Threat Watch

MSI Accidentally Breaks Secure Boot for Hundreds of Motherboards

Security researcher Potocki claims that MSI’s firmware update version ‘7C02v3C’, released on January 18, 2022, changed a default Secure Boot setting on MSI motherboards so that the system boots even if it detects a security violation. MSI, based in Taiwan, is one of the top 5 motherboard manufacturers in the world. “I decided to set up Secure Boot on my new desktop with the help of sbctl. Unfortunately, I have found that my firmware was accepting every OS image I gave it, no matter if it was trusted or not,” explains the researcher in his write-up. Potocki went on to write, “I later discovered on 2022-12-16 that it wasn’t just broken firmware; MSI had changed their Secure Boot defaults to allow booting on security violations(!!).” The change mistakenly set the firmware’s “Image Execution Policy” to “Always Execute” by default, which lets any image, signed or not, boot the device as normal. The researcher says MSI never documented the change. A complete list of the more than 290 affected motherboards is available on GitHub.

ANALYST NOTES

Organizations using an MSI motherboard from that list should check in the BIOS settings that “Image Execution Policy” is set to a safe option. Set the policy to “Deny Execute” for both “Removable Media” and “Fixed Media,” so that only signed software is allowed to boot. It is highly recommended to upgrade the motherboard firmware on any device that has not been updated since January 2022. The introduction of a bad default shouldn’t be a reason to postpone it any further, as firmware updates contain important security fixes.
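As an added example (not from the article or from sbctl), the following POSIX shell check reads the SecureBoot and SetupMode UEFI variables that Linux exposes under efivarfs, with a constructed efivars directory for offline testing. It assumes the standard EFI global-variable GUID and the efivarfs file layout, and it illustrates the caveat that matters here: the variables say whether the firmware reports Secure Boot as on, not whether an MSI “Image Execution Policy” of Always Execute is letting unsigned images boot anyway.

```shell
#!/bin/sh
# Added example, not from the article: report what Linux sees of Secure Boot via
# efivarfs. SecureBoot and SetupMode live under the EFI global-variable GUID; each
# file is a 4-byte attribute header followed by a one-byte value (1 or 0).
# The directory is a parameter so the checks can run against a constructed copy.
EFIVARS=/sys/firmware/efi/efivars
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# read_efivar_byte DIR NAME -> first data byte as decimal, or "absent"
read_efivar_byte() {
    f="$1/$2-$GUID"
    if [ ! -r "$f" ]; then
        echo absent
        return 0
    fi
    # skip the 4-byte attribute header and print one byte as an unsigned decimal
    od -An -t u1 -j4 -N1 "$f" | tr -d ' \n'
}

# secure_boot_state DIR -> enforcing | setup-mode | disabled | no-uefi
# Caveat: "enforcing" only means the firmware *reports* Secure Boot on. An MSI
# "Image Execution Policy" of Always Execute still lets unsigned images boot and
# is not visible here; confirm the policy in the BIOS setup screen.
secure_boot_state() {
    sb=$(read_efivar_byte "$1" SecureBoot)
    sm=$(read_efivar_byte "$1" SetupMode)
    if [ "$sb" = absent ]; then echo no-uefi; return 0; fi
    if [ "$sm" = 1 ]; then echo setup-mode; return 0; fi   # keys not enrolled
    if [ "$sb" = 1 ]; then echo enforcing; else echo disabled; fi
}

# make_fake_efivars DIR SB SM -> constructed variable files for offline testing
make_fake_efivars() {
    mkdir -p "$1"
    for pair in "SecureBoot:$2" "SetupMode:$3"; do
        name=${pair%%:*}; val=${pair#*:}
        # attribute header NV+BS+RT (0x07), then the value byte written in octal
        { printf '\007\000\000\000'; printf "\\$(printf '%03o' "$val")"; } \
            > "$1/$name-$GUID"
    done
}

secure_boot_state "$EFIVARS"
```

Re-run the check after any firmware update and confirm the Image Execution Policy in BIOS setup afterwards, since an update can reapply the vendor defaults.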

Secure Boot is a security feature built into the firmware of UEFI motherboards that ensures only trusted (signed) software can execute during the boot process. “When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system,” explains Microsoft in an article about Secure Boot. “If the signatures are valid, the PC boots and the firmware gives control to the operating system.” To validate boot loaders, OS kernels, and other essential system components, Secure Boot checks their signatures against the PKI (public key infrastructure) keys enrolled in the firmware on every boot. If the software is unsigned, or its signature no longer matches, possibly because the software was modified, Secure Boot stops the boot process to protect the data stored on the computer. This mechanism is designed to prevent UEFI bootkits/rootkits from launching on the computer and to warn users that their operating system has been tampered with after the vendor shipped the system.

https://www.bleepingcomputer.com/news/security/msi-accidentally-breaks-secure-boot-for-hundreds-of-motherboards/

GitHub List: https://github.com/Foxboron/sbctl/issues/181