Mitigating firmware security risks, protecting system firmware storage, screwed drivers part 2 and more ...
Eclypsium Threat Report—October 2019
Gartner Report: How to Mitigate Firmware Security Risks in Data Centers, and Public and Private Clouds
Firmware vulnerabilities give attackers invisible and persistent entry into systems, with total control of the server, storage or network device. In this report, Gartner analyst Tony Harvey addresses four key firmware security challenges for infrastructure and operations leaders and provides practical recommendations on how to overcome them.
Modern computing platforms are made of multiple hardware components, each with its own registers containing critical bits that carry nuanced meaning. Everything needs to be set just right in order to fully configure protection. Vulnerabilities tied to missing protections are common, and were at the heart of last year’s Lojax attack. Learn how these vulnerabilities work, and how to protect yourself.
Screwed Drivers Part Two - An Update on the Common Design Flaw In Dozens of Device Drivers That Allows Widespread Windows Compromise
Nov 12 at 1PM ET, 10AM PT
Eclypsium researchers Jesse Michael and Mickey Shkatov will give you an inside look at new disclosures related to their latest research on insecure drivers, and discuss methods that security professionals can use to protect their organizations from device driver vulnerabilities.
FBI Warns High-impact Ransomware Attacks Threaten U.S. Businesses And Organizations. Ransomware attacks are becoming more targeted, sophisticated, and costly. Ransomware actors have targeted health care organizations, industrial companies, and the transportation sector as well as state and local government. Recommended cyber defense best practices include patching the operating system, software, and firmware on devices.
NCSC’s Joyce Corell at ICIT Fall Briefing described the surge in software supply chain attacks. By some estimates, software supply chain attacks have increased by 78 percent and the trend is increasing. "Our adversaries are using companies as attack vectors."
How FISMA Requirements Relate to Firmware Security. Eclypsium’s John Loucaides discusses how federal guidelines can help all organizations pragmatically and meaningfully improve their firmware security.
Firmware: A New Attack Vector Requiring Industry Leadership. Tony Surak revisits the question of responsibility and accountability for full device security. Highlighting regulatory directives such as the emerging Cybersecurity Maturity Model Certification (CMMC) as a signal to where expectations may evolve, attacks at the firmware layer make it a part of the attack surface that now must be managed and addressed.
32 hardware and firmware vulnerabilities. This breakdown of the most commonly exploited hardware and firmware vulnerabilities provides a good framework to assess an organization’s overall security posture and risk with respect to hardware/firmware attacks.
Security Research
Planting Tiny Spy Chips in Hardware Can Cost as Little as $200—This research and proof of concept reinforces what the security industry has witnessed for years: ideas can move from impossible to plausible to proof of concept quickly compared to the industry’s readiness to acknowledge the risk and take action to mitigate it. Monta Elkins’ research should also serve to dispel illusions that firmware layer attacks require significant resources: “With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online.”
A New Memory Type Against Speculative Side Channel Attacks—Intel's Strategic Offensive Research and Mitigations (STORM) team has published a research paper proposing a new type of Speculative Access Protected Memory to safeguard against speculative execution side-channel attacks such as Meltdown, Spectre, Zombieload, MDS and others.
FirmFuzz: Automated IoT Firmware Introspection and Analysis—An automated, device-independent emulation and dynamic analysis framework for Linux-based firmware images that provides targeted and deterministic bug discovery within a firmware image.
Oracle Critical Patch Update Advisory - October 2019—Among the vulnerabilities released in October by Oracle were several that affected XCP firmware that is incorporated into other vendor hardware; most of these vulnerabilities were remotely exploitable, with CVSS scores from 5.9 to 9.8.
Intel NUC Advisory—Potential security vulnerabilities in system firmware for Intel NUC may allow escalation of privilege, denial of service and/or information disclosure.
Tools
Saumil Shah is preparing to release his ARM Firmware Emulation Framework on his website armx.exploitlab.net - his presentation is available via slideshare.
cpu_rec is a tool that recognizes cpu instructions in an arbitrary binary file. It can be used as a standalone tool, or as a plugin for binwalk.
More Suggested Reading
Open Source Firmware—Jessie Frazelle provides an introduction to the world of open source firmware.
Modern laptops and servers are comprised of dozens, and often up to a hundred or more underlying components that are essential to the function of the device. We designed our Know Your Own Device page to provide a resource to better understand the complex firmware attack surface. And, thanks to your feedback, an updated version is now live, with a new section on runtime system firmware and more data and links to the threat examples.
Upcoming Presentations
PacSec 2019 Conference Nov 5-6, 2019 • Tokyo, Japan
Get Off The Kernel If You Can't Drive
Mickey Shkatov and Jesse Michael, Principal Researchers, Eclypsium
For software to communicate with hardware, it needs to talk to a kernel-mode driver that serves as a middle-man between the two, helping to make sure everything operates as it should. In Windows that is done using the Kernel-Mode Driver Framework (KMDF). However, as the code in these drivers runs with the same privileges as the rest of the kernel, malicious drivers can be used to compromise the security of the platform.
Alex Ivkin, Director of Solutions Engineering, Eclypsium
With Kubernetes becoming a de-facto container orchestration platform, it's only a matter of time before it becomes a major target. While there are some widely publicized Kubernetes vulnerabilities, this talk is not about them. Instead of taking Kubernetes head on, learn how to do a recon on the k8s clusters and the common sets of sidecar containers. Then dive deep through the attack surface exposed by popular service meshes and API gateways, down to Helm and Tiller, into static pods and daemon sets, deeper to nodes and the control planes, and off to the docker registries, containers and images.
Adversaries attack firmware because they know it's a blind spot for most organizations, and because firmware level threats are persistent, stealthy, and able to bypass existing security measures. This talk will discuss firmware risks and threats that are pertinent to financial organizations, and how they can approach mitigating them across their assets and operations, from protecting traveler and high risk laptops, to scanning newly purchased devices for supply chain compromise, to continuous monitoring of IT infrastructure.