February Firmware Threat Report

Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity. Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk to firmware attacks that can disrupt operations and more.

READ THE RESEARCH >

Listen to Eclypsium’s Principal Researcher, Jesse Michael and Principal Engineer, Rick Altherr answer questions about their new research.

LISTEN HERE >

INDUSTRY PERSPECTIVE

• In April 2019, it was discovered that there is a Kaspersky UEFI bootloader, signed by Microsoft, which will load additional unsigned code components that could be used to bypass Secure Boot. On February 11, Microsoft published an update (KB4524244) to revoke Kaspersky bootloader. The update, however, unexpectedly caused issues with some systems. Microsoft removed the update on February 14 due to these problems. More info here. 

• CISA Warns ‘Critical Industries’ Following a Cyberattack on Gas Pipeline Facility The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a ransomware advisory “to all industries operating critical infrastructures.” CISA is investigating a cyberattack that impacted the pipeline operations network of a natural gas compression facility. CISA’s list of mitigative measures and threat actor techniques is here.  

• Living off another land: Ransomware borrows vulnerable driver to remove security software Ransomware attacks deemed RobbinHood show the real danger of insecure drivers. In this case, the attackers used the “driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.” The signed driver, part of a now-deprecated software package, has a known vulnerability (CVE-2018-19320). 

• Guarding Against Supply Chain Attacks – Part 2: Hardware Risks Do you know all the vendors in your supply chain, and do they have security built into their manufacturing and shipping processes?

• National Institute of Standards and Technology (NIST) recommends that organizations “identify those systems/components that are most vulnerable and will cause the greatest organizational impact if compromised.”  

FIRMWARE SECURITY RESEARCH

• Five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) can allow remote attackers to completely take over devices  without any user interaction. CDP is implemented in virtually all Cisco products including switches, routers, IP phones and cameras. The CERT Coordination Center has also issued an advisory.

• Escaping the Chrome Sandbox with RIDL This Google Project Zero post looks at the impact of RIDL and similar hardware vulnerabilities when used from a compromised renderer. Chrome’s IPC mechanism Mojo is based on secrets for message routing. Leaking these secrets allows attackers to send messages to privileged interfaces and perform actions that the renderer shouldn’t be allowed to do. 

• These HiSilicon-Based Security Cams And DVRs Are Vulnerable To Sneaky Firmware Backdoor Warnings of a backdoor that exists in firmware for digital video recorder (DVR) and network video recorder (NVR) powered by HiSilicon system-on-chip (SoC) hardware have surfaced. This is a zero-day vulnerability that could allow an attacker to gain root access to a compromised device, thereby giving them full control.

• Netgear’s routerlogin.com HTTPS cert snafu now has a live proof of concept An infosec researcher, Saleem Rashid, has published a JavaScript-based proof of concept for the Netgear routerlogin.com vulnerability revealed at the end of January. As reported, Netgear was bundling valid, signed TLS certificates along with private keys embedded in firmware that anyone could freely download. The researcher described his findings in a blog post, along with a downloadable proof-of-concept package.

• CopyCat: Controlled Instruction-Level Attacks on Enclaves for Maximal Key Extraction Researchers show that you can mimic the entire execution flow of an enclave, which enables much better crypto and non-crypto attacks.They demonstrate new algorithmic attacks on Public Key schemes running inside Intel SGX to extract cryptographic keys with a single shot and in a deterministic fashion.

FIRMWARE SECURITY ADVISORIES

• According to an Intel firmware security advisory (INTEL-SA-00307) the Intel Converged Security and Management Engine (CSME) is subject to firmware vulnerabilities, which if exploited, allows local threat actors to launch escalation of privilege, denial of service, and information disclosure attacks. Tracked as CVE-2019-14598, the vulnerability has been awarded a CVSS base score of 8.2, which deems the issue critical. Intel has released a firmware update to mitigate the vulnerability. Also, this month Intel updated a security advisory (INTEL-SA-00213) related to the original CSME CVE-2019-0090. To read about two particularly tricky bugs click here and here. 

• KB4494174 firmware secures Windows 10 PCs The Microarchitectural Data Sampling (MDS) vulnerability in Intel CPUs is still an issue for the industry. “Both Microsoft and Intel have been releasing regular OS and firmware updates to fix the problem that exposes on-premises and cloud-based Windows 10 machines to cyber attacks.” This particular update package includes the micro-code update. 

• A vulnerability in the firmware of the Cisco UCS C-Series Rack Servers could allow an attacker to bypass UEFI Secure Boot validation checks and load a compromised software image on an affected device. “The vulnerability is due to improper validation of the server firmware upgrade images. An attacker could exploit this vulnerability by installing a server firmware version that would allow the attacker to disable UEFI Secure Boot.”

TOOLS

Sponsorships Available

Sponsorships Available

Sponsorships Available

• The Intel CSME Version Detection Tool assists with detection of the security vulnerabilities described in previous Intel security advisories some of which addressed firmware vulns (SA-00241, SA-00086 and SA-00125). 

• hal-fuzz: An HLE-based fuzzer for blob firmware hal-fuzz is a generic emulator (tool) based on the principle of High Level Emulation (HLE), hal-fuzz is the sleeker, faster, fuzzing-oriented version of HALucinator.

ADDITIONAL READING & LISTENING

FIRMWARE SECURITY WEBINARS

• Rick Alther, Principal Engineer and Jesse Michael, Principal Researcher, discuss their latest research, Perilous Peripherals: Unsigned firmware in WiFi adapters, USB hubs, trackpads, laptop cameras and network interface cards. LISTEN HERE >

• Eclypsium Principal Researchers Mickey Shkatov and Jesse Michael take you inside their recent research on DMA Attacks in this recorded Q&A session. LISTEN HERE >

UPCOMING ECLYPSIUM TRAINING

March 3, 2020

Join Eclypsium on March 3 for Anatomy of a Firmware Attack. In this webinar, Eclypsium explores the techniques of successful firmware attacks as they apply to stages of a kill chain. This webinar is designed to help you assess and defend enterprise devices from firmware and hardware threats. REGISTER NOW >

March 14-16, 2020

During the upcoming hands-on training at CanSecWest 2020 Eclypsium’s Jesse Michael, Mickey Shkatov and Rick Altherr will teach you all about firmware implants, how they are made, how they work, and how to detect and defend against them. Participants will walk away with a UEFI and BIOS foundation to build on, an understanding of how to build a firmware implant and lastly, how to search and detect firmware implants. 

1. Mar 14-15 Practical Firmware Implants. REGISTER NOW >

2. Mar 16-17 Finding Firmware Implants. REGISTER NOW >