SBN

June Firmware Threat Report

Not just one, but four. That’s how many vulnerabilities Eclypsium researchers discovered in Dell’s BIOSConnect feature. Taken together, this chain of vulnerabilities has a CVSS score of 8.3 (High) because it allows a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level. As readers of this report will know, that is the absolute worst-case scenario, enabling any well-positioned attacker to take over the device’s boot process and completely subvert the OS and any of its related security controls. Tens of millions of Dell consumer and enterprise-grade devices, even ones protected by Secure Boot and Secure-core technology, are vulnerable. In fact, in this case, not even Bitlocker serves as a mitigating control to protect the OS/files from a compromised UEFI attack scenario.

After two decades of industry awareness around TLS implementation vulnerabilities, we still find these “no-excuse” flaws at this critical UEFI layer of device trust and integrity; the very foundation upon which the rest of modern computing sits.

For attackers like those behind the SolarWinds attacks (or even just a red-teamer with moderate skills), these vulnerabilities present an ideal pretext for an overall strategy of blending in with legitimate processes, abusing (certificate) trust, and evading detection for as long as possible. Here, attackers can spend less than $100 to provision their own certificate from any of the certificate authorities that are trusted by the UEFI update process, and are then able to send arbitrary malicious executables to the UEFI, which blindly executes them. Don’t have $100? Ok, just grab a certificate from GitHub: Sadly there are plenty of them there (that shouldn’t be) whose CA is trusted by this process.

All in, even with SecureBoot enabled, on a Secure-Core PC, a skilled red-teamer or attacker can implant (or even brick) an affected device at the motherboard/UEFI level; and do so without having to first obtain a privileged position at the OS level. This contrasts with other recent campaigns targeting the UEFI like LoJax, MossaicRegressor, and TrickBot’s TrickBoot. Worse, from there they can disable any OS-level controls they want to, and enjoy an entire UEFI network stack that is never logged by the OS kernel, providing indefinite persistence, C2, exfiltration, and powerful control…all from a position the victim is unlikely to ever discover. That is unless they can monitor firmware integrity as Eclypsium’s platform readily does.

How’s that for a giant June bug! If you want to learn more, here is the link to our blog, here is the link to Dell’s DSA, and the link to our webinar on mitigation. Want to learn even more? We’ll see you at DEF CON where we’ll be presenting further updates and insights related to this research.

Still want more firmware and device bugs? Check the links below to find flaws in VPN devices from Sophos, SonicWall, Pulse Secure, Fortinet, and a South Korean VPN maker that shall remain nameless (note that these are all being exploited in the wild as you read this). These VPN-related attacks have risen 20x in some cases – hard to even fathom.

More still? Bugs from Nvidia, HPE, CISCO, Apple, and others await you below.

Threats in the Wild

VPN attacks up nearly 2000% as companies embrace a hybrid workplace

“As companies return to a hybrid workplace, it’s crucial that they are aware of the evolving threat landscape.”

Read More >

Industry News

Microsoft acquires ReFirm Labs to enhance IoT security

“ReFirm Labs is joining Microsoft to enrich our firmware analysis and security capabilities across devices …”

Read More >

Security Advisories

Pulse Connect Secure Samba Buffer Overflow

“Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code.”

Read More >

Security Research

“Half-Double”: Next-Row-Over Assisted Rowhammer

“Using Half-Double, we were able to induce errors on commercial systems using recent generations of DRAM chips …”

Read More >

Tools and Education

Hardwear.io Security Trainings and Conference

“Listen to top-of-the-line security professionals presenting their innovative & cutting-edge research exclusively at Hardwear.io.”
Discount Code: HWEclypsium10

Read More >

Webinars and Events

New Research from Eclypsium – BIOS Disconnect

In this webinar, Eclypsium will share information on multiple new vulnerabilities that our research team has identified in Dell devices. We will discuss the significant risks this poses to the integrity of these devices, and what steps can be taken to mitigate this threat.

Join us>

Webinars and Events

The Cybersecurity EO, Firmware, and Unseeing the Rabbit

The president’s recently released “Executive Order on Improving the Nation’s Cybersecurity” presents new perspectives and directions on preventing increasingly destructive ransomware and cyber attacks. While all ten sections in the executive order provide instructions for federal agencies and CISOs in the commercial sector, two particular sections notably break away from traditional best practices and call for new approaches.

  • The first of these, Section 3, calls for “Modernizing Federal Government Cybersecurity,” focusing especially on the design and implementation of Zero Trust architectures in government networks.
  • The second, Section 4, concentrates on strengthening and securing the complex, multi-headed software supply chain.

Both of these sections have profound implications for firmware security. What’s more, they introduce new firmware requirements that few cybersecurity professionals are ready to demonstrate, let alone understand.

Join us>

*** This is a Security Bloggers Network syndicated blog from Eclypsium authored by Eclypsium. Read the original post at: https://eclypsium.com/2021/06/24/june-firmware-threat-report-2021/