A supply chain vulnerability has been discovered, present in hundreds of devices from numerous suppliers, that remained hidden in plain sight for 12 years.
The PKfail vulnerability revolves around a test secure boot “master key” that, if abused, can grant threat actors the ability to completely take over vulnerable endpoints and install malware and other dangerous code as they see fit.
The flaw was discovered by cybersecurity researchers from the Binarly research team, who noted that it starts with a secure boot “master key,” also known as a platform key (PK), which is generated by American Megatrends International (AMI).
A decade-long supply chain failure
A boot key (PK) is an essential component in the architecture of the Unified Extensible Firmware Interface (UEFI) secure boot process, designed to ensure that a computer boots only with software trusted by the original equipment manufacturer (OEM). When you generate a boot key for the first time, AMI labels it as “UNTRUSTED,” notifying upstream vendors to replace it with their own securely generated key.
However, it appears that many manufacturers have not done so. Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo and Supermicro have not done so, putting hundreds of computers at risk. More than 800 products are reportedly affected.
When a threat actor gains access to a vulnerable device, they can exploit this issue to manipulate the key exchange key database (KEK), signature database (db), and forbidden signature database (dbx), effectively bypassing Secure Boot. That, in turn, allows them to sign malicious code, enabling them to deploy UEFI malware.
“The first firmware vulnerable to PKfail was released in May 2012, while the last one was released in June 2024. Overall, this makes this supply chain issue one of the longest-running of its kind, lasting for over 12 years,” Binarly added.
“The list of affected devices, which currently contains almost 900 devices, can be found in our advisory BRLY-2024-005. Further analysis of the scan results revealed that our platform extracted and identified 22 unique untrusted keys.”
Through Computer beeping