CISA Issues a Call to Action for Improved UEFI Security

On August 3, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a call to action addressing the challenges we face securing UEFI and responding to incidents where attackers have leveraged weaknesses in UEFI implementations. The article “A Call to Action: Bolster UEFI Cybersecurity Now” underscores the importance of securing the UEFI ecosystem.

CISA stated what we here at Eclypsium have long believed: UEFI represents an important software component of a critical attack surface that must be protected, even going so far as to call it the mechanism that “gets you from an intricate brick of lifeless silicon to your operating system.”

In addition to explicitly calling out BlackLotus (a threat we tracked and warned the community about in the article BlackLotus – A Threat Coming To A System Near You) as an active threat that takes advantage of weaknesses in UEFI (and the certificate revocation process), CISA underscored the persistence attackers achieve when exploiting UEFI:

“Attackers have exploited UEFI implementation flaws to gain persistence – that is, the ability to maintain access to a compromised system despite system resets and defensive actions. Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode.”

BlackLotus is a recent example of an in-the-wild attack targeting UEFI (and Secure Boot). We’ve documented several recent campaigns that use exploits and malware specifically targeting UEFI and summarized them in the article Firmware Attacks: An Endpoint Timeline. That article also describes several attacker motives for targeting UEFI, including persistence, impact on the operations of a system, stealth, and gaining the highest levels of privilege.

CISA goes on to identify vulnerability response, including key/revocation list management and processes, as being an integral part of the solution:

“UEFI vulnerability response, including timely and effective update mechanisms with standard PKI, needs to be designed into UEFI software engineering.”

Eclypsium has discovered numerous vulnerabilities in UEFI (and other firmware), including Supply Chain Risk from Gigabyte App Center Backdoor (a backdoor rather than a vulnerability, yet still a threat), One Bootloader to Rule them All, Everyone Gets A Rootkit, and BootHole, and presented on Secure Boot as far back as 2013 at Black Hat USA in a talk titled “A Tale of One Software Bypass of Windows 8 Secure Boot.” The remediation discussed in the context of this research focuses on the two items CISA calls out: updating firmware in an effective manner and managing PKI and revocation in a timely manner. If you would like more context on PKI (and keys in general) within Intel systems, as an example, refer to our articles The Keys To The Kingdom and The Intel Boot Process.

CISA listed several recommendations for improving UEFI cybersecurity, including:

  • “System owners should be able to audit, manage, and update UEFI components just like any other software that is being acquired”
  • “Operational teams should expect to be able to collect, analyze, and respond to event logs that identify UEFI-related activities (e.g., changes, updates, add/remove components)”

Firmware, such as UEFI, should be treated the same as other software that resides on the system. Many guidelines and compliance regulations offer guidance on how organizations deal with software updates, vulnerabilities, and patching. CISA states that UEFI should get the same treatment, and we agree: our product makes it easier for IT and Security teams to audit, manage, and update UEFI components. CISA calls for event logs to help identify UEFI-related activities, and while this is a good starting point, we have the ability to dig deeper. Our solution allows you to trigger specific UEFI security-related events in addition to identifying firmware that may have been tampered with by an attacker.
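The two controls CISA calls out, auditing UEFI components and managing revocation (the Secure Boot dbx list that the BlackLotus mitigation hinges on), come down to reading a handful of UEFI variables and parsing them. The following is an added example written for this article; it is not Eclypsium's product code or CISA's. It decodes the SecureBoot variable and walks the EFI_SIGNATURE_LIST chain that makes up db/dbx, as laid out in the UEFI specification, and reports which boot image hashes are revoked. The input is a constructed dbx blob built inline; on a Linux host the same bytes come from /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c (efivarfs prefixes each with 4 attribute bytes, which the helper strips). The owner GUID and image hashes are constructed placeholders, and the hashes are plain SHA-256 over sample bytes; a real dbx entry for a PE bootloader holds the Authenticode image hash, which you would compute with a PE-aware tool before calling the check.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification for db/dbx entries.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16) + ListSize (4) + HeaderSize (4) + SigSize (4)
_ESL_HDR = 28


def efivarfs_payload(raw):
    """Strip the 4-byte attribute prefix that Linux efivarfs prepends to every variable."""
    if len(raw) < 4:
        raise ValueError("efivarfs record too short")
    return raw[4:]


def secure_boot_enabled(raw_var):
    """SecureBoot is a single byte: 1 = enforcing, 0 = off."""
    payload = efivarfs_payload(raw_var)
    return len(payload) >= 1 and payload[0] == 1


def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a db/dbx blob."""
    off = 0
    while off + _ESL_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < _ESL_HDR or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + _ESL_HDR + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(dbx_blob):
    """The set of SHA-256 image hashes that firmware will refuse to boot."""
    return {data for t, _, data in parse_signature_lists(dbx_blob) if t == EFI_CERT_SHA256_GUID}


def audit_report(secureboot_raw, dbx_raw, boot_images):
    """Summarize Secure Boot state and which of the given image hashes are revoked.
    boot_images maps a label to the 32-byte hash the firmware would check against dbx."""
    revoked = revoked_sha256_hashes(efivarfs_payload(dbx_raw))
    return {
        "secure_boot_enabled": secure_boot_enabled(secureboot_raw),
        "dbx_sha256_entries": len(revoked),
        "revoked_images": sorted(name for name, h in boot_images.items() if h in revoked),
    }


# --- constructed sample data (not taken from any real system) ---------------------
def _esl(sig_type, owner, entries):
    """Serialize one EFI_SIGNATURE_LIST; all entries in a list share one SignatureSize."""
    sig_size = 16 + len(entries[0])
    hdr = sig_type.bytes_le + struct.pack("<III", _ESL_HDR + sig_size * len(entries), 0, sig_size)
    return hdr + b"".join(owner.bytes_le + e for e in entries)


OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder owner GUID
REVOKED_A = hashlib.sha256(b"constructed revoked bootloader A").digest()
REVOKED_B = hashlib.sha256(b"constructed revoked bootloader B").digest()
# dbx with two SHA-256 entries plus one (fake) revoked certificate entry, all efivarfs-prefixed.
SAMPLE_DBX = b"\x27\x00\x00\x00" + _esl(EFI_CERT_SHA256_GUID, OWNER, [REVOKED_A, REVOKED_B]) \
    + _esl(EFI_CERT_X509_GUID, OWNER, [b"constructed DER certificate bytes"])
SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    images = {"old-bootmgfw": REVOKED_A,
              "current-shim": hashlib.sha256(b"constructed current bootloader").digest()}
    print(audit_report(SECUREBOOT_ON, SAMPLE_DBX, images))
```

A report with Secure Boot off, or with a currently deployed image appearing under revoked_images, is exactly the kind of finding an operations team should be able to surface from inventory data and act on, in the same way it would act on an unpatched application.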

Organizations should heed CISA’s call to action and consider how to start treating their firmware and larger infrastructure attack surface as first-class citizens when it comes to implementing basic security controls. CISA recommends reading a UEFI security guide developed by Carnegie Mellon University (and funded by CISA) titled Securing UEFI: An Underpinning Technology for Computing and following the NSA’s BlackLotus Mitigation Guide. Eclypsium has also published guidance on this subject, including a recent paper titled “The Ultimate Guide to Supply Chain Security”. Eclypsium’s solution helps enterprises monitor and track firmware threats throughout the infrastructure supply chain as outlined in both of the aforementioned documents, including the detection of BlackLotus, tampering of bootloaders and firmware, and supporting the firmware updates critical to remediation. Organizations should also be aware that UEFI is but one type of firmware that is exploited within the supply chain. Recently the Eclypsium team has detailed flaws in BMCs (Baseboard Management Controllers) (see BMC&C: Lights Out Forever) and network appliances (see Understanding the Latest Attacks on Network Devices and Services and What You Can Do About It). For more information and continuing coverage of firmware and supply chain topics, you can also listen to our Below The Surface podcast, where we discuss recent threats with cybersecurity experts.