Framework Linux systems shipped with Secure Boot bypass vulnerability

Firmware security firm Eclypsium has discovered that about 200,000 Linux systems from Framework include signed UEFI components vulnerable to Secure Boot bypass. These components allow attackers to install persistent bootkits by exploiting a memory modification command. Framework is addressing the issue with updates for affected models.

Eclypsium, a firmware security company, reported that approximately 200,000 Linux systems shipped by Framework contain signed UEFI shells vulnerable to Secure Boot bypass. These shells, intended as legitimate diagnostic tools signed with trusted certificates, include a "memory modify" (mm) command that provides direct read/write access to system memory. This functionality can be abused to overwrite the gSecurity2 UEFI variable with NULL, disabling signature verification and module checks during the boot process.

The attack targets the global variable gSecurity2, which points to the Security Architectural Protocol used by the LoadImage function to verify digital signatures before loading UEFI modules. As detailed in Eclypsium's report, "Once the address is identified, the mm command can overwrite the security handler pointer with NULL or redirect it to a function that always returns 'success' without performing any verification." Attackers can locate the pointer using UEFI shell commands, patch it to disable checks, and then load unsigned bootkits or rootkits. For persistence, they can drop a startup.nsh script to rerun the bypass on every boot, granting pre-OS control even when Secure Boot appears enabled.

Researchers developed Python and shell scripts to detect the mm command and confirmed its presence in Framework-signed shells, affecting over 200,000 devices. Some models have received fixes, such as version 3.08 for 13th Gen Intel and 3.16 for Ryzen 7040 series, while others await updates. Framework is issuing DBX updates to blacklist the vulnerable shells.
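The detection scripts mentioned above are Eclypsium's and are not reproduced here. As an added illustration of the same defensive idea, the following Python script (not from the article, Eclypsium or Framework) walks a mounted EFI System Partition, extracts UTF-16LE strings from every `.efi` image, and flags images that embed the option flags of the UEFI Shell `mm` command (`-MEM`, `-MMIO`, `-IO`, `-PCI`, `-PCIE`, taken from the UEFI Shell specification's usage line; treating them as a reliable indicator is an assumption). It also lists any `startup.nsh` scripts, since that is the persistence mechanism the article describes. The two sample images are constructed inline so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a shell that carries the 'mm' command embeds its usage text,
# which names these option flags (UEFI Shell spec syntax for 'mm').
# Several must appear together to count, to reduce false positives.
MM_INDICATORS = ("-MEM", "-MMIO", "-IO", "-PCI", "-PCIE")
MIN_INDICATORS = 3


def utf16le_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII stored as UTF-16LE (char, 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.group().decode("utf-16-le")


def has_mm_command(data: bytes) -> bool:
    """Heuristic: image text mentions enough distinct 'mm' option flags."""
    found = set()
    for text in utf16le_strings(data):
        for indicator in MM_INDICATORS:
            if indicator in text:
                found.add(indicator)
    return len(found) >= MIN_INDICATORS


def scan_esp(esp_root: Path) -> dict:
    """Scan a mounted ESP for mm-capable shells and startup.nsh scripts."""
    shells_with_mm = []
    startup_scripts = []
    for path in esp_root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name == "startup.nsh":
            startup_scripts.append(path)
        elif name.endswith(".efi") and has_mm_command(path.read_bytes()):
            shells_with_mm.append(path)
    return {
        "shells_with_mm": sorted(shells_with_mm),
        "startup_scripts": sorted(startup_scripts),
    }


def _utf16(text: str) -> bytes:
    return text.encode("utf-16-le")


# Constructed sample images: a minimal "MZ" header followed by the kind of
# UTF-16LE usage text a shell binary embeds. Not real Framework firmware.
SAMPLE_SHELL_WITH_MM = (
    b"MZ" + b"\x00" * 62
    + _utf16("mm [address] [-w 1|2|4|8] [-MEM | -MMIO | -IO | -PCI | -PCIE] [-n] [value]")
    + b"\x00\x00"
)
SAMPLE_SHELL_WITHOUT_MM = (
    b"MZ" + b"\x00" * 62
    + _utf16("dmpstore [-all | ([variable] [-guid guid])]")
    + b"\x00\x00"
)


def demo():
    """Build a throwaway ESP layout from the samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        boot = root / "EFI" / "BOOT"
        boot.mkdir(parents=True)
        (boot / "Shell.efi").write_bytes(SAMPLE_SHELL_WITH_MM)
        (boot / "bootx64.efi").write_bytes(SAMPLE_SHELL_WITHOUT_MM)
        (root / "startup.nsh").write_text("echo constructed sample\n")
        result = scan_esp(root)
        return (
            [p.name for p in result["shells_with_mm"]],
            [p.name for p in result["startup_scripts"]],
        )


if __name__ == "__main__":
    print(demo())  # constructed sample: (['Shell.efi'], ['startup.nsh'])
```

On a real Linux host, point `scan_esp` at the mounted ESP (typically `/boot/efi`, readable only as root). A hit is a reason to compare the image against the vendor's current release and the DBX revocation list, not proof of compromise on its own: legitimate diagnostic shells embed the same strings, which is exactly why the article's remediation is DBX blacklisting rather than string matching.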

This vulnerability highlights ongoing risks in signed UEFI components, similar to past issues like CVE-2022-34302, CVE-2023-48733, and CVE-2024-7344. Eclypsium warns, "The attack surface 'below' the operating system, encompassing firmware, bootloaders, and hardware components, presents a ripe target for threat actors. As our research demonstrates, attackers who can operate at this level can bypass virtually every security control we've built above it." To mitigate, experts recommend updating UEFI revocation lists, using BIOS passwords, managing custom Secure Boot keys, and scanning firmware.
