published by the cybersecurity firm. “Once the address is identified, the mm command can overwrite the security handler pointer with NULL or redirect it to a function that always returns ‘success’ without performing any verification.”

Attackers locate the UEFI security pointer gSecurity2 (used by LoadImage to verify signatures), find its memory address via UEFI shell commands, and patch the handler pointer to NULL or a no-op using mm, disabling signature checks. Once verification is disabled, attackers can load unsigned bootkits or rootkits. They can also drop a startup.nsh to rerun the bypass at every boot. The result is persistent, pre-OS control even though Secure Boot still appears enabled.

The researchers built Python and shell scripts to detect the “mm” command in UEFI shells and confirmed that Framework-signed shells could alter memory and bypass Secure Boot. Further analysis revealed that over 200,000 Framework devices are affected. Fixes vary by model: for example, 13th Gen Intel (3.08) and Ryzen 7040 (3.16) are fixed, while other models await updates. Framework is also issuing DBX updates to blacklist the vulnerable shells.
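As an added example in the spirit of the detection just described (this is not the researchers' script, which the article does not reproduce), the following Python check walks a mounted EFI System Partition, flags EFI binaries that embed the mm command name as a whole UTF-16LE word (alongside a few other EDK2 Debug1 commands that expose raw memory or variable writes), and reports any startup.nsh that invokes mm. The command names are those of the EDK2 shell's Debug1 set; the mount point and file-name heuristics are assumptions.

```python
import re
import struct
from pathlib import Path

# EDK2 "Debug1" shell commands that expose raw memory or variable writes; mm is the
# one the report describes. Shell binaries store command names as UTF-16LE strings.
RISKY_COMMANDS = ("mm", "dmem", "setvar", "dmpstore")

def is_pe_image(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def _is_word_unit(unit: bytes) -> bool:
    """Is this 2-byte UTF-16LE code unit a letter or digit?"""
    return len(unit) == 2 and unit.decode("utf-16-le", "replace").isalnum()

def shell_commands_in_image(data: bytes) -> set:
    """Risky command names present as whole UTF-16LE words ('comm' and 'memmap' are not 'mm')."""
    found = set()
    for name in RISKY_COMMANDS:
        for m in re.finditer(re.escape(name.encode("utf-16-le")), data):
            before = data[max(0, m.start() - 2):m.start()]
            after = data[m.end():m.end() + 2]
            if not _is_word_unit(before) and not _is_word_unit(after):
                found.add(name)
                break
    return found

def mm_lines_in_nsh(raw: bytes) -> list:
    """Lines of a startup.nsh (UTF-16 with BOM, or plain ASCII) whose command word is mm."""
    has_bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16") if has_bom else raw.decode("latin-1")
    # shell command names are case-insensitive; tolerate leading whitespace
    return [ln.strip() for ln in text.splitlines() if re.match(r"\s*mm(\s|$)", ln, re.I)]

def scan_esp(root: str) -> list:
    """Walk a mounted ESP: flag EFI binaries that carry mm and any startup.nsh that calls it."""
    findings = []
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        data = p.read_bytes()
        if p.suffix.lower() == ".efi" and is_pe_image(data):
            cmds = shell_commands_in_image(data)
            if "mm" in cmds:
                findings.append((str(p), "shell binary exposes " + ", ".join(sorted(cmds))))
        elif p.name.lower() == "startup.nsh":
            findings.extend((str(p), "startup.nsh invokes: " + ln) for ln in mm_lines_in_nsh(data))
    return findings
```

Run `scan_esp("/boot/efi")` (or wherever the ESP is mounted) and treat a hit as a lead rather than a verdict: the string match is a heuristic, and the remediation is the vendor firmware update plus the DBX entry, not just deleting the file.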


Signed UEFI shells remain a major security risk, as past flaws (e.g., CVE-2022-34302, CVE-2023-48733, CVE-2024-7344) have allowed attackers to bypass Secure Boot. Once exploited, this can give nation-state or ransomware actors persistent, pre-OS access for espionage or sabotage. To defend, experts recommend updating UEFI revocation lists (DBX), using BIOS passwords, managing custom Secure Boot keys, and scanning firmware for vulnerable components.
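A DBX update only protects a machine if the revoked hash is actually present in its dbx variable. As an added example (not Framework's or Eclypsium's code), this Python parser walks the EFI_SIGNATURE_LIST chain in a dbx blob and checks whether a given Authenticode SHA-256 hash is revoked. The efivarfs path and its 4-byte attribute prefix are standard Linux behaviour; build_sha256_list exists only to construct sample data; and the hash you check must be the PE Authenticode digest of the shell binary, not a plain sha256sum of the file.

```python
import struct
import uuid
from pathlib import Path

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# dbx lives in the EFI_IMAGE_SECURITY_DATABASE_GUID namespace; efivarfs exposes it under this name
DBX_EFIVAR = Path("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")

def parse_signature_lists(buf: bytes) -> list:
    """Walk a chain of EFI_SIGNATURE_LIST structures; return (type_guid, owner_guid, data) triples."""
    entries, off = [], 0
    while off + 28 <= len(buf):
        sig_type = uuid.UUID(bytes_le=buf[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", buf, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(buf):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + SignatureData
            owner = uuid.UUID(bytes_le=buf[pos:pos + 16])
            entries.append((sig_type, owner, buf[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def revoked_sha256_hashes(buf: bytes) -> set:
    """Hex digests of every EFI_CERT_SHA256 entry in a dbx blob (Authenticode PE hashes)."""
    return {data.hex() for t, _, data in parse_signature_lists(buf) if t == EFI_CERT_SHA256_GUID}

def is_revoked(buf: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given Authenticode SHA-256 of an EFI binary is on the revocation list."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(buf)

def read_dbx_from_efivars(path: Path = DBX_EFIVAR) -> bytes:
    """efivarfs prefixes each variable's payload with a 4-byte attributes word; strip it."""
    return path.read_bytes()[4:]

def build_sha256_list(hashes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Assemble one EFI_SIGNATURE_LIST of SHA-256 entries (used here only to construct sample data)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + 32) + body
```

On a live system, `is_revoked(read_dbx_from_efivars(), shell_hash)` answers whether the vendor's DBX entry has actually landed; reading efivarfs normally needs root.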

“The attack surface ‘below’ the operating system, encompassing firmware, bootloaders, and hardware components, presents a ripe target for threat actors. As our research demonstrates, attackers who can operate at this level can bypass virtually every security control we’ve built above it.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Secure Boot)