The glitch stems from a functionality intended to allow updates to the UEFI firmware.

Las Vegas – Researchers said they found buffer overflow flaws in the firmware for ASRock and ASUS, potentially enabling bad actors to remotely launch man-in-the-middle attacks.

The findings, presented at Black Hat USA this week by researchers from Eclypsium, show that ASRock and ASUS firmware contain flaws in their update mechanisms. Specifically, the problem exists in the Unified Extensible Firmware Interface (UEFI), a specification defining the software interface between the OS and the platform firmware.

“The remote aspect is really important; it’s the first time someone publicly disclosed the exploit against UEFI remotely,” Yuriy Bulygin, CEO and founder of Eclypsium, told Threatpost. “While a lot of research so far requires malicious code running on the box, we’ve discovered that these vulnerabilities in networks can now be exploited remotely.”
