July 30, 2024
Announcement: PKFail Response
On Friday July 26th, Protectli learned of the “PKFail” vulnerability as published by Binarly (CVE Unknown). We have worked diligently since to determine Protectli’s exposure and to appropriately address any vulnerabilities on Protectli devices.
PKFail is a supply chain security issue in which encryption keys used to assure platform security of devices secured with Secure Boot used non production, or previously leaked keys. This vulnerability would theoretically allow an attacker to sign device firmware that could bypass the protections that Secure Boot enables, compromising the trust chain of the device firmware and operating system.
This vulnerability only affects users who have explicitly turned on Secure Boot with a device running AMI firmware and an Operating System that supports Secure Boot.
Our Analysis has found that all Protectli devices are vulnerable to PKFail. We have found “DO NOT TRUST – AMI Test PK” platform keys in Protectli AMI firmware images for all Protectli devices that run AMI firmware. Protectli’s Open Source firmware alternative,“coreboot” is not affected by PKFail.
Protectli can not and does not track any data about our customer and what Operating System or firmware they are using. However, we estimate less than 5% of Protectli customers potentially run a configuration that would be affected by PKFail. Exploiting this vulnerability requires either root privileges or physical access to the hardware. The only Protectli users who could be affected by PKFail must meet all the following requirements.
- You must be running a Protectli Vault, and
- You must have AMI firmware installed (coreboot firmware is not affected), and
- You must have Secure Boot explicitly enabled, and
- You must be running an operating system that supports Secure Boot (examples include Windows 10, Windows 11, Ubuntu 22.04 or later).
The vast majority of Protectli customers use our hardware to run network firewall operating systems such as pfSense or OPNsense, both of which do not support Secure Boot by default. As such, this vulnerability does not affect these installations. For those who have enabled Secure Boot, mitigation of this vulnerability on Protectli hardware is most easily accomplished by installing coreboot instead of AMI. Protectli publishes a tool called flashli for installing coreboot on Protectli devices.
Protectli will release updated AMI BIOS images with properly secured Platform Keys for each of our affected devices in the coming months.
As always, Protectli support can be reached should you have any questions. https://ca.protectli.com/resources/