A vulnerability in the digital signature verification process does not properly validate variable attributes which allows an attacker to bypass signature verification by creating a non-authenticated NVRAM variable. An attacker may to execute arbitrary signed UEFI code and bypass Secure Boot.
Credits
Thanks to Nikolaj Schlej, independent firmware security researcher, for reporting the vulnerability and engaging in this coordinated disclosure.
