Malware News Gigabyte Firmware Flaws Allow the Installation of UEFI Ransomware

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Yesterday, at the BlackHat Asia 2017 security conference, researchers from cyber-security firm Cylance disclosed two vulnerabilities in the firmware of Gigabyte BRIX small computing devices, which allow an attacker to write malicious content to the UEFI firmware.

During their presentation, researchers installed a proof-of-concept UEFI ransomware, preventing the BRIX devices from booting, but researchers say the same flaws can be used to plant rootkits that allow attackers to persist malware for years.

Gigabyte preparing to release firmware updates
Cylance researchers said they've identified these flaws at the start of the year, and have worked with Gigabyte, American Megatrends Inc. (AMI), and CERT/CC to fix the flaws in time.

Affected Gigabyte devices include GB-BSi7H-6500 (firmware version vF6), and GB-BXi7-5775 (firmware version vF2).

Gigabyte is expected to release firmware vF7 for GB-BSi7H-6500 devices in the upcoming days. The GB-BXi7-5775 line is not being produced anymore and has reached EOL (End Of Life), so Gigabyte won't be releasing a new firmware for this series.

Vulnerabilities allow hackers to tamper UEFI firmware files
The two vulnerabilities discovered by Cylance researchers are CVE-2017-3197 and CVE-2017-3198. The first is a failure on Gigabyte's part to implement write protection for its UEFI firmware.

The second vulnerability is another lapse on Gigabyte's side, who forgot to implement a system that cryptographically signs UEFI firmware files. The second flaw also covers Gigabyte's insecure firmware update process, which doesn't check the validity of downloaded files using a checksum and uses HTTP instead of HTTPS. CERT/CC has issued an official Vulnerability Bote (VU#507496) for both flaws.

An attacker can exploit both flaws to execute code in the System Management Mode (SMM) and plant malicious code in the firmware itself. Cylance experts detail a possible attack as follows:

The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system's firmware. Write-protection mechanisms exist to prevent attackers from modifying the firmware; however, the affected systems do not enable them.

Gigabyte BRIX are small computers, similar to Intel NUCs, that can be used to replace bulky desktop towers. They are powerful devices and are very popular with businesses, due to their price, small size, and portability.
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Malware in Bios/uefi....this is really bad.
The day someone has the crazy and irresponsible idea of "sharing" a POC will be even worse...I hope to be wrong and never see a code available to the "public"..
 
  • Like
Reactions: frogboy
5

509322

Malware in Bios/uefi....this is really bad.
The day someone has the crazy and irresponsible idea of "sharing" a POC will be even worse...I hope to be wrong and never see a code available to the "public"..

PoCs are made public all the time.
 

Gapp

Level 2
Verified
Mar 26, 2017
81
OMG!!!! Mine is a Gigabyte! How to be safe from this one!??
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Seems security companies should focus simultaneously about the threats attacking within hardware components, the connection of IOT and other minority is important cause it will bring huge damage to all operations.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
OMG!!!! Mine is a Gigabyte! How to be safe from this one!??
Please read the article, the information has been provided.
Cylance researchers said they've identified these flaws at the start of the year, and have worked with Gigabyte, American Megatrends Inc. (AMI), and CERT/CC to fix the flaws in time.

Affected Gigabyte devices include GB-BSi7H-6500 (firmware version vF6), and GB-BXi7-5775 (firmware version vF2).

Gigabyte is expected to release firmware vF7 for GB-BSi7H-6500 devices in the upcoming days. The GB-BXi7-5775 line is not being produced anymore and has reached EOL (End Of Life), so Gigabyte won't be releasing a new firmware for this series.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top