Security Advisory regarding UEFI Administrator Password Bypass via Windows Recovery Environment (WinRE)

VU#226679
Jun 22, 2026

Affected Products: Certain GIGABYTE Motherboards and Notebooks supporting UEFI Administrator Passwords and Windows Recovery Environment (WinRE).

Overview

GIGABYTE has become aware of a security behavior (coordinated as CERT/CC Case VU#226679) where the UEFI administrator password may be bypassed when a system is rebooted into an external boot device via the Windows Recovery Environment (WinRE) "Use a device" functionality.

This behavior is an inherent characteristic of the current industry-standard UEFI trust model. Under this model, firmware typically trusts boot requests via the BootNext variable initiated by a running, trusted operating system. Consequently, when the request originates from within WinRE, the system may proceed to boot the external media without re-prompting for the UEFI administrator password.

Impact

An attacker with local physical access (commonly associated with "Evil Maid" attack scenarios) or a valid local user session may be able to boot the system from an external medium (e.g., a USB drive) despite the presence of a UEFI administrator password. This could potentially allow an unauthorized user to:

  • Boot an unauthorized operating system.
  • Bypass OS-level endpoint security controls.
  • Access local storage data offline (if full-disk encryption is not enabled) and weaken the effectiveness of full-disk encryption protections.
Mitigation & Recommendations

GIGABYTE recommends a defense-in-depth approach to secure systems against this behavior. Since this is an ecosystem-level design trade-off between UEFI firmware and the OS recovery environment, the following controls are the most effective mitigations:

  1. Enable Full-Disk Encryption (FDE):
    We strongly recommend enabling BitLocker (with TPM + PIN or Startup Key). This ensures that even if an attacker bypasses the UEFI password and boots from an external device, the data on the local drive remains encrypted and inaccessible.
  2. Restrict Access to WinRE:
    For high-security deployments, administrators should consider disabling the Windows Recovery Environment (WinRE) or restricting access to "Advanced Startup" options via Group Policy (GPO) to prevent users from reaching the "Use a device" menu.
  3. Physical Security Controls:
    Implement physical security measures to prevent the unauthorized insertion of external boot media (USB/Optical drives) into the system.
  4. Restrict External Media:
    Limit the use of pluggable media containing EFI System Partitions (ESP) and restrict unauthorized modifications to UEFI NVRAM variables where operationally feasible.
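The following audit script is an added example and is not part of the GIGABYTE advisory or any GIGABYTE tooling; it checks the state of controls 1 and 2 above on a Windows 10/11 host and changes nothing. It assumes an elevated PowerShell session, an English-language `reagentc /info` output containing a "Windows RE status:" line, and the BitLocker PowerShell module being present.

```powershell
# Added audit script (not from the GIGABYTE advisory). Read-only; run elevated.
# Assumptions: BitLocker module available; 'reagentc /info' prints a line of the
# form "Windows RE status: Enabled|Disabled" (English locale).

function Get-WinReStatus {
    # Extract Enabled/Disabled from reagentc output; 'Unknown' if not found.
    $out = & reagentc.exe /info 2>&1 | Out-String
    if ($out -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Get-FdeFinding {
    # Mitigation 1: BitLocker with TPM+PIN or TPM+Startup Key, so that a system
    # booted from external media still cannot read the OS volume offline.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($vol.ProtectionStatus -ne 'On') {
        return 'FAIL: BitLocker protection is Off on the OS volume'
    }
    $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $strong = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey')
    if ($types | Where-Object { $strong -contains $_ }) {
        return "PASS: BitLocker On with protectors: $($types -join ', ')"
    }
    # TPM-only unlock releases the volume key without a user factor; the
    # advisory asks for a PIN or startup key in addition to the TPM.
    return "WARN: BitLocker On but protectors are only: $($types -join ', ') (no PIN/Startup Key)"
}

function Get-WinReFinding {
    # Mitigation 2: WinRE disabled, or Advanced Startup restricted by GPO.
    $status = Get-WinReStatus
    switch ($status) {
        'Disabled' { return 'PASS: WinRE is disabled (reagentc)' }
        'Enabled'  { return 'WARN: WinRE is enabled; "Use a device" is reachable unless Advanced Startup is restricted by GPO' }
        default    { return "INFO: WinRE status could not be determined ($status)" }
    }
}

# One line per control so the result can be collected by inventory tooling.
Get-FdeFinding
Get-WinReFinding
```

A GPO restriction on Advanced Startup is not visible to `reagentc`, so a WARN on the WinRE line should be reconciled with the policy actually applied to the host.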

Conclusion

GIGABYTE is committed to the security of our platforms. We are continuing to coordinate with industry partners and OS vendors to evaluate potential improvements to the UEFI-OS trust boundary.

Reference

For more detailed technical information regarding this behavior, please refer to the following resources: