430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

UEFI Vulnerabilities allow to fully compromise Gigabyte Mini PCs

Experts at Cylance disclosed two UEFI flaws that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs. Experts at security firm Cylance have disclosed two UEFI vulnerabilities that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs. The experts tested the latest firmware […]

UEFI Vulnerabilities allow to fully compromise Gigabyte Mini PCs

Experts at Cylance disclosed two UEFI flaws that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs.

Experts at security firm Cylance have disclosed two UEFI vulnerabilities that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs.

The experts tested the latest firmware for GB-BSi7H-6500 and GB-BXi7-5775 mini PCs and discovered that lack of some protection feature that could allow an attacker to exploit the flaws to deliver a ransomware payload that prevents the system from booting.

“These new mitigations, based on virtualization technologies in Windows 10, are vulnerable to UEFI-based attacks from System Management Mode (SMM). Because SMM allows direct access to physical memory, it’s possible to bypass the virtualization layer of isolation (Intel VT-x) . This kind of attack is already discussed in detail in ‘Attacking Hypervisors via Firmware and Hardware’. ” reads the analysis published by Cylance.

One of the issues, tracked as CVE-2017-3197, is related to the SMI handler and it could be exploited to execute code in System Management Mode (SMM). The researchers discovered that the American Megatrends (AMI) firmware running on the affected devices has disabled write-protection mechanisms. The security features are normally enabled by Gigabyte seems to have disabled it.

The flaw is very dangerous, an attacker can trigger it by tricking victims into visiting a specifically crafted website or by opening a weaponized document. Once triggered the flaw, the attacker can elevate privileges to achieve kernel-mode code execution. The attacker can exploit the SMI vulnerability to execute code in SMM and make direct changes to the flash memory.

Below the attack described by the experts:

1.      User-mode execution (ring 3)
2.      Kernel mode execution (ring 0)
3.      SMM execution (ring -2)
4.      SPI Flash Write

“The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.”

gigabyte

The second vulnerability tracked as CVE-2017-3198, is caused by the fact that the Gigabyte UEFI does not perform a cryptographic check to ensure the authenticity and integrity of a firmware update. This means that an attacker that exploited the issue is able to provide malicious firmware onto the device.

“The GIGABYTE UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP without checksums for verifying authenticity.” reads a blog post published by Cylance. 

An attacker can use the provided AMI Firmware Update (AFU) utility to write arbitrary code to the firmware.”

“As mentioned in our previous post, successful infection at such a low level has the potential to be disastrous. UEFI rootkits and ransomware, as we demonstrated at both RSA Conference and BlackHat Asia, could provide attackers with a degree of control that is difficult, if not near-impossible, to detect or rectify.” continues a blog post published by Cylance. 

The security flaws were discovered just before Christmas and the experts reported it to Gigabyte in mid-January. The company has already developed a firmware update, version vF7, that is currently in testing phase and will be soon released. However, the update will only be available for GB-BSi-7H-6500 as the GB-BXi7-5775 model has reached

Unfortunately, the update will only be available for GB-BSi-7H-6500 because the GB-BXi7-5775 model has reached end of life.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hack proof satellite system, hacking)