A defect discovered in the unified extensible firmware interface (UEFI) of certain systems, allows an intruder to bypass the Secure Boot, the security standard used in recent versions of Windows to check the legality of loading software at startup.
According with a CERT bulletin (Computer Emergency Response Team) of the University Carnegie Mellon, some UEFI systems do not restrict access to the boot script used by the EFI S3 Resume Boot Path, which may allow a local attacker to bypass firmware-enforced write protections.
Apart from bypassing Secure Boot, another risk that exists is that the software of the platform can be replaced with a different one that allows unsigned software to run during the process of booting a system.
The implications of this flaw are very serious because the Startup Script is deployed before any security mechanism is started, which means that an attacker can gain persistent access to system regardless of the owner's efforts and means of protection.
"The startup script starts quite early, when other important platform security mechanisms have not yet been configured. For example, BIOS_CNTL, which helps protect the firmware, is not locked. "TSEGMB, which protects SMRAM from DMA, is also unlocked," said Rafal Wojtczuk of Bromium and Corey Kallenberg of MITRE. Rafal Wojtczuk and Corey Kallenberg are the researchers who discovered the vulnerability at UEFI.
