CVE-2024-7344: 
vulnerability analysis and mitigation

The Howyar UEFI Application "Reloader" (32-bit and 64-bit), discovered in January 2025, is vulnerable to execution of unsigned software in a hardcoded path (CVE-2024-7344). This vulnerability affects multiple software products including Howyar SysReturn before version 10.2.023_20240919, Greenware GreenGuard before version 10.2.023-20240927, Radix SmartRecovery before version 11.2.023-20240927, and several others (ESET Research).

The vulnerability stems from the application's use of a custom PE loader instead of utilizing the standard and secure UEFI functions LoadImage and StartImage. The vulnerable bootloader allows the loading of any UEFI binary, including unsigned ones, from a specially crafted file named cloak.dat during system start, regardless of the UEFI Secure Boot state. The vulnerability has received a CVSS v3.1 base score of 8.2 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (CERT Advisory).

An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process in the UEFI context. Code executed in this early boot phase can persist on the system, potentially loading malicious kernel extensions that survive both reboots and OS reinstallation. Additionally, it may evade detection by OS-based and endpoint detection and response (EDR) security measures (CERT Advisory).

To mitigate this vulnerability, organizations should install updated versions of the affected software products. Microsoft has released revocations for the vulnerable binaries in the January 14th, 2025 Patch Tuesday update. Additionally, systems should update their Secure Boot Forbidden Signature Database (DBX or Revocation List), supplied by the UEFI Forum. For Windows users, Microsoft provides tools to verify SecureBoot updates, and Linux users can follow guidance in fwupd-2.0.4 for implementing these updates (CERT Advisory).

The discovery has raised concerns in the cybersecurity community about the security of UEFI bootloaders. ESET researchers, who discovered the vulnerability, emphasize that bootkits are no longer just a threat to legacy systems but pose a real threat to the majority of modern UEFI firmware systems (ESET Blog).