Microsoft Patch Blocks Critical UEFI Vulnerability Exploited by Bootkits Despite Secure Boot Protections

A newly discovered vulnerability, identified as CVE-2024-7344, affects Microsoft-signed UEFI applications, posing a serious security risk even when Secure Boot is enabled. The issue could allow attackers to deploy bootkits, malicious software that runs before the operating system loads.

Bootkits are particularly dangerous because they are hard to detect and can survive even an OS re-install. The vulnerable UEFI applications are primarily found in system recovery tools from third-party developers, which assist with tasks like disk maintenance and backups.

The root cause of the vulnerability lies in how the affected UEFI applications use a custom PE loader. This loader bypasses the standard UEFI security mechanisms, such as ‘LoadImage’ and ‘StartImage,’ which are designed to validate binary files against trusted databases.

Instead, the loader decrypts and loads files from an encrypted image file called ‘cloak.dat,’ which may contain a malicious binary. By circumventing the built-in validation steps, the loader opens the door for attackers to exploit the flaw and load an unsigned, harmful payload.


An attacker could exploit the vulnerability by replacing the system’s default OS bootloader with the vulnerable ‘reloader.efi’ binary and placing a malicious ‘cloak.dat’ file in the appropriate location. When the system starts, the custom loader decrypts and executes the malicious code without Secure Boot’s signature validation ever being applied to it. This would give the attacker control of the system before the operating system begins loading, making the attack difficult for security tools to detect and stop.

The scope of this vulnerability is limited to UEFI applications used for specific functions like system recovery and disk maintenance, rather than general-purpose UEFI apps. According to a report from ESET, several versions of products from vendors such as Howyar, Greenware, Radix, and others are affected.

While this vulnerability is primarily tied to specific versions of these tools, attackers could exploit it by deploying just the vulnerable ‘reloader.efi’ binary, even if the associated recovery tools are not installed on the target machine. Therefore, users of these affected applications should update to newer versions immediately to mitigate the risk.

To address this vulnerability, Microsoft released a patch for CVE-2024-7344, and on January 14, 2025, revoked the certificates for the affected UEFI applications. This action prevents the execution of the malicious binaries associated with the flaw.

ESET, which discovered the vulnerability in July 2024, worked with the affected vendors and coordinated with CERT/CC to disclose the issue and implement fixes. The patch is applied automatically to users who have installed the latest Windows updates. For system administrators, ESET also provided PowerShell commands to verify manually whether the certificate revocations have been applied successfully.
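As an added example of the two checks an administrator would want after reading the paragraphs above on the ‘reloader.efi’ / ‘cloak.dat’ pair and on verifying the revocations, the PowerShell below is not ESET’s or Microsoft’s code. It assumes an elevated prompt on a UEFI system and uses only built-in cmdlets (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`, `mountvol`). The SHA-256 values in `$RevokedHashes` are placeholders to be replaced with the entries published in the advisory, and the drive letter `S:` is an assumption that must be unused on the machine.

```powershell
# Added example, not from the article, ESET or Microsoft. Two defender checks for CVE-2024-7344:
#  1. confirm the dbx (Secure Boot forbidden-signatures database) contains the
#     revocation entries for the affected UEFI binaries;
#  2. look for the file names the article associates with the flaw on the EFI
#     System Partition (ESP).
# Run from an elevated PowerShell prompt on a UEFI system.
# The hash values are PLACEHOLDERS: take the real SHA-256 entries from the
# ESET/Microsoft advisory. dbx entries are PE Authenticode image hashes, so
# Get-FileHash on the binary will not reproduce them.

$RevokedHashes = @(
    'PLACEHOLDER_SHA256_HASH_FROM_ADVISORY_1',
    'PLACEHOLDER_SHA256_HASH_FROM_ADVISORY_2'
)

function Test-DbxRevocation {
    param([string[]]$Hashes)

    try {
        $secureBootOn = Confirm-SecureBootUEFI
    } catch {
        Write-Warning "Secure Boot state could not be read (legacy BIOS or insufficient rights): $_"
        return
    }
    if (-not $secureBootOn) {
        Write-Warning 'Secure Boot is disabled; dbx entries are not enforced on this machine.'
    }

    # Get-SecureBootUEFI returns the raw UEFI variable; render it as one
    # uppercase hex string so each SHA-256 entry can be matched as a substring.
    $dbxHex = ([System.BitConverter]::ToString((Get-SecureBootUEFI -Name dbx).Bytes)) -replace '-', ''

    foreach ($h in $Hashes) {
        [pscustomobject]@{
            Hash         = $h
            RevokedInDbx = $dbxHex.Contains($h.ToUpperInvariant())
        }
    }
}

function Find-SuspectEspFiles {
    param([string]$DriveLetter = 'S')   # assumed free drive letter

    $mount = "${DriveLetter}:"
    # mountvol /S exposes the EFI System Partition under a drive letter (admin only).
    mountvol $mount /S | Out-Null
    try {
        Get-ChildItem -Path "$mount\" -Recurse -File -Include 'reloader.efi', 'cloak.dat' -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    } finally {
        # Always unmount, even if the search throws.
        mountvol $mount /D | Out-Null
    }
}

Test-DbxRevocation -Hashes $RevokedHashes | Format-Table -AutoSize

$hits = Find-SuspectEspFiles
if ($hits) {
    Write-Warning 'Files named in the CVE-2024-7344 report were found on the ESP; confirm they belong to an installed, updated recovery product.'
    $hits | Format-Table -AutoSize
} else {
    'No reloader.efi / cloak.dat found on the EFI System Partition.'
}
```

A hit from `Find-SuspectEspFiles` is not by itself evidence of compromise, since the legitimate recovery products named in the article install the same binary; what matters is whether the file is expected on that host and whether `Test-DbxRevocation` reports the corresponding hash as present, because only then will firmware refuse to start it.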
