A supply chain vulnerability, present in hundreds of devices from numerous vendors, has been discovered after hiding in plain sight for 12 years. 

The PKfail vulnerability revolves around a test Secure Boot “master key” which if abused, can grant threat actors the ability to completely take over the vulnerable endpoints, and install malware and other dangerous code as they see fit.

The flaw was found by cybersecurity researchers from the Binarly Research Team, who noted it starts with a Secure Boot “master key”, also known as a Platform Key (PK), which is generated by American Megatrends International (AMI).

A decade-old supply-chain flaw

A PK is an essential component in the architecture of the Unified Extensible Firmware Interface (UEFI) Secure Boot process, designed to ensure that a computer boots only with software trusted by the Original Equipment Manufacturer (OEM). When it first generates a PK, AMI labels it as “DO NOT TRUST”, notifying upstream vendors to replace it with their own, securely generated key.

However, it seems that many vendors didn’t do it. Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro, all apparently failed to do so, putting hundreds of computers at risk. Allegedly, more than 800 products are affected.

When a threat actor has access to a vulnerable device, they can exploit this problem to manipulate the Key Exchange Key (KEK) database, the Signature Database (db) and the Forbidden Signature Database (dbx), and thus effectively bypass Secure Boot. That, in turn, allows them to sign malicious code, which allows them to deploy UEFI malware.

“The first firmware vulnerable to PKfail was released back in May 2012, while the latest was released in June 2024. Overall, this makes this supply-chain issue one of the longest-lasting of its kind, spanning over 12 years,” Binarly added.

“The list of affected devices, which at the moment contains almost 900 devices, can be found in our BRLY-2024-005 advisory. A closer look at the scan results revealed that our platform extracted and identified 22 unique untrusted keys.”

Via BleepingComputer

More from TechRadar Pro

Services MarketplaceListings, Bookings & Reviews

Entertainment blogs & Forums

30 yr old married.