CVE CyberSecurity Database News

CVE-2024-28920 - Explaining the Secure Boot Security Feature Bypass Vulnerability (with Exploit Demo)

Poster -

---

Recent months have brought a critical vulnerability to light, one that affects the very foundation of system security - Secure Boot. Labeled CVE-2024-28920, this vulnerability exposes a method to bypass Secure Boot’s intended protection, putting thousands of Windows and Linux systems at risk. In this comprehensive post, I’ll break down what CVE-2024-28920 means, how the exploit works, and what admins and security pros can do to protect their networks.

What is Secure Boot?

Secure Boot is a security standard developed to ensure that a device boots using software that is trusted by the Original Equipment Manufacturer (OEM). When enabled and correctly implemented, Secure Boot helps to block unauthorized firmware, bootloaders, and operating system loaders from running during the boot process.

But what happens if there’s a flaw in the process? That’s exactly what CVE-2024-28920 is about.

CVE-2024-28920: The Vulnerability Explained

Discovered by independent security researchers in early 2024 and reported to Microsoft, CVE-2024-28920 is a security feature bypass in Secure Boot implementation. Attackers with local administrative privileges can exploit this vulnerability to load unsigned or malicious bootloaders even while Secure Boot is enabled.

Severity: Critical
CVSS Score: 7.8 (High)
Impacted systems: Mainly Windows (Windows 10, 11, Server versions) and some Linux distributions on UEFI systems.

The official advisory can be found here:
🔗 Microsoft Security Response Center: CVE-2024-28920

How Is It Exploited?

Attackers who already have admin access to a system (for example, via a privilege escalation bug, weak passwords, or through phishing) misuse the way Secure Boot verifies authorized bootloaders. Due to a logic flaw in the bootloader signature validation, a specially crafted unsigned EFI bootloader can be executed by placing it in the EFI partition and modifying the boot configuration data (BCD).

Place malicious bootloader:

Attacker copies a tampered bootloader, for example, malbootx64.efi, into the \EFI\Microsoft\Boot\ partition.

Trigger reboot:

Upon restarting, the system loads the attacker's bootloader, bypassing verification, and potentially giving persistence or rootkit-level access.

Simple Code Example of the Exploit Scenario

Step 1: Place Malicious Bootloader (requires admin privileges)

# Copy the attacker's bootloader to EFI partition
Copy-Item "C:\Temp\malbootx64.efi" "X:\EFI\Microsoft\Boot\malbootx64.efi"

Step 2: Modify Bootloader Path Using bcdedit

# Set the boot entry to load the attacker's EFI file
bcdedit /set {bootmgr} path \EFI\Microsoft\Boot\malbootx64.efi

Step 3: Reboot and Exploit

Restart-Computer

After reboot, the malicious bootloader takes over — Secure Boot does not catch the unsigned file due to the vulnerability.

> Note: The above is for educational purposes only and requires admin right. On up-to-date systems WITH the patch, this exploit will not work.

Persistence: Malware loaded at boot can hide from antivirus and Windows Defender.

- Low-level control: Attackers can run code before the operating system loads, making detection and cleaning up extremely difficult.

Firmware updates from major vendors (Dell, HP, Lenovo, etc.).

- Blocklist updates for revoked bootloaders (more info).

Patch all affected systems immediately.

- Update motherboard/firmware when available.

How to check if you’re protected

# Check Secure Boot status
Confirm-SecureBootUEFI

# List current Bootmgr path
bcdedit /enum {bootmgr}

References and Further Reading

- Microsoft CVE-2024-28920 Advisory
- UEFI Secure Boot (Microsoft)
- Detailed write-up by Eclypsium
- Red Packet Security Blog

Conclusion

CVE-2024-28920 highlights that even the most foundational security assumptions need scrutiny and constant testing. Secure Boot is crucial, but no system is immune. If you haven’t yet, update your systems, review your boot partitions, and watch for further firmware and OS updates. Stay secure!


*This write-up is exclusive and simplified for clarity. For any questions or clarifications, please refer to the official advisories or contact your security vendor.*

Timeline

Published on: 04/09/2024 17:15:51 UTC
Last modified on: 04/10/2024 13:24:00 UTC