A significant security flaw known as ‘PKFail’ has been discovered, impacting potentially millions of devices that utilize Intel and ARM microprocessors. Researchers have revealed that a compromised cryptographic key, which they say should never have been on consumer or enterprise PCs, allows attackers to bypass the Secure Boot process, exposing these devices to potential malware attacks.
This occurred because the key, intended as a test key, was included in AMI’s reference implementation with the expectation that it would be replaced by downstream entities in the supply chain, but never was. The PKFail vulnerability affects major vendors such as Lenovo, HP, Asus, and SuperMicro, making it possible for attackers to manipulate key security databases and deploy malicious firmware.
Despite some vendors already issuing firmware updates to replace the compromised key, many devices remain at risk due to the slow deployment of these patches in critical systems. Organizations are advised to disconnect vulnerable devices from critical networks until updates are applied.
Why It Matters: The PKFail vulnerability represents a critical security risk because it undermines the Secure Boot process, a fundamental feature designed to protect the integrity of devices from startup. This flaw can lead to severe consequences, including persistent malware infections and compromised system security, affecting both consumer and enterprise environments. Rogier Fischer, CEO of Netherlands-based Hadrian, likens it to having a master key that unlocks many houses, emphasizing that since the same keys are used across different devices, one breach can affect many systems, making the problem widespread.
- Compromised Platform Key: The PKFail issue arises from a compromised Platform Key (PK) from American Megatrends International (AMI), leaked in 2018 and improperly used by several vendors in their devices. This key is crucial in the Secure Boot process, which ensures the integrity of a device’s firmware and boot software.
- Security Implications: Attackers with access to the private part of the PK can bypass Secure Boot by manipulating key security databases. This allows the deployment of Unified Extensible Firmware Interface (UEFI) bootkits, leading to persistent malware infections and elevated privileges.
- Historical Context and Ongoing Risks: The PKFail issue highlights longstanding problems with cryptographic key management in the device supply chain. Previous incidents, such as the 2016 CVE-2016-5247, also involved shared test keys. The widespread use of non-production keys in production environments continues to pose significant security risks.
Go Deeper -> Millions of Devices Vulnerable to ‘PKFail’ Secure Boot Bypass Issue – Dark Reading
PKfail Secure Boot Bypass Lets Attackers Install UEFI Malware – Bleeping Computer