I didn't find anything in the way of guidance when Gigabyte, who made the motherboard in this PC, added a new note to the latest BIOS version they offer for my motherboard:
Major vulnerabilities updates, customers are strongly encouraged to update to this release at the earliest.
Credits to "Assaf Carlsbad and Itai Liba from SentinelOne"
I did find mention of something similar regarding a new Asus BIOS version for one of their motherboards, but that was it. Now Binarly, a security company specializing in firmware, has released documentation concerning several UEFI BIOS vulnerabilities that were introduced by the SDK [Software Development Kit] used by many devs to write UEFI BIOS. From reading their post I believe that those vulnerabilities, which were present in many well-known brands, e.g. HP, have been patched since their discovery in Sept. 2021. Sadly that doesn't mean consumers were alerted by those manufacturers, perhaps because they feared a backlash from customers whose PCs/laptops did not get a BIOS update. I have not seen anything more specific about these UEFI BIOS vulnerabilities, and at least some [most? All?] manufacturers haven't published any details.
insyde[.]com/press_news/press-releases/insyde%C2%AE-software-credits-binarly%E2%80%99s-ai-powered-firmware-threat-detection
binarly[.]io/posts/An_In_Depth_Look_at_the_23_High_Impact_Vulnerabilities/index.html
Exploits targeting UEFI BIOS are not nearly as common as other paths to infection used by cyber criminals -- BIOS exploits are more difficult to develop than, say, phishing campaigns. But cyber crime is such a huge biz nowadays that many crews are now offering their work as a service, sort of a franchise biz model where anyone can take part, usually by promising a portion of their future ill-gotten gains as payment. There's little reason to think that BIOS exploits won't become a feature of these new malware-as-a-service offerings in the future.