
LogoFAIL: UEFI Vulnerabilities Unveiled

The discovery of a new class of vulnerabilities is a sharp reminder of the ongoing contest between innovation and malicious intent in cybersecurity. The tech community has been shaken by the recent disclosure of LogoFAIL, a set of vulnerabilities in Unified Extensible Firmware Interface (UEFI) code that could allow a malicious bootkit to be planted through images parsed during system boot.

Researchers have examined the details of LogoFAIL, shedding light on its implications and the far-reaching consequences of exploiting image-parsing vulnerabilities in UEFI code. The vulnerability was named 'LogoFAIL' because it originates in the parsing of logo images during the boot process. The severity of the issue is evident from the fact that it can be exploited to inject malicious code, potentially leading to the deployment of bootkits, a type of malware that persistently infects the system below the operating system.

The vulnerability was first brought to public attention through a detailed report by Bleeping Computer, outlining the specifics of the LogoFAIL bugs and their potential impact on system security. The report highlights the technical nuances of the vulnerabilities, emphasizing how attackers could exploit weaknesses in UEFI code to compromise the integrity of the boot process.

Further exploration of LogoFAIL is presented in a comprehensive set of slides from a Black Hat USA 2009 presentation by researcher Rafal Wojtczuk. The slides provide an in-depth analysis of the attack vectors associated with LogoFAIL, offering valuable insights into the technical aspects of the vulnerabilities.

In a more recent context, the Black Hat Europe 2023 schedule includes a briefing on LogoFAIL, promising to delve into the security implications of image parsing during system boot. This presentation will likely provide an updated perspective on the ongoing efforts to address and mitigate the risks that LogoFAIL poses.

The gravity of LogoFAIL is underscored by additional resources such as the analysis on binarly.io and the UEFI Forum's document on firmware security concerns and best practices. Collectively, these sources highlight the urgency for the industry to address and remediate the vulnerabilities in the UEFI code, emphasizing the need for robust security measures to safeguard systems from potential exploitation.

As the cybersecurity community deals with the consequences of LogoFAIL, working together to fix these vulnerabilities becomes critical. The industry must collaborate on robust countermeasures for UEFI code so that systems remain resilient against a constantly changing threat environment.


Supermicro and Pulse Secure Issue Advisories Regarding 'TrickBoot' Attacks


Supermicro, a U.S.-based information technology firm, and VPN provider Pulse Secure have released advisories regarding the vulnerability of their motherboards to the TrickBot malware's Unified Extensible Firmware Interface (UEFI) firmware-infecting module, called TrickBoot.

Last year, cybersecurity companies Advanced Intelligence and Eclypsium published a joint report on a new firmware-targeting 'TrickBoot' module delivered by the well-known TrickBot malware. When the TrickBoot module is executed, it examines a device's UEFI firmware to determine whether 'write protection' is disabled. If it is, the malware contains functionality to read, write, and erase the firmware.

This could allow the malware to carry out numerous destructive activities, such as bricking a device, bypassing operating system security controls, or reinfecting a system even after a complete reinstall.

To check whether a UEFI BIOS has 'write protection' enabled, the module uses the RwDrv.sys driver from the RWEverything utility.

Cybersecurity firms Advanced Intelligence and Eclypsium released a joint statement reading – “All requests to the UEFI firmware stored in the SPI flash chip go through the SPI controller, which is part of the Platform Controller Hub (PCH) on Intel platforms. This SPI controller includes access control mechanisms, which can be locked during the boot process in order to prevent unauthorized modification of the UEFI firmware stored in the SPI flash memory chip.”

“Modern systems are intended to enable those BIOS write protections to prevent the firmware from being modified; however, these protections are often not enabled or misconfigured. If the BIOS is not write-protected, attackers can easily modify the firmware or even delete it completely,” it further reads.

The malware's ability to examine a device's firmware is presently limited to specific Intel platforms, including Skylake, Kaby Lake, Coffee Lake, and Comet Lake.
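The write-protection mechanisms the quoted statement describes (the SPI controller's BIOS control bits and lockable protected ranges in the PCH) are what a defender should verify on their own fleet. The following added example, which is not code from the article or from the Eclypsium/Advanced Intelligence report, decodes raw register values already read by a privileged tool such as chipsec and reports whether the BIOS region is write-protected; the register layouts are taken from Intel PCH datasheets and the strictness of the verdict (requiring SMM_BWP, not just BLE) is an assumed policy.

```python
"""Decode Intel PCH BIOS write-protection state from raw register values.

Added example, not code from the article or the TrickBoot report.
Register layouts (assumed from Intel PCH datasheets; verify for your chipset):
  BIOS_CNTL (LPC PCI config 0xDC): bit0 BIOSWE, bit1 BLE, bit5 SMM_BWP
  HSFS (SPIBAR + 0x04):            bit15 FLOCKDN
  PRx (SPIBAR + 0x74 + 4*x):       bits 12:0 base, bits 28:16 limit (4 KiB units), bit31 WPE
The raw values must come from a privileged reader (e.g. chipsec); the ones used below are constructed.
"""
from dataclasses import dataclass

BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5  # BIOS_CNTL bits
FLOCKDN = 1 << 15                                 # HSFS bit


@dataclass
class WriteProtectState:
    bioswe: bool          # BIOS Write Enable: 1 means flash writes are currently allowed
    ble: bool             # BIOS Lock Enable: setting BIOSWE triggers an SMI so SMM can veto it
    smm_bwp: bool         # only SMM code may write to the BIOS region when BIOSWE is set
    flockdn: bool         # flash configuration (PR registers) locked until the next reset
    pr_covers_bios: bool  # a write-protected PR range spans the entire BIOS region


def decode_pr(pr: int) -> tuple[int, int, bool]:
    """Return (base_addr, limit_addr, write_protect_enabled) for one PRx register value."""
    base = (pr & 0x1FFF) << 12
    limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
    return base, limit, bool((pr >> 31) & 1)


def assess(bios_cntl: int, hsfs: int, prs: list[int], bios_region: tuple[int, int]) -> WriteProtectState:
    """Combine the register values into the state relevant to firmware tampering."""
    start, end = bios_region
    covered = any(wpe and b <= start and l >= end for b, l, wpe in map(decode_pr, prs))
    return WriteProtectState(
        bioswe=bool(bios_cntl & BIOSWE), ble=bool(bios_cntl & BLE),
        smm_bwp=bool(bios_cntl & SMM_BWP), flockdn=bool(hsfs & FLOCKDN),
        pr_covers_bios=covered)


def is_write_protected(s: WriteProtectState) -> bool:
    """Assumed policy: BIOS_CNTL fully locked, or locked PR ranges covering the BIOS region."""
    bios_cntl_lock = (not s.bioswe) and s.ble and s.smm_bwp
    pr_lock = s.flockdn and s.pr_covers_bios  # without FLOCKDN the PR ranges can be cleared at runtime
    return bios_cntl_lock or pr_lock


if __name__ == "__main__":
    # constructed sample: BLE and SMM_BWP set, BIOSWE clear -> write-protected
    print(is_write_protected(assess(0x22, 0x0000, [], (0x500000, 0xFFFFFF))))
```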

In advisories released by Supermicro and Pulse Secure, the vendors warn that some of their X10 UP motherboards are vulnerable to the TrickBoot malware and have released a 'critical' BIOS update that enables write protection.

The vulnerable X10 UP-series ('Denlow') motherboards are listed below.

1. X10SLH-F (will EOL on 3/11/2021)
2. X10SLL-F (EOL'ed since 6/30/2015)
3. X10SLM-F (EOL'ed since 6/30/2015)
4. X10SLL+-F (EOL'ed since 6/30/2015)
5. X10SLM+-F (EOL'ed since 6/30/2015)
6. X10SLM+-LN4F (EOL'ed since 6/30/2015)
7. X10SLA-F (EOL'ed since 6/30/2015)
8. X10SL7-F (EOL'ed since 6/30/2015)
9. X10SLL-S/-SF (EOL'ed since 6/30/2015)

Supermicro has released BIOS version 3.4 to fix the vulnerability but has only published it for the X10SLH-F motherboard. Pulse Secure likewise issued an advisory, as its Pulse Secure Appliance 5000 (PSA-5000) and Pulse Secure Appliance 7000 (PSA-7000) devices run on the vulnerable Supermicro hardware.