Acer Fixes Bugs That Enable Attackers to Bypass Secure Boot
Vulnerabilities May Allow Attackers With System Privileges to Deploy Malicious Bootkits
Laptop maker Acer fixed high-severity bugs that hackers could use to disable secure boot, marking the latest in a run of public disclosures highlighting vulnerabilities in the interface between computer operating systems and firmware.
Security researchers at Eset disclosed the latest vulnerability to the Taiwanese company after determining that an attacker with elevated privileges could create a variable in nonvolatile RAM that a firmware driver consults when deciding whether to disable Unified Extensible Firmware Interface secure boot. The driver - its alphabet soup name is HQSwSmiDxe - is a DXE driver that checks for the "BootOrderSecureBootDisable" NVRAM variable. If the variable exists - Eset researchers say its value is unimportant - the driver disables secure boot.
Secure boot is the industry standard mechanism for ensuring that a computer loads only boot components, including the operating system's bootloader, that carry a trusted signature. The vulnerability is tracked as CVE-2022-4020. Acer says an update will be distributed as a critical Windows update, or affected users can directly download a firmware update from the manufacturer's website.
The vulnerability is similar to three vulnerabilities Eset disclosed just weeks ago in Lenovo laptops. One of the vulnerabilities, CVE-2022-3431, mirrors the Acer vulnerability almost exactly by allowing an attacker to set an NVRAM variable that triggers a driver to disable secure boot.
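Because both the Acer and the Lenovo bugs hinge on the mere presence of an NVRAM variable, the practical check on a Linux host is to look for that variable and read the firmware's reported secure boot state. The script below is an added example, not code from Acer, Eset or the article; it assumes the Linux efivarfs layout (one file per variable named <Name>-<VendorGUID>, four bytes of attribute flags followed by the data), matches "BootOrderSecureBootDisable" under any vendor GUID since the article does not give one, and falls back to a constructed sample tree when no real efivarfs is present.

```python
"""Audit an efivarfs tree for the Secure Boot state and for the
"BootOrderSecureBootDisable" NVRAM variable described in the article.

Added example, not Acer's or Eset's code. Assumes the Linux efivarfs layout:
one file per UEFI variable named <Name>-<VendorGUID>, containing 4 bytes of
little-endian attribute flags followed by the variable data.
"""
import os
import struct
import sys
import tempfile

EFIVARS_DEFAULT = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # UEFI spec GUID
DISABLE_VAR_NAME = "BootOrderSecureBootDisable"  # variable name reported by Eset

# Attribute bits from the UEFI spec (SetVariable attributes).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
NV_BS_RT = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
            | EFI_VARIABLE_RUNTIME_ACCESS)


def split_efivar_filename(filename):
    """Split '<Name>-<GUID>' into (Name, guid); the GUID is the last 36 chars."""
    if len(filename) > 37 and filename[-37] == "-":
        return filename[:-37], filename[-36:].lower()
    return filename, None


def read_efivar(path):
    """Return (attributes, data) from one efivarfs file."""
    with open(path, "rb") as f:
        raw = f.read()
    if len(raw) < 4:
        raise ValueError(f"{path}: shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def audit_efivars(root=EFIVARS_DEFAULT):
    """Report SecureBoot/SetupMode and every BootOrderSecureBootDisable variable.

    The disable variable is matched by name only, under any vendor GUID and with
    any contents, because the article says its existence alone is what matters.
    """
    report = {"secure_boot": None, "setup_mode": None, "disable_vars": []}
    for fn in sorted(os.listdir(root)):
        name, guid = split_efivar_filename(fn)
        path = os.path.join(root, fn)
        if guid == EFI_GLOBAL_VARIABLE_GUID and name in ("SecureBoot", "SetupMode"):
            _, data = read_efivar(path)
            key = "secure_boot" if name == "SecureBoot" else "setup_mode"
            report[key] = bool(data) and data[0] == 1  # spec: single byte, 1 = enabled
        elif name == DISABLE_VAR_NAME:
            attrs, data = read_efivar(path)
            report["disable_vars"].append(
                {"guid": guid,
                 "non_volatile": bool(attrs & EFI_VARIABLE_NON_VOLATILE),
                 "data": data.hex()})
    report["at_risk"] = bool(report["disable_vars"])
    return report


def write_efivar(root, name, guid, data, attrs=NV_BS_RT):
    """Write one variable in efivarfs file format (used only for the sample tree)."""
    with open(os.path.join(root, f"{name}-{guid}"), "wb") as f:
        f.write(struct.pack("<I", attrs) + data)


def build_sample_tree(with_disable_var):
    """Constructed sample tree standing in for a real efivarfs; not firmware data."""
    root = tempfile.mkdtemp(prefix="efivars-sample-")
    write_efivar(root, "SecureBoot", EFI_GLOBAL_VARIABLE_GUID, b"\x01")
    write_efivar(root, "SetupMode", EFI_GLOBAL_VARIABLE_GUID, b"\x00")
    write_efivar(root, "BootOrder", EFI_GLOBAL_VARIABLE_GUID, b"\x00\x00\x01\x00")
    if with_disable_var:
        # Placeholder GUID: the article does not give the real variable's vendor GUID.
        write_efivar(root, DISABLE_VAR_NAME,
                     "00000000-0000-0000-0000-000000000000", b"\x00")
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else EFIVARS_DEFAULT
    if not os.path.isdir(root):
        root = build_sample_tree(with_disable_var=True)
        print(f"{EFIVARS_DEFAULT} not available; auditing constructed sample {root}")
    r = audit_efivars(root)
    print(f"SecureBoot={r['secure_boot']} SetupMode={r['setup_mode']}")
    for v in r["disable_vars"]:
        print(f"FOUND {DISABLE_VAR_NAME}-{v['guid']} "
              f"non_volatile={v['non_volatile']} data={v['data']}")
    print("at risk: on affected firmware the next boot runs with secure boot disabled"
          if r["at_risk"] else "no disable variable present")
```

Run it with no arguments on an affected machine to read the live efivarfs, or pass a directory to audit a copied tree. A hit is worth treating as an incident indicator even when SecureBoot still reads enabled, because the firmware only acts on the variable at the next boot; the non_volatile flag confirms the variable will survive that reboot.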
Eset in April also found two UEFI vulnerabilities affecting Lenovo laptops (see: Lenovo Fixes 3 Bugs That Target Employees Working From Home).
Vulnerabilities that let an attacker manipulate secure boot settings from within the running operating system, including remotely once administrative access has been gained, are risky because they remove the usual physical-presence requirement: a Microsoft Windows user normally reaches UEFI settings only by pressing a key during the boot-up sequence or by restarting into firmware setup through the "advanced startup" option in the Recovery settings.
Bootkit malware is especially pernicious, since it can establish persistence that survives reinstalling the operating system, in a layer below the operating system that ordinary antivirus detection does not reach.
Russian cybersecurity firm Kaspersky earlier this year spotted suspected Chinese hackers modifying UEFI firmware to implant a rootkit known as CosmicStrand (see: Kaspersky Researchers Dissect Bootup Rootkit).