Hasty Briefsbeta

Bilingual

UEFI shims undermining Secure Boot

9 hours ago
  • #UEFI Secure Boot
  • #Vulnerability
  • #Bootkit
  • ESET identified 11 old UEFI shim bootloaders (version 0.9 and below) signed by Microsoft that can bypass UEFI Secure Boot on systems trusting Microsoft's third-party UEFI CA 2011 certificate.
  • Exploitation allows attackers to execute untrusted code during boot, enabling deployment of bootkits like Bootkitty or BlackLotus, even on Secure Boot-enabled systems, without needing the affected software installed.
  • Vulnerable shims were revoked in Microsoft's June 9th, 2026 Patch Tuesday update via dbx; Windows and Linux systems should update to block them.
  • The attack surface extends to outdated second-stage bootloaders (e.g., GRUB 2) trusted by these shims, which may have known vulnerabilities like CVE-2015-5281, allowing Secure Boot bypass via unsigned code loading.
  • Older shims lack modern security features like MOK denylist enforcement (introduced in shim 0.9) and SBAT enforcement (from version 15.3), ignoring revocations and policies.
  • A shim vulnerability (CVE-2026-10797) in versions ≤0.9 allows bypassing certificate-based revocations by tampering with signature length fields in second-stage bootloaders.
  • Microsoft's UEFI certificate expiration does not affect Secure Boot trust; revoked hashes are required to block vulnerable binaries, highlighting the need for better transparency in third-party UEFI signing.