AI Security AI安全 7h ago Updated 2h ago 更新于 2小时前 46

11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot 11个旧的微软签名Linux UEFI Shim可能导致攻击者绕过安全启动

Researchers identified 11 outdated, Microsoft-signed Linux UEFI shim bootloaders (versions 0.9 and earlier) that allow attackers to bypass Secure Boot protections. These vulnerable components enable the execution of arbitrary code and UEFI bootkits like BlackLotus before the operating system initializes, evading EDR solutions. The exploit leverages the Bring Your Own Vulnerable Driver (BYOVD) technique to subvert Secure Boot Advanced Targeting (SBAT) and MOK denylists. Microsoft revoked these sp ESET发现11个旧版微软签名的Linux UEFI Shim加载器存在漏洞,允许攻击者在启用Secure Boot的情况下绕过安全保护。 攻击者可利用这些过时的Shim执行任意代码,部署UEFI Bootkit(如Bootkitty、BlackLotus),且能规避MOK黑名单和SBAT撤销机制。 微软已在2026年6月补丁星期二更新中撤销了相关证书,但CERT/CC指出供应商未及时更新其特定版本的引导加载器,导致长期供应链暴露。 该漏洞涉及CVE-2026-8863和CVE-2026-10797,使恶意软件能在操作系统和安全软件初始化前运行,从而绕过EDR检测并实现持久化。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Researchers identified 11 outdated, Microsoft-signed Linux UEFI shim bootloaders (versions 0.9 and earlier) that allow attackers to bypass Secure Boot protections.
  • These vulnerable components enable the execution of arbitrary code and UEFI bootkits like BlackLotus before the operating system initializes, evading EDR solutions.
  • The exploit leverages the Bring Your Own Vulnerable Driver (BYOVD) technique to subvert Secure Boot Advanced Targeting (SBAT) and MOK denylists.
  • Microsoft revoked these specific shims in the June 2026 Patch Tuesday update following responsible disclosure, addressing CVE-2026-8863 and CVE-2026-10797.

Why It Matters

This discovery highlights a critical failure in the UEFI firmware supply chain where legacy, trusted binaries remain executable despite known vulnerabilities, undermining the core promise of Secure Boot. For AI and security practitioners, it underscores the necessity of monitoring not just software updates but also firmware-level trust anchors and bootloader integrity to prevent persistent, low-level threats.

Technical Details

  • Vulnerable Components: 11 specific UEFI shim applications from vendors including Red Hat, Oracle, OpenSUSE, and Spyrus, primarily based on shim version 0.9 or lower.
  • Attack Vector: Attackers can replace current shims with these older, Microsoft-signed versions to bypass MOK denylists and SBAT revocation mechanisms, achieving arbitrary code execution during the early boot phase.
  • Security Mechanisms Subverted: The exploit circumvents Secure Boot Advanced Targeting (SBAT), which is designed to block vulnerable boot chain generations, and Machine Owner Key (MOK) allowlists.
  • Remediation: Microsoft revoked the affected certificates via the DBX revocation list in the June 2026 Patch Tuesday update, rendering the old shims unbootable on updated systems.

Industry Insight

Organizations must audit their firmware and bootloader configurations to ensure that legacy, signed components are actively revoked or blocked, rather than relying solely on OS-level security patches. Security strategies should incorporate continuous monitoring of UEFI certificate authorities and SBAT levels to detect attempts to load outdated, vulnerable bootloaders. Additionally, hardware manufacturers and OS distributors need to coordinate faster revocation processes to close the window where trusted but vulnerable binaries remain executable.

TL;DR

  • ESET发现11个旧版微软签名的Linux UEFI Shim加载器存在漏洞,允许攻击者在启用Secure Boot的情况下绕过安全保护。
  • 攻击者可利用这些过时的Shim执行任意代码,部署UEFI Bootkit(如Bootkitty、BlackLotus),且能规避MOK黑名单和SBAT撤销机制。
  • 微软已在2026年6月补丁星期二更新中撤销了相关证书,但CERT/CC指出供应商未及时更新其特定版本的引导加载器,导致长期供应链暴露。
  • 该漏洞涉及CVE-2026-8863和CVE-2026-10797,使恶意软件能在操作系统和安全软件初始化前运行,从而绕过EDR检测并实现持久化。

为什么值得看

这篇文章揭示了固件层安全机制(Secure Boot)在供应链管理和证书生命周期维护中的重大缺陷,即使主流安全功能开启,老旧组件仍可能成为突破口。对于系统管理员和安全从业者而言,理解SBAT和MOK机制的局限性以及供应商响应滞后带来的风险,对于加固启动链至关重要。

技术解析

  • 漏洞原理:攻击者利用受信任但已过时的Microsoft UEFI CA 2011证书签名的Shim加载器(版本0.9及更早),通过“Bring Your Own Vulnerable Driver”(BYOVD)技术在启动早期执行未授权代码。
  • 绕过机制:尽管引入了MOK黑名单和SBAT(Secure Boot Advanced Targeting)来撤销脆弱组件,但攻击者可以通过替换为旧版Shim并利用允许列表仍信任旧证书的特性,成功绕过这些撤销机制。
  • 影响范围:受影响的主要是依赖旧版Shim的Linux发行版和管理工具,包括Red Hat Enterprise Linux 7.2、CentOS 7.2、Oracle Linux 7.2、openSUSE以及Spyrus、Blancco等厂商的管理套件。
  • 修复状态:上游项目已修复,微软于2026年6月通过DBX撤销列表吊销了相关证书,但部分供应商尚未发布更新后的二进制文件,导致漏洞持续存在。

行业启示

  • 供应链安全需动态监控:硬件固件和引导加载器的安全性不仅取决于初始签名,更依赖于持续的维护和及时更新。企业应定期审查UEFI组件版本,确保其未被列入撤销列表。
  • 安全机制并非绝对:SBAT和MOK等现代安全机制虽提升了安全性,但仍存在被利用逻辑漏洞的风险。安全架构设计需考虑多层防御,不能单一依赖Secure Boot。
  • 供应商响应时效性关键:从漏洞披露到证书吊销再到终端用户防护之间存在时间窗口,厂商需建立更快的补丁分发机制,以缩短供应链暴露期。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究