UEFI

History

2024: FSTEC recommends closing a vulnerability that stealth programs can exploit

In early September FSTEC , she sent out a warning with recommendations for updating UEFI () BIOS from various manufacturers of processors and motherboards. The recommendation is related to the presence in products of companies such as,,,, Intel Fujitsu AMD NVIDIA Ampere Computing Marvell Semiconductor,,, and Dell SuperMicro Gigabyte some other vulnerabilities BDU:2024-06694^[1] Detected^[2] attackers to embed code into systems that will be executed before the operating system itself boots. Typically, this feature is used by stealth programs (), which are rootkit very difficult to detect by local methods. Therefore, although the vulnerability CVSSv3 index is not very large - 8.2 out of 10, however, the vulnerability can pose a serious threat to secure information systems.

The vulnerability itself was discovered by^[3] Ecosystem specialists] at the end^[4] July this year, and it was associated with cryptographic test "master keys" for Secure Boot, which were supplied to motherboard manufacturers. These test keys for secure loading Windows using Secure Boot were issued to hardware developers by American Megatrends International (AMI), which, in fact, created the UEFI code.

Binarly

It was assumed that hardware manufacturers would replace these test keys, which were marked as untrusted, with their own, issued by the developer Secure Boot - Microsoft. However, it turned out that motherboard manufacturers forgot about this requirement, which allowed running extraneous code signed with a test master key as legitimate and trusted.

GitHub

This vulnerability is exploited only locally, at the level before the operating system boots, "said Albert Antonov, head of the OSINT group at the SOC CyberART Innostage Cyber ​ ​ Threat Countermeasures Center, in a conversation with TAdviser. - A remote attacker cannot use it, so this vulnerability is one of many non-critical. If available, companies need to update the motherboard BIOS to the current version.

Actually, it is precisely because of the impossibility of remote exploitation of the vulnerability that its rating in CVSS is reduced, however, such a vulnerability is usually used not to penetrate the system, but to fix it in it. That is, the malware penetrates the device using another vulnerability, and then, due to PKfail, takes root in the system, becoming invisible to the operating system. Cleaning out malware that has such a hidden component is very difficult, since you need to study and modify the OS boot procedure.

Therefore, FSTEC recommends getting rid of the very possibility of using PKfail to fix malware in the system in advance. But if UEFI for some reason cannot be updated, then at least it is necessary to integrate a trusted download tool (electronic lock) into the system, which independently controls the download path of software components without using UEFI.

The FSTEC of Russia has already issued recommendations regarding protection against the exploitation of this vulnerability, "Anton Kvardakov, deputy head of the technical protection department of confidential information at Cloud Networks, told TAdviser . - However, I would like to dwell on another problem - the equipment that falls under this vulnerability cannot officially receive an update on the manufacturer's website due to sanctions restrictions. For example, if you go to the site with the recommendations of the Intel manufacturer, then we see a message about the suspension of activities in the Russian Federation and Belarus. In this regard, another problem is brewing: the need to revise the availability of undeclared opportunities.

Intel

Indeed, some manufacturers of vulnerable devices have stopped supporting their products in Russia, so updating UEFI for them may be a difficult task. Owners of such devices will either have to receive updates through parallel import channels, or install an electronic lock, which at one time Russian developers created enough.

Notes