A significant vulnerability in the UEFI Secure Boot process, known as “PKfail,” has been uncovered by researchers at Binarly. This flaw poses a serious risk to the security of a wide range of devices due to the mishandling of Platform Keys (PK), which are essential for Secure Boot functionality.
Discovery of the Vulnerability
The PKfail vulnerability was identified during an investigation into a data leak involving American Megatrends International (AMI). This leak revealed the private Platform Key used in Secure Boot, which was accidentally made public. The exposed key is utilized in the firmware of numerous devices, including some recently launched enterprise models, and was found to be a non-production cryptographic key.
Earlier in 2023, Binarly had reported a similar issue concerning Intel Boot Guard, where private keys were leaked and misused in production environments. These recurring incidents highlight ongoing vulnerabilities in supply chain security within the tech industry.
Scope and Implications
The PKfail vulnerability impacts hundreds of device models across the UEFI ecosystem. The core issue arises from the use of test Platform Keys generated by Independent BIOS Vendors (IBVs) like AMI, which were not replaced by subsequent entities in the supply chain. These untrusted keys, originally intended for testing, were embedded in firmware images from various manufacturers.
A thorough analysis of UEFI firmware images, covering tens of thousands of devices from major companies like Lenovo, Dell, HP, and Intel, revealed that over 10% of these images contained untrusted Platform Keys. The earliest identified vulnerable firmware dates back to May 2012, with the most recent instance found in June 2024, indicating a prolonged period of potential security vulnerabilities.
Technical Overview of PKfail
The PKfail vulnerability is characterized by several critical issues:
- Poor Cryptographic Management: Private keys were found in code repositories with hardcoded paths in build scripts.
- Non-Production Keys in Production: Non-production cryptographic keys were improperly used in production firmware.
- Lack of Key Rotation: The same cryptographic keys were reused across different product lines and devices, increasing risk.
- Cross-OEM Key Usage: Shared keys among various manufacturers heightened exposure to vulnerabilities.
source – CyberInsider
Mitigation Strategies
To combat the PKfail vulnerability, Binarly has introduced a free scanning tool available at PK.fail, designed to help the security community identify vulnerable devices and firmware. This tool utilizes advanced Binary Intelligence technology and boasts a near-zero false positive rate.
Binarly has collaborated with CERT/CC and various vendors, including Dell, to address the vulnerability. Dell notably employed the Binarly Transparency Platform to identify and resolve the issue across their product lines. Although some Dell devices were initially found to be vulnerable, effective mitigations have since been implemented.
Recommendations
For Vendors:
Ensure Platform Key generation and management adhere to best practices, utilizing Hardware Security Modules (HSMs).
Replace any test keys from IBVs with securely generated keys.
For Users:
Stay updated on firmware releases and promptly apply security patches.
Follow best practices for device and network security, including restricting physical access to devices.
Check for signs of PKfail on your devices by visiting pk.fail.
This discovery underscores the importance of robust security practices in the tech industry, particularly regarding supply chain vulnerabilities.
Leave a Reply