Flood of New Advisories Expose Massive Gaps in Firmware Security
It has been an incredibly busy and important week in firmware security marked by major security advisories from Intel and Cisco and new research from the industry. This included 77 newly disclosed Intel vulnerabilities, new weaknesses discovered in Cisco small business routers, and the discovery of new ZombieLoad issues that can expose data in processors.
Ongoing Eclypsium research into Windows kernel driver security shows how readily available, legitimately signed drivers can be used to attack and gain control over firmware. This update covers the most powerful drivers we have identified to date, which give an attacker near-limitless control over a victim device.
Newly disclosed research has identified new vulnerabilities within the firmware of TPM (Trusted Platform Module) chips made by Intel and STMicroelectronics that could allow attackers to access the cryptographic keys normally protected by the TPM.
90% of retail hardware vulnerabilities are critical
Bugcrowd's analysis of bug bounty programs for the retail industry found that 90% of submitted hardware vulnerabilities were classified as critical, compared to 20% for software vulnerabilities.
Open Source Titan Chip Announced
Google announced a plan to release an open-source version of its Titan chip, known as OpenTitan. The OpenTitan SoC provides an open-source approach to a hardware Root-of-Trust (RoT), uses the RISC-V open-source CPU instruction set architecture, and will be managed by lowRISC, the nonprofit full-stack engineering organization.
3 Ways to Stay Ahead on Supply Chain Security
Analysis for federal agencies on building better supply chain security programs, including the need for security assessments and the critical importance of supply chain technical skills.
Trends in Server Platform Security
Recorded presentation from Rob Wood of the NCC Group, in which he discusses the need for improved security models that address the firmware and hardware layers of servers and data centers.
The Tragedy of the Commons in Platform Security
Eclypsium's John Loucaides analyzes examples of a variety of platform vulnerabilities, approaches to solving them, and how the community can come together to make meaningful improvements.
Security Research
Malware attacking firmware of NAS devices
Newly discovered malware is able to subvert security controls by injecting malicious code into the firmware of QNAP network-attached storage devices. Using code in the firmware, the malware is able to modify scheduled OS jobs, prevent firmware updates, prevent local security tools from running, and more.
35 vulnerabilities in 8 enclave SDKs
Researchers analyzed a variety of open-source enclave SDKs and found vulnerabilities that would allow an attacker to run malicious code inside the trusted execution environment (TEE) of a CPU.
Vulnerabilities Discovered in Das U-Boot
Multiple vulnerabilities have been found in Das U-Boot, a universal bootloader commonly used in embedded devices such as networking hardware, Amazon Kindles, and ARM Chromebooks. The bugs could allow attackers to gain full control of an impacted device's CPU and modify anything they choose.
Breaking the UEFI firmware Authenticode security model
In-depth analysis from ReversingLabs that identifies weaknesses within UEFI specification 2.1 and Microsoft Project Mu. The weaknesses show how it is possible to bypass Authenticode integrity checks in order to potentially run malicious UEFI firmware.
Exploiting Intel's Management Engine
Provides a thorough introduction to the Intel Management Engine (ME), then a detailed analysis of how an ME exploit works and how it can be used to gain control over other devices.
Security Advisories
November 2019 Intel Platform Update (IPU)
Intel disclosed 77 new vulnerabilities across a broad spectrum of components, including 2 critical and 34 high severity bugs, some of which could allow an unauthenticated user to potentially escalate privileges, disclose information, or cause a denial of service.
Cisco Security Advisory
Cisco disclosed multiple security issues affecting Cisco Small Business Routers (RV016, RV042, RV042G, and RV082). Firmware issues included hardcoded root password hashes in the /etc/shadow file, the presence of a public/private key pair in the firmware image, and a variety of third-party firmware vulnerabilities.
Tools & Testing
OWASP Foundation announces Firmware Security Testing Methodology
The OWASP Foundation introduces its Firmware Security Testing Methodology to guide security researchers, software developers, hobbyists, and InfoSec professionals in conducting firmware security assessments.
Crafting an EFI Emulator and Interactive Debugger
An in-depth analysis of building an EFI debugger that provides a very detailed, hands-on view of how EFI works and of using emulators and debuggers to capture important information that resides within the EFI environment.
Sgx-Step - A Practical Attack Framework For Precise Enclave Execution Control
An introduction to Sgx-Step, an open-source framework that facilitates side-channel attack research on Intel SGX platforms. Provides an introduction to Intel SGX enclaves and a walkthrough of using the tool to mount a practical attack.
Eclypsium, 15455 Greenbrier Pkwy, #250, Beaverton, OR 97006, USA