UEFI shims undermining Secure Boot
9 hours ago
- #UEFI Secure Boot
- #Vulnerability
- #Bootkit
- ESET identified 11 old UEFI shim bootloaders (version 0.9 and below) signed by Microsoft that can bypass UEFI Secure Boot on systems trusting Microsoft's third-party UEFI CA 2011 certificate.
- Exploitation allows attackers to execute untrusted code during boot, enabling deployment of bootkits like Bootkitty or BlackLotus, even on Secure Boot-enabled systems, without needing the affected software installed.
- Vulnerable shims were revoked in Microsoft's June 9th, 2026 Patch Tuesday update via dbx; Windows and Linux systems should update to block them.
- The attack surface extends to outdated second-stage bootloaders (e.g., GRUB 2) trusted by these shims, which may have known vulnerabilities like CVE-2015-5281, allowing Secure Boot bypass via unsigned code loading.
- Older shims lack modern security features like MOK denylist enforcement (introduced in shim 0.9) and SBAT enforcement (from version 15.3), ignoring revocations and policies.
- A shim vulnerability (CVE-2026-10797) in versions ≤0.9 allows bypassing certificate-based revocations by tampering with signature length fields in second-stage bootloaders.
- Microsoft's UEFI certificate expiration does not affect Secure Boot trust; revoked hashes are required to block vulnerable binaries, highlighting the need for better transparency in third-party UEFI signing.