Experts at Cylance disclosed two UEFI flaws that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs.
Experts at security firm Cylance have disclosed two UEFI vulnerabilities that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs.
The experts tested the latest firmware for GB-BSi7H-6500 and GB-BXi7-5775 mini PCs and discovered that lack of some protection feature that could allow an attacker to exploit the flaws to deliver a ransomware payload that prevents the system from booting.
“These new mitigations, based on virtualization technologies in Windows 10, are vulnerable to UEFI-based attacks from System Management Mode (SMM). Because SMM allows direct access to physical memory, it’s possible to bypass the virtualization layer of isolation (Intel VT-x) . This kind of attack is already discussed in detail in ‘Attacking Hypervisors via Firmware and Hardware’. ” reads the analysis published by Cylance.
One of the issues, tracked as CVE-2017-3197, is related to the SMI handler and it could be exploited to execute code in System Management Mode (SMM). The researchers discovered that the American Megatrends (AMI) firmware running on the affected devices has disabled write-protection mechanisms. The security features are normally enabled by Gigabyte seems to have disabled it.
The flaw is very dangerous, an attacker can trigger it by tricking victims into visiting a specifically crafted website or by opening a weaponized document. Once triggered the flaw, the attacker can elevate privileges to achieve kernel-mode code execution. The attacker can exploit the SMI vulnerability to execute code in SMM and make direct changes to the flash memory.
Below the attack described by the experts:
1. User-mode execution (ring 3)
2. Kernel mode execution (ring 0)
3. SMM execution (ring -2)
4. SPI Flash Write
“The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.”
The second vulnerability tracked as CVE-2017-3198, is caused by the fact that the Gigabyte UEFI does not perform a cryptographic check to ensure the authenticity and integrity of a firmware update. This means that an attacker that exploited the issue is able to provide malicious firmware onto the device.
“The GIGABYTE UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP without checksums for verifying authenticity.” reads a blog post published by Cylance.
An attacker can use the provided AMI Firmware Update (AFU) utility to write arbitrary code to the firmware.”
“As mentioned in our previous post, successful infection at such a low level has the potential to be disastrous. UEFI rootkits and ransomware, as we demonstrated at both RSA Conference and BlackHat Asia, could provide attackers with a degree of control that is difficult, if not near-impossible, to detect or rectify.” continues a blog post published by Cylance.
The security flaws were discovered just before Christmas and the experts reported it to Gigabyte in mid-January. The company has already developed a firmware update, version vF7, that is currently in testing phase and will be soon released. However, the update will only be available for GB-BSi-7H-6500 as the GB-BXi7-5775 model has reached.