好的,我现在需要帮用户总结这篇文章的内容,控制在100个字以内。首先,我得通读整篇文章,抓住关键点。 文章提到大约20万台来自Framework的Linux系统预装了有漏洞的签名UEFI组件,这些漏洞允许绕过Secure Boot。这意味着攻击者可以安装启动工具包并保持持久性。Eclypsium公司发现了这个问题,他们指出这些UEFI壳虽然看起来是诊断工具,但其实存在被滥用的风险。 进一步的信息是,这些UEFI壳包含一个“mm”命令,允许直接读写系统内存。攻击者可以利用这个命令修改gSecurity2变量,从而绕过签名验证。这会导致Secure Boot的保护失效,攻击者可以在启动时加载恶意软件,并通过脚本在每次启动时重复这个过程。 修复方面,不同型号的设备有不同的解决方案,部分已经修复,其他还在等待更新。建议用户更新UEFI撤销列表、使用BIOS密码等措施来防御。 总结下来,文章的核心是Framework的20万台Linux设备存在UEFI漏洞,导致Secure Boot被绕过,带来严重的安全风险。我需要用简洁的语言把这些要点浓缩到100字以内。 </think> 约20万台Framework Linux设备预装有漏洞的签名UEFI组件,允许绕过Secure Boot机制并安装恶意软件。攻击者可利用UEFI壳中的"mm"命令修改内存变量以禁用安全检查。此漏洞影响设备安全性和持久性控制。 2025-10-15 14:22:32 Author: securityaffairs.com(查看原文) 阅读量:12 收藏
200,000 Linux systems from Framework are shipped with signed UEFI components vulnerable to Secure Boot bypass
About 200K Linux systems from Framework shipped with signed UEFI components vulnerable to Secure Boot bypass, allowing bootkit installation and persistence.
Firmware security company Eclypsium warns that about 200,000 Linux systems from Framework are shipped with signed UEFI components vulnerable to Secure Boot bypass, allowing bootkit installation and persistence.
The experts pointed out that signed UEFI shells aren’t traditional backdoors placed by threat actors, instead, they’re legitimate diagnostic tools signed with trusted certificates that support functionality that can be abused to bypass security controls in the boot process.
Eclypsium found that Framework shipped signed UEFI shells containing a “memory modify” (mm) command granting direct read/write access to system memory. “mm” was integrated for diagnostic purposes, but it can be exploited to overwrite the gSecurity2 UEFI variable with NULL, breaking Secure Boot’s signature verification and disabling module signature checks.
“The attack targets a global variable called gSecurity2, which points to the Security Architectural Protocol. This protocol is called by the LoadImage function to verify digital signatures before loading any UEFI modules.” reads the report published by the cybersecurity firm. “Once the address is identified, the mm command can overwrite the security handler pointer with NULL or redirect it to a function that always returns “success” without performing any verification”
Attackers locate the UEFI security pointer gSecurity2 (used by LoadImage to verify signatures), find its memory address via UEFI shell commands, and patch the handler pointer to NULL or a no-op using mm, disabling signature checks. Once verification is disabled, attackers can load unsigned bootkits or rootkits.
They can drop a startup.nsh to rerun the bypass at every boot. Result: persistent, pre-OS control even though Secure Boot still appears enabled.
The researchers built Python and shell scripts to detect the “mm” command in UEFI shells and confirmed Framework-signed shells could alter memory and bypass Secure Boot. Further analysis revealed over 200,000 Framework devices were impacted. Fixes vary by model, e.g., 13th Gen Intel (3.08) and Ryzen 7040 (3.16) are fixed, while others await updates. Framework is issuing DBX updates to blacklist vulnerable shells.
Signed UEFI shells remain a major security risk, as past flaws (e.g., CVE-2022-34302, CVE-2023-48733, CVE-2024-7344) have allowed attackers to bypass Secure Boot. Once exploited, this can give nation-state or ransomware actors persistent, pre-OS access for espionage or sabotage. To defend, experts recommend updating UEFI revocation lists (DBX), using BIOS passwords, managing custom Secure Boot keys, and scanning firmware for vulnerable components.
“The attack surface “below” the operating system, encompassing firmware, bootloaders, and hardware components, presents a ripe target for threat actors. As our research demonstrates, attackers who can operate at this level can bypass virtually every security control we’ve built above it.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Secure Boot)
如有侵权请联系:admin#unsafe.sh