CISA Calls for Urgent Overhaul of UEFI Cybersecurity Measures

The Cybersecurity and Infrastructure Security Agency (CISA) is calling on the computer industry to bolster Unified Extensible Firmware Interface (UEFI) update mechanisms due to growing cybersecurity concerns. CISA suggests that UEFI attack surfaces are significantly under-researched and urges the industry to adopt a secure-by-design approach to strengthen UEFI's overall security environment.

UEFI, a crucial software standard in modern computing, replaces the older BIOS format, acting as a liaison between hardware and various operating systems. However, hackers have found ways to exploit UEFI implementation flaws, gaining persistence—the ability to maintain access to a compromised device despite defensive actions and system resets.

One such example of this growing threat is the BlackLotus UEFI bootkit malware. This malicious code often targets the earliest software stage of the boot process, making it highly efficient and persistent. The National Security Agency (NSA) has issued guidance on mitigating the BlackLotus malware, although the advice is aimed primarily at system administrators.

CISA's recent advisory, on the other hand, targets manufacturers, urging them to prioritize cybersecurity from the early design stages.

"Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode," reads CISA's advisory.

CISA's advice notes in particular that UEFI secure boot developers have not universally adopted public key infrastructure (PKI) practices that facilitate patch distribution, stating, "the Linux ecosystem implements it well."

UEFI subversion could allow threat actors to maintain persistence through several mechanisms, making UEFI-focused threats challenging to overcome, the agency highlighted.

"More persistent malware leads to increased difficulty and costs for removing an attacker from an organization’s systems," CISA said.

The BlackLotus malware can leverage a fault in secure update distribution, allowing it to revert a file to a vulnerable version then exploit it. This vulnerability means that the UEFI update distribution channel on Windows is not secure enough.

Although Microsoft has made strides towards improving this by providing guidance on manually preventing rollbacks to vulnerable file versions and has plans to automate revocation in 2024, CISA believes more can be done to strengthen UEFI security. They propose several key measures, including:

• System owners should have the capacity to audit, manage, and update UEFI components
• Operational teams should be equipped to collect, analyze, and address event logs that identify UEFI-level activities, including changes and updates, as well as additions or removals
• UEFI component developers should operate within secure development environments
• The UEFI vendor community should ensure the adoption of reliable, uninterruptible update capabilities, avoiding problematic ones. For instance, users shouldn't manually revoke or exclude keys that sign vulnerable and updated boot files.