Update 1/22/23: Title updated as MSI deliberately changed this setting, as per the statement below.
Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature.
This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue.
The problem, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models.
UEFI Secure Boot
Secure Boot is a security feature built into the firmware of UEFI motherboards that ensures only trusted (signed) software can execute during the boot process.
“When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system,” explains Microsoft in an article about Secure Boot.
“If the signatures are valid, the PC boots, and the firmware gives control to the operating system.”
To validate the security of boot loaders, OS kernels, and other critical system components, Secure Boot checks the PKI (public key infrastructure) that authenticates the software and determines its validity on every boot.
If the software is unsigned or its signature has changed, possibly because it was modified, the boot process will be stopped by Secure Boot to protect the data stored on the computer.
This security system is designed to prevent UEFI bootkits/rootkits (1, 2, 3) from launching on the computer and to warn users that their operating system has been tampered with after the vendor shipped the system.
Default MSI settings cause insecure boots
Potocki claims that MSI’s firmware updates released between September 2021 and January 2022 changed a default Secure Boot setting on MSI motherboards so that the system will boot even when it detects security violations.
“I decided to set up Secure Boot on my new desktop with the help of sbctl. Unfortunately, I’ve found that my firmware was accepting every OS image I gave it, no matter if it was trusted or not,” explains the researcher in his writeup.
“As I’ve later discovered on 2022-12-16, it wasn’t just broken firmware; MSI had changed their Secure Boot defaults to allow booting on security violations(!!).”
This change mistakenly set the “Image Execution Policy” setting in the firmware to “Always Execute” by default, allowing any image to boot the machine as normal.
Source: dawidpotocki.com
As you can see from the image above, even though Secure Boot is enabled, its ‘Image Execution Policy’ setting is set to ‘Always Execute’, allowing the system to boot even when there are security violations.
This effectively breaks the Secure Boot feature, as untrusted images can still be used to boot the machine.
Potocki explains that users should set the Execution Policy to “Deny Execute” for “Removable Media” and “Fixed Media,” which should only allow signed software to boot.
The researcher says MSI never documented the change, so he had to trace back the introduction of the insecure default using IFR (UEFI Internal Form Representation) to extract configuration option information from the firmware images.
Potocki then used this information to determine which MSI motherboards were impacted by the issue. A complete list of the over 290 motherboards and the firmware versions affected by this insecure setting is available on GitHub.
If you’re using an MSI motherboard on that list, head over to the BIOS settings and verify that the “Image Execution Policy” is set to a secure option.
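As an added example (not code from the article, from Potocki, or from MSI), the following Python reads the standard Secure Boot state variables and parses the "db" allow-list that the signature check described above consults, as exposed by Linux efivarfs. It also shows why the advice to check the BIOS menu is necessary: the SecureBoot variable only says whether the firmware reports Secure Boot as enabled, while the Image Execution Policy is a vendor setup option that no standard variable exposes, so an affected MSI board would look "enabled" here and still boot unsigned images. The efivars path, GUIDs and structure layouts come from the UEFI specification; the owner GUID and digest at the end are constructed test data.

```python
"""Inspect UEFI Secure Boot state and the 'db' allow-list from a running Linux
system. Added example, not code from the article, from Dawid Potocki or from
MSI. The sample variable contents near the end are constructed so the parser
runs offline."""
import struct
import uuid
from pathlib import Path

# Variable namespaces from the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = Path("/sys/firmware/efi/efivars")

# Signature types that may appear in an EFI_SIGNATURE_LIST.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256: "EFI_CERT_SHA256", EFI_CERT_X509: "EFI_CERT_X509"}
HEADER_LEN = 28  # SignatureType (16) + three UINT32 size fields


def read_efivar(name: str, guid: str) -> bytes:
    """Return a variable's data; efivarfs prefixes it with a 4-byte attribute word."""
    return (EFIVARS / f"{name}-{guid}").read_bytes()[4:]


def secure_boot_state(secureboot: bytes, setupmode: bytes) -> dict:
    """Decode the one-byte SecureBoot and SetupMode variables.

    'enabled' only means the firmware reports Secure Boot as on. A firmware whose
    Image Execution Policy is 'Always Execute' (the MSI default in the article)
    reports enabled=True yet still boots unsigned images; that policy lives in
    vendor setup storage, not in any standard variable, so it cannot be read here.
    """
    enabled = secureboot[:1] == b"\x01"
    setup_mode = setupmode[:1] == b"\x01"  # keys can be changed without authentication
    return {"enabled": enabled, "setup_mode": setup_mode}


def parse_signature_lists(data: bytes) -> list[dict]:
    """Walk the concatenated EFI_SIGNATURE_LIST structures found in db or dbx."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        body = data[off + HEADER_LEN + hdr_size:off + list_size]
        # Each EFI_SIGNATURE_DATA is SignatureOwner (16 bytes) + SignatureData.
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=body[i:i + 16])),
                "data": body[i + 16:i + sig_size],
            })
        off += list_size
    return entries


def hash_allowed(db: bytes, authenticode_sha256: bytes) -> bool:
    """True if db carries an explicit SHA-256 allow-list entry for this image hash.

    The hash is the PE Authenticode digest, not a plain file hash. Certificate
    entries (EFI_CERT_X509) additionally allow any image signed under them;
    checking those needs a PE/Authenticode verifier and is out of scope here.
    """
    return any(e["type"] == "EFI_CERT_SHA256" and e["data"] == authenticode_sha256
               for e in parse_signature_lists(db))


def build_sha256_list(digests: list[bytes], owner: uuid.UUID) -> bytes:
    """Encode an EFI_CERT_SHA256 signature list (used here to construct test data)."""
    sig_size = 16 + 32
    out = EFI_CERT_SHA256.bytes_le
    out += struct.pack("<III", HEADER_LEN + sig_size * len(digests), 0, sig_size)
    for d in digests:
        out += owner.bytes_le + d
    return out


# Constructed sample: one allow-listed digest under a made-up owner GUID.
SAMPLE_OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")
SAMPLE_DIGEST = bytes(range(32))
SAMPLE_DB = build_sha256_list([SAMPLE_DIGEST], SAMPLE_OWNER)

if __name__ == "__main__":
    try:  # live UEFI system: read the real variables
        sb = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE)
        sm = read_efivar("SetupMode", EFI_GLOBAL_VARIABLE)
        db = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE)
    except OSError:  # no efivarfs (legacy BIOS boot, container): use the sample
        sb, sm, db = b"\x01", b"\x00", SAMPLE_DB
    print(secure_boot_state(sb, sm))
    for e in parse_signature_lists(db):
        print(e["type"], e["owner"], e["data"][:8].hex())
```

Run it as root on a UEFI-booted Linux machine to list what the firmware will accept; on a board with the insecure default it prints exactly the same state as a healthy one, which is the point: the only reliable confirmation is the "Image Execution Policy" entry in the BIOS menu (or, as Potocki did, observing whether an untrusted image is refused).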
If you haven’t upgraded your motherboard firmware since January 2022, the introduction of a bad default shouldn’t be a reason to postpone it any further, as firmware updates contain important security fixes.
BleepingComputer has contacted MSI to request a comment on the above and whether they plan to change the default setting via a new update, but we’re still waiting to receive a response.
Update 1/18 – BleepingComputer has received clarifications from Dawid Potocki about the vulnerable firmware versions for each MSI motherboard model and made the required corrections to the article.
Update 1/20 – MSI is yet to respond to BleepingComputer’s request for comment, but the company posted the following statement on Reddit:
MSI implemented the Secure Boot mechanism in our motherboard products by following the design guidance outlined by Microsoft and AMI before the launch of Windows 11.
We preemptively set Secure Boot as Enabled and “Always Execute” as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems with thousands (or more) of components that included their built-in option ROM, including OS images, resulting in higher compatibility configurations.
For users who are highly concerned about security, they can still set “Image Execution Policy” as “Deny Execute” or other options manually to meet their security needs.
In response to the report of security concerns with the preset BIOS settings, MSI will be rolling out new BIOS files for our motherboards with “Deny Execute” as the default setting for higher security levels. MSI will also keep a fully functional Secure Boot mechanism in the BIOS for end-users so that they can modify it according to their needs.
