
Cloud Vulnerability DB
A community-led vulnerabilities database
A security feature bypass vulnerability (CVE-2022-34301) was discovered in CryptoPro Secure Disk bootloaders before 2022-06-01. The vulnerability affects signed third-party UEFI bootloaders and allows attackers to bypass the UEFI Secure Boot feature during the system boot process (CERT VU).
The vulnerability exists in signed third-party UEFI bootloaders that are authenticated by Microsoft. The CryptoPro Secure Disk bootloader can be exploited through EFI shell execution to bypass Secure Boot protections. The vulnerability allows execution of unsigned code prior to the initialization of the Operating System's boot process, making it difficult to monitor through standard OS or Endpoint Detection and Response (EDR) tools (CERT VU).
An attacker who successfully exploits this vulnerability can bypass the system's Secure Boot feature at startup and execute arbitrary code before the operating system loads. This early boot phase execution can provide persistence to an attacker, potentially enabling the loading of arbitrary kernel extensions that survive both reboot and re-installation of an OS. The attack may also evade common OS-based and EDR security defenses (CERT VU).
Microsoft has worked with the affected vendors to address the vulnerability and has blocked the previously issued certificates with the July 2022 Security Update Release. Users should apply vendor-provided security updates that address these vulnerabilities to block vulnerable firmware from bypassing Secure Boot. Microsoft has provided details in their KB5012170 article released on August 9th, 2022 (CERT VU).
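One way to confirm that a revocation update has reached a machine is to inspect the UEFI forbidden-signature database (`dbx`), where Secure Boot revocations are stored as a chain of `EFI_SIGNATURE_LIST` structures. The parser below is an added example, not code from CERT, Microsoft or the affected vendor; the function names are hypothetical and the sample database is constructed, so the digests in it are placeholders rather than the real revoked values.

```python
import hashlib
import struct
import uuid
from collections import Counter

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa9-87b5-ab155c2bf072")
HEADER = 28  # SignatureType (16 bytes) + three little-endian UINT32 size fields


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for each entry in chained EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = blob[off + HEADER + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            yield sig_type, uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size]
        off += list_size


def summarize(blob):
    """Count dbx entries by signature type."""
    names = {EFI_CERT_SHA256: "sha256", EFI_CERT_X509: "x509"}
    return dict(Counter(names.get(t, str(t)) for t, _, _ in parse_signature_lists(blob)))


def is_revoked(blob, image_digest_hex):
    """True if the image's Authenticode SHA-256 digest (not a flat-file hash) is in dbx."""
    want = bytes.fromhex(image_digest_hex)
    return any(t == EFI_CERT_SHA256 and d == want for t, _, d in parse_signature_lists(blob))


def build_list(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST; used only to make the constructed sample below."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", HEADER + len(body), 0, 16 + len(entries[0])) + body


# Constructed sample: placeholder digests and a dummy certificate blob, not real dbx content.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
REVOKED = [hashlib.sha256(b"constructed-loader-%d" % i).digest() for i in range(2)]
SAMPLE_DBX = build_list(EFI_CERT_SHA256, OWNER, REVOKED) + build_list(EFI_CERT_X509, OWNER, [b"\x30\x82" + b"\x00" * 30])
```

On Linux the live variable can be read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; strip the leading 4-byte attributes field before passing the contents to `parse_signature_lists`.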
Source: This report was generated using AI