CVE-2024-7344 (INSYDE-SA-2024021)

[JohnAZoidberg]

Splitting this out from #63.

INSYDE-SA-2024021 is GHSA-7xfj-4r7x-3733
This is not a vulnerability in Insyde BIOS, it's a third party application that's signed by the Microsoft UEFI keys.
Because we include the Microsoft public keys to be able to boot Windows, we are vulnerable to that.

The mitigation is simple, in future updates we will include dbx entries to blacklist this third party application.

But before that, it's also really easy to mitigate:

For Windows users the 2025 January 14 Update includes a DBX Update
For Linux users DBX can be updated using LVFS and an updated one is already available: fwupd.org/lvfs/devices/com.microsoft.dbx.x64.firmware

[JohnAZoidberg]

For LVFS/FWUPD, see: https://blogs.gnome.org/hughsie/2025/01/20/fwupd-2-0-4-and-dbxupdate-20241101/

I'm trying with 2.0.8 on Framework 13 (13th Gen Intel Core).

First checking the currrent DBX:

> fwupdtool get-devices --plugins uefi-dbx                                                                                          
Loading…                 [************************************** ]                                                                                  
Framework Laptop (13th Gen Intel Core)                                                                                                              
│                                                                                                                                                   
└─UEFI dbx:                                                                                                                                         
      Device ID:          362301da643102b9f38477387e2193e57abaa590                                                                                  
      Summary:            UEFI revocation database                                                                                                  
      Current version:    20230501                                                                                                                  
      Minimum Version:    20230501                                                                                                                  
      Vendor:             UEFI:Microsoft                                                                                                            
      Install Duration:   1 second                                                                                                                  
      GUIDs:              f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64 
                          f35e120a-eb92-570d-8d38-78aa8ffdeebe ← UEFI\CRT_AD53C146418710CD810BE527FE414C8EC093BE04CE92CABBF11E7A96E4B53B4D&ARCH_X64 
      Device Flags:       • Internal device                                                                                                         
                          • Updatable                                                                                                               
                          • Supported on remote server                                                                                              
                          • Needs a reboot after installation                                                                                       
                          • Cryptographic hash verification is available                                                                            
                          • Device is usable for the duration of the update                                                                         
                          • Only version upgrades are allowed                                                                                       
                          • Signed Payload                                                                                                          
                          • Can tag for emulation                                                                                                   

Now updating:

> sudo ./venv/bin/fwupdtool get-updates --plugins uefi-dbx
Loading…                 [************************************** ]
Framework Laptop (13th Gen Intel Core)
│
└─UEFI dbx:
  │   Device ID:          362301da643102b9f38477387e2193e57abaa590
  │   Summary:            UEFI revocation database
  │   Current version:    20230501
  │   Minimum Version:    20230501
  │   Vendor:             UEFI:Microsoft
  │   Install Duration:   1 second
  │   GUIDs:              f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
  │                       f35e120a-eb92-570d-8d38-78aa8ffdeebe ← UEFI\CRT_AD53C146418710CD810BE527FE414C8EC093BE04CE92CABBF11E7A96E4B53B4D&ARCH_X64
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │                       • Cryptographic hash verification is available
  │                       • Device is usable for the duration of the update
  │                       • Only version upgrades are allowed
  │                       • Signed Payload
  │                       • Can tag for emulation
  │ 
  └─Secure Boot dbx Configuration Update:
        New version:      20241101
        Remote ID:        lvfs
        Release ID:       105821
        Summary:          UEFI Secure Boot Forbidden Signature Database
        Variant:          x64
        License:          Proprietary
        Size:             15.1 kB
        Created:          2025-01-17
        Urgency:          High
        Vendor:           Linux Foundation
        Duration:         1 second
        Release Flags:    • Trusted metadata
                          • Is upgrade
        Description:      
        This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
        
        An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
        Issues:           529659
                          CVE-2024-7344
        Checksum:         d661d4a0aaca09dfa9e56967ca2467b0575fc07cb704d182fa8c68225452957f

> sudo fwupdtool update
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 20230501 to 20241101?                                  ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest      ║
║ release from Microsoft.                                                      ║
║                                                                              ║
║ An insecure version of Howyar's SysReturn software was added, due to a       ║
║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot.  ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
An update requires a reboot to complete. Restart now? [y|N]: 

After update and reboot.

> sudo fwupdtool get-devices --plugins uefi-dbx
Framework Laptop (13th Gen Intel Core)
│
└─UEFI dbx:
      Device ID:          362301da643102b9f38477387e2193e57abaa590
      Summary:            UEFI revocation database
      Current version:    20241101
      Minimum Version:    20241101
      Vendor:             UEFI:Microsoft
      Install Duration:   1 second
      GUIDs:              f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
                          f35e120a-eb92-570d-8d38-78aa8ffdeebe ← UEFI\CRT_AD53C146418710CD810BE527FE414C8EC093BE04CE92CABBF11E7A96E4B53B4D&ARCH_X64
      Device Flags:       • Internal device
                          • Updatable
                          • Supported on remote server
                          • Needs a reboot after installation
                          • Cryptographic hash verification is available
                          • Device is usable for the duration of the update
                          • Only version upgrades are allowed
                          • Signed Payload
                          • Can tag for emulation

[JohnAZoidberg]

To confirm that the vulnerability is mitigated, you can do the following:

First see that the hash of the x64 Howyar executable is CDB7C90D3AB8833D5324F5D8516D41FA990B9CA721FE643FFFAEF9057D9F9E48, see microsoft/secureboot_objects

Then you can check your system does include this hash in the dbx and therefore blocks execution of that vulnerable binary.

> efi-readvar | grep -i CDB7C90D3AB8833D5324F5D8516D41FA990B9CA721FE643FFFAEF9057D9F9E48
        Hash:cdb7c90d3ab8833d5324f5d8516d41fa990b9ca721fe643fffaef9057d9f9e48

[JohnAZoidberg]

Note that the windows and LVFS updates to DBX are NOT a BIOS update.
This makes the update process much simpler, only the EFI variable is updated and reboot is just a normal reboot.

[JohnAZoidberg]

On Windows you can check if DBX is up to date using: https://github.com/cjee21/Check-UEFISecureBootVariables