Researchers have identified several vulnerabilities in Microsoft’s third-party bootloaders that can affect all computer systems using x64 UEFI Secure Boot and Windows. The CVEs for these vulnerabilities are listed below.
Please see the Microsoft Security Update for the details including the required Microsoft Update: KB5012170: Security update for Secure Boot DBX
Supermicro BIOS update is not required. Please read this Microsoft KB4535680 update for performing Secure Boot DBX update.
Users who are not using a Microsoft OS or have not enabled the Secure Boot feature are not impacted by this issue.
The issues are present in the following bootloaders:
- CVE-2022-34301 - Eurosoft (UK) Ltd
- File name: Bootx64.efi
- SHA256 - 09F2E41661CBBD714D22986FBB36A2B5764A5544C85F9875D227F6A26E1C8C8B
- CVE-2022-34302 - New Horizon Datasys Inc
- File name: shdloader.efi
- SHA256 - C3D65E174D47D3772CB431EA599BBA76B8670BFAA51081895796432E2EF6461F
- CVE-2022-34303 - CryptoPro Secure Disk
- File name: shim.efi
- SHA256 - 51BD59697B4E1DF61DF32AD57CEBE394BE54E3E9DBFEB8DC00A3A176D13A5767