The PKfail vulnerability is a significant security issue affecting over 200 device models of Secure Boot. PKfail is a critical firmware supply-chain issue that undermines the Secure Boot process in the UEFI ecosystem.
Secure Boot ensures that only trusted software is loaded during the boot process, preventing unauthorized code execution. However, PKfail compromises this security feature by exploiting weaknesses in managing Platform Keys (PKs).
- Platform Key (PK): The PK is a “master key” in the UEFI Secure Boot architecture, responsible for managing Secure Boot databases and maintaining the chain of trust from firmware to the operating system.
- Untrusted Keys: The vulnerability arises because many devices ship with untrusted test keys generated by Independent BIOS Vendors (IBVs) like American Megatrends International (AMI). These test keys are often not replaced by Original Equipment Manufacturers (OEMs) or device vendors with securely generated keys.
- Leaked Keys: Private keys from Intel Boot Guard and AMI were leaked, allowing attackers to bypass Secure Boot by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx).
PKfail allows attackers to completely bypass Secure Boot protections, which are important for keeping the boot process safe. Attackers can potentially install persistent UEFI malware like bootkits, which can survive operating system reinstalls and are very difficult to detect and remove.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
The Binarly Research Team found that many products use a test Platform Key created by American Megatrends International (AMI). This key was probably included in their reference implementation with the expectation that it would be replaced with another key generated safely.
The vulnerability is so widespread that it could be used to launch large-scale attacks on multiple vendors in the supply chain.
PKfail Vulnerability Affects Multiple vendors
The PKfail vulnerability affects hundreds of UEFI products from multiple vendors, including Acer, Dell, Fujitsu, HP, Intel, Lenovo, and Supermicro. The issue spans over a decade, with the first vulnerable firmware released in May 2012 and the latest in June 2024. Exploiting this vulnerability allows attackers to:
- Bypass Secure Boot.
- Install UEFI malware such as CosmicStrand and BlackLotus.
- Compromise the entire security chain from firmware to the operating system.
To address the PKfail vulnerability, the following steps are recommended:
For Device Vendors:
- Replace Test Keys: Ensure that any test keys provided by IBVs are replaced with securely generated keys before shipping devices.
- Cryptographic Key Management: Follow best practices for cryptographic key management, such as using Hardware Security Modules (HSMs) to generate and store keys securely.
- Firmware Updates: Issue firmware updates to replace untrusted keys and address vulnerabilities. Continuous monitoring and updating of firmware are crucial to maintaining security.
For Users:
- Apply Security Patches: Regularly check for and apply firmware updates from device vendors to address PKfail vulnerabilities.
- Monitor Devices: Use tools like the PKfail scanner provided by Binarly to detect vulnerable devices and malicious payloads. The scanner is available for free at pk.fail.
General Best Practices:
- Stay Informed: Keep up-to-date with security advisories and updates from device manufacturers.
- Secure Boot Configuration: Ensure that Secure Boot is properly configured and that only trusted keys are used in the Secure Boot databases.
The PKfail vulnerability reveals significant vulnerabilities in the UEFI ecosystem’s supply chain security. By following the recommended strategies to reduce the risk of exploitation, both device vendors and users can improve their devices’ overall security.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo