CVE-2024-28921 - Secure Boot Security Feature Bypass Explained (With Exploit Code!)

---

In March 2024, a new vulnerability shook the foundations of trusted boot processes: CVE-2024-28921. It revealed how attackers could easily bypass Secure Boot—a feature trusted by many organizations to prevent unauthorized code from running during startup.

Let’s break down what this means, how it works, and even show some code you can use to test it out (in a safe way!).

What is Secure Boot?

Secure Boot is a feature of modern UEFI (Unified Extensible Firmware Interface) firmware. It's supposed to keep your PC safe from malware that tries to run before Windows or Linux fully loads. Secure Boot only lets trusted software with a correct digital signature (signed by Microsoft, for example) run during the boot process.

Severity: High

In short: CVE-2024-28921 allows attackers to load unsigned or unauthorized bootloaders, or modify components, even if Secure Boot is active.

The Technical Details

Microsoft's patch notes (Reference) are vague, but researchers found that an error in the Secure Boot enforcement policy allows an attacker to substitute a non-trusted boot manager (even a malicious one).

The bypass works because Secure Boot fails to verify the signature of some critical files (like the boot manager or shim), or allows old, vulnerable bootloaders on the "allowed" list.

Initial Access: Attacker either has physical access or admin rights on the target system.

2. Deploy Modified Bootloader: The attacker modifies or replaces parts of the boot sequence, for example, copies a vulnerable or unsigned boot manager.
3. Next Boot: On restart, even with Secure Boot ON, the system loads the attacker's fake boot manager.
4. Payload: The fake loader can now launch arbitrary code—malware, ransomware, or even rootkits—before your OS antivirus can detect it!

You can check if your boot manager is properly signed using PowerShell

# Check Secure Boot status
Confirm-SecureBootUEFI

# Find your boot manager
$bcd = Get-WmiObject -Class Win32_ComputerSystem
$bmPath = "$env:SystemDrive\EFI\Microsoft\Boot\bootmgfw.efi"

# Check digital signature
Get-AuthenticodeSignature $bmPath | Format-List

If the Status shows anything other than Valid, your bootloader may be vulnerable!

Proof of Concept: Exploiting CVE-2024-28921

Warning: Do NOT try this on a business or production PC!

Researchers have demonstrated exploits similar to this (see GitHub - BlackLotus PoC).

A simplified *conceptual* example for educational purposes

# 1. Download an old, known-vulnerable bootmgfw.efi (pre-2021)
# 2. Replace current bootmanager with the vulnerable one (requires admin or physical access)
sudo cp ./bootmgfw_old.efi /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi

# 3. On reboot, Secure Boot should block it, but with CVE-2024-28921, it boots anyway!

This makes it possible for attackers to load drivers or code capable of disabling security protections like BitLocker or even removing built-in antivirus.

How Do I Fix or Mitigate This?

- Update Your Firmware & OS! Microsoft and most hardware vendors released patches. Install all UEFI and Windows Updates since March 2024.
- Revoke Old Bootloaders: Use Microsoft’s Secure Boot DBX updates to block vulnerable files.

References

- CVE-2024-28921 Microsoft Advisory
- Microsoft Secure Boot explained
- Secure Boot DBX Updates
- BlackLotus Bootkit Explanation (arstechnica.com)

Final Thoughts

CVE-2024-28921 is a shining example of why just enabling Secure Boot isn’t enough. Stay patched, stay vigilant, and keep your bootchain tight! If you run any public or cloud-connected computers, patch right now—or risk a silent compromise before your antivirus even loads.

Timeline

Published on: 04/09/2024 17:15:52 UTC
Last modified on: 04/10/2024 13:24:00 UTC