PKFail Secure Boot Vulnerability Risks Millions of Devices
Several vendors for consumer and enterprise PCs share a compromised crypto key that should never have been on the devices in the first place.
Attackers can bypass the Secure Boot process on millions of Intel and ARM microprocessor-based computing systems from multiple vendors, because they all share a previously leaked cryptographic key used in the device startup process.
The so-called Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain, and verifies the authenticity and integrity of a device’s firmware and boot software.
Unfortunately, researchers from firmware security vendor Binarly discovered that the key had been publicly exposed in a data leak back in 2018. “This key was likely included in [AMI’s] reference implementation with the expectation that it would be replaced with another safely generated key by downstream entities in the supply chain,” Binarly said in a posting on the issue this week.
The PKFail Secure Boot Issue
What appears to have happened is that an original equipment manufacturer (OEM) used the AMI test key for firmware it produced for different Intel and ARM-based device makers. The result is there are potentially millions of consumer and enterprise devices around the world that are currently using the same compromised AMI PK during the secure bootup process, says Alex Matrosov, CEO and founder of Binarly. Affected vendors include Lenovo, HP, Asus, and SuperMicro.
“An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database,” says Matrosov, who has dubbed the issue as “PKFail.” The issue makes it easier for attackers to, among other things, deploy Unified Extensible Firmware Interface (UEFI) bootkits like last year’s BlackLotus, which offer persistent kernel access and privileges.
“The fix is easy: the compromised key needs to be replaced, and device vendors need to ship a firmware update,” Matrosov says. Several have already done so, he notes. However, in many cases — as with data center servers, for instance, or for systems used in critical applications — the firmware updates could take some time to be deployed.
“Exploitation of this issue is trivial in the case that the device is impacted,” he says, pointing to a proof-of-concept exploit (PoC) that Binarly developed for PKFail. Matrosov recommends that organizations disconnect devices with the leaked AMI PK from critical networks until they are able to deploy a firmware upgrade.
A Master Key and a Really Big Deal
The PKfail issue is a big deal because it makes it easy for hackers to bypass Secure Boot, which is like having a master key that unlocks many houses, said Rogier Fischer, CEO of Netherlands-based Hadrian in an emailed comment. “Since the same keys are used across different devices, one breach can affect many systems, making the problem widespread,” he said.
PKFail is the latest manifestation of a problem that has been around for more than a decade, which is the tendency by OEMs and device-makers to use non-production and test cryptographic keys in production firmware and devices, Matrosov says. The AMI PK, for instance, was clearly meant to be treated as completely untrusted, and yet it ended up in devices from multiple vendors.
Binarly’s report pointed to an incident in 2016 tracked as CVE-2016-5247, where security researchers discovered multiple Lenovo devices that shared the same AMI test PK. At the time, the National Vulnerability Database described the issue as allowing “local users or physically proximate attackers to bypass the Secure Boot protection mechanism by leveraging an AMI test key.”
Ultimately, PKFail is a manifestation of poor cryptographic key management practices in the device supply chain, Binarly said in its report.
“This is a huge problem,” Matrosov says. “If you think about an apartment complex where all the door locks have the same keys. If one key goes missing, it could create problems for everyone.”
PKfail Vulnerability Allows Attackers to Bypass Secure Boot and Install UEFI Malware
Hundreds of UEFI products across ten major vendors are vulnerable to a significant firmware supply-chain issue known as PKfail. This critical flaw allows attackers to bypass Secure Boot and install malware, posing a severe threat to device security.
Discovery and Impact
The Binarly Research Team uncovered that affected devices utilize a test Secure Boot “master key,” or Platform Key (PK), generated by American Megatrends International (AMI). This key was labeled “DO NOT TRUST,” indicating that it should be replaced by securely generated keys from upstream vendors. Unfortunately, many OEMs and device manufacturers did not replace this key, resulting in devices being shipped with untrusted keys.
Affected Vendors
The vulnerability spans 813 products from vendors including Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro.
Supply Chain Security Incidents
In May 2023, Binarly identified a security incident involving leaked private keys from Intel Boot Guard, affecting multiple vendors. This incident was first reported by BleepingComputer, highlighting that the Money Message extortion gang had leaked MSI source code for firmware used in the company’s motherboards. This leak included image signing private keys for 57 MSI products and Intel Boot Guard private keys for another 116 MSI products.
Earlier in the year, a private key from AMI related to the Secure Boot “master key” was also leaked, affecting various enterprise device manufacturers. Alarmingly, these compromised keys are still in use and have been found in recently released enterprise devices.
Exploitation and Risks
According to Binarly, exploiting the PKfail vulnerability allows attackers with access to vulnerable devices and the private part of the Platform Key to bypass Secure Boot. They achieve this by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx). Once they compromise the entire security chain from firmware to the operating system, they can sign malicious code, enabling the deployment of UEFI malware such as CosmicStrand and BlackLotus.
Historical Context
The first firmware vulnerable to PKfail was released in May 2012, with the most recent release in June 2024. This makes PKfail one of the longest-lasting supply-chain issues, spanning over 12 years. The BRLY-2024-005 advisory details almost 900 affected devices, with 22 unique untrusted keys identified through scan results.
Mitigation Recommendations
To address PKfail, vendors should adhere to cryptographic key management best practices, such as using Hardware Security Modules (HSMs) for generating and managing Platform Keys. It is crucial to replace any test keys provided by independent BIOS vendors like AMI with securely generated keys.
Users are advised to monitor firmware updates from device vendors and promptly apply any security patches that address the PKfail issue. Additionally, Binarly has launched the pk.fail website, which offers a free tool for users to scan firmware binaries to detect PKfail-vulnerable devices and malicious payloads.
To Sum Up
The PKfail vulnerability underscores the importance of robust key management practices in securing firmware supply chains. Vendors and users must remain vigilant, ensuring that devices are protected against such critical flaws to maintain the integrity of the Secure Boot process and overall system security.