Introduction
A critical vulnerability [3] [5] [8] [9], identified as CVE-2024-7344 [4] [9], has been discovered in the Unified Extensible Firmware Interface (UEFI) Secure Boot mechanism. This flaw poses significant risks to UEFI security practices, particularly affecting systems with Microsoft’s third-party UEFI signing enabled [2] [8] [9]. The vulnerability allows privileged attackers to execute untrusted code during the boot process, impacting several real-time system recovery software suites [5] [8] [9].
Description
A significant vulnerability [5] [7] [8] [9], tracked as CVE-2024-7344 [1] [6] [9], has been identified in the Unified Extensible Firmware Interface (UEFI) Secure Boot mechanism, posing substantial risks to UEFI security practices. Discovered by ESET researchers [5], this flaw primarily affects UEFI-based systems with Microsoft’s third-party UEFI signing enabled [2] [9], allowing privileged attackers to execute untrusted code during the boot process.
The vulnerability impacts several real-time system recovery software suites from vendors including Howyar Technologies [9], Greenware Technologies [2] [3] [8] [9], Radix Technologies [2] [3] [8] [9], Sanfong [3] [4] [5] [8], WASAY Software Technology [3] [8] [9], Computer Education System [3] [8] [9], and Signal Computer [3] [4] [5] [8] [9]. Specifically, the vulnerable products include:
- Howyar SysReturn (versions prior to 10.2.023_20240919) [3] [8]
- Greenware GreenGuard (versions prior to 10.2.023-20240927) [3] [5] [8]
- Radix SmartRecovery (versions prior to 11.2.023-20240927) [3] [5] [8]
- Sanfong EZ-back System (versions prior to 10.3.024-20241127) [3] [5] [8]
- WASAY eRecoveryRX (versions prior to 8.4.022-20241127) [3] [5] [8]
- CES NeoImpact (versions prior to 10.1.024-20241127) [8]
- SignalComputer HDD King (versions prior to 10.3.021-20241127) [3] [5]
All of these products utilize “reloader.efi,” a Microsoft-signed Extensible Firmware Interface (EFI) file [4].
The root cause of CVE-2024-7344 lies in the improper use of a custom PE loader within the reloader.efi application, which fails to perform necessary integrity checks and allows the loading of unsigned binaries from a specially crafted file named cloak.dat, irrespective of the Secure Boot state [3] [9]. This flaw effectively creates a backdoor that bypasses UEFI Secure Boot protections, enabling attackers to replace legitimate bootloader binaries with malicious ones on the EFI System Partition (ESP) [5]. Exploitation requires elevated privileges [8] [9], such as local administrator rights on Windows or root access on Linux [5], and can lead to the deployment of malicious UEFI bootkits [3], including Bootkitty and BlackLotus [5], even when Secure Boot is enabled [5].
CVE-2024-7344 has been assigned a medium severity rating of 6.5 on the Common Vulnerability Scoring System (CVSS) [4], as exploitation necessitates administrator privileges. The vulnerability was reported to the CERT Coordination Center (CERT/CC) in June 2024 [3], which facilitated communication with affected vendors [3]. Microsoft coordinated a fix for the January 14, 2025 Patch Tuesday update [9], revoking the old binaries [9]. However, the incident raises broader concerns about the security practices of third-party UEFI software and the code-signing process for UEFI applications.
Experts caution that while no real-world exploitation attempts have been detected [5], vulnerabilities like CVE-2024-7344 could be weaponized by sophisticated threat actors if left unpatched [5]. The increasing number of UEFI vulnerabilities and the slow response in patching or revoking vulnerable binaries suggest that UEFI Secure Boot [2], implemented since 2012 to establish a chain of trust by verifying the digital signatures of firmware components and the OS bootloader [1], should not be viewed as an impenetrable barrier [2]. Users are advised to promptly update their systems with the latest UEFI revocations from Microsoft or their respective operating system vendors [5]; Windows users receive the updates automatically through Windows Update, and Linux users obtain them via the Linux Vendor Firmware Service [5]. Additional protective measures include managed access to files on the EFI system partition [3], UEFI Secure Boot customization [3], and remote attestation with a TPM [3]. Applying these updates mitigates CVE-2024-7344, and the case underlines the importance of robust firmware security practices and timely patch management [5].
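The following added example, which is not code from ESET, Microsoft or any affected vendor, scans a mounted EFI System Partition for the two file names this article mentions and hashes any loader it finds so it can be looked up in vendor advisories. The sample directory names, the dummy file contents and the priority labels are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# File names come from the article; the ESP is FAT, so match case-insensitively.
LOADER, PAYLOAD = "reloader.efi", "cloak.dat"

def sha256_of(path):
    """Plain file hash for advisory lookups (not the Authenticode hash used in dbx)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_esp(esp_root):
    """Report every directory under esp_root holding the loader and/or payload file."""
    findings = []
    for dirpath, _dirs, files in os.walk(esp_root):
        by_lower = {name.lower(): name for name in files}
        loader, payload = by_lower.get(LOADER), by_lower.get(PAYLOAD)
        if not (loader or payload):
            continue
        findings.append({
            "dir": os.path.relpath(dirpath, esp_root),
            "loader": loader,
            "payload": payload,
            "loader_sha256": sha256_of(os.path.join(dirpath, loader)) if loader else None,
            # Both files side by side is the layout the article describes;
            # a lone hit still means the product version needs checking.
            "priority": "high" if loader and payload else "review",
        })
    return sorted(findings, key=lambda f: f["dir"])

def build_sample_esp(root):
    """Constructed sample tree with dummy contents, for offline demonstration only."""
    layout = {
        "EFI/Microsoft/Boot/bootmgfw.efi": b"dummy",
        "EFI/Vendor/RELOADER.EFI": b"dummy loader",
        "EFI/Vendor/Cloak.dat": b"dummy payload",
        "EFI/Old/reloader.efi": b"dummy loader",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_esp(tmp)
        for finding in scan_esp(tmp):
            print(finding)
```

On Linux the ESP is commonly mounted at /boot/efi or /boot. A hit means the installed product's version should be compared with the fixed versions listed above.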
The discovery of CVE-2024-7344 underscores ongoing concerns regarding the security of UEFI applications [3], particularly the use of unsafe techniques in third-party UEFI software [3]. This vulnerability follows a similar incident (CVE-2022-34302) involving a Microsoft-signed UEFI application with an unsafe PE loader [3], raising questions about the prevalence of such vulnerabilities in signed UEFI applications and the need for greater transparency from Microsoft in the signing process to enhance security and facilitate quicker reporting of unsafe applications.
Conclusion
The identification of CVE-2024-7344 highlights significant vulnerabilities within UEFI Secure Boot mechanisms, emphasizing the need for improved security practices and timely updates. While no exploitation attempts have been detected [5], the potential for sophisticated threat actors to exploit such vulnerabilities remains a concern. Users are urged to apply the latest updates and consider additional protective measures to safeguard their systems. The incident also calls for greater transparency and scrutiny in the UEFI code-signing process to prevent similar vulnerabilities in the future.
References
[1] https://weeklygeek.net/tech/microsoft-patches-windows-to-eliminate-secure-boot-bypass-threat/
[2] https://www.techtarget.com/searchSecurity/news/366618102/ESET-details-UEFI-Secure-Boot-bypass-vulnerability
[3] https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/
[4] https://www.darkreading.com/vulnerabilities-threats/trusted-apps-bug-uefi-boot-process
[5] https://cybersecuritynews.com/uefi-secure-boot-bypass-vulnerability/
[6] https://arstechnica.com/security/2025/01/microsoft-patches-windows-to-eliminate-secure-boot-bypass-threat/
[7] https://cyber.vumetric.com/security-news/2025/01/16/new-uefi-secure-boot-bypass-vulnerability-discovered-cve-2024-7344/
[8] https://www.helpnetsecurity.com/2025/01/16/uefi-secure-boot-bypass-vulnerability-cve-2024-7344/
[9] https://news.hackreports.com/new-uefi-secure-boot-vulnerability-could-allow-attackers-to-load-malicious-bootkits/




