UEFI
The unified expanded interface for embedded software (Unified Extensible Firmware Interface - UEFI) - the standard intermediary between the operating system and microprograms operating low-level functions of the equipment. The main purpose of UEFI is to correctly initialize the equipment when the system is turned on, transfer control to the loader or directly to the operating system kernel. In addition, UEFI performs the functions of a BIOS, that is, an interface that was used by all IBM PC-compatible personal computers. The first UEFI specification was developed by Intel for Itanium processors. UEFI is currently being developed by the Unified EFI Forum.
Content |
History
2024: FSTEC recommends closing a vulnerability that stealth programs can exploit
In early September FSTEC , she sent out a warning with recommendations for updating UEFI () BIOS from various manufacturers of processors and motherboards. The recommendation is related to the presence in products of companies such as,,,, Intel Fujitsu AMD NVIDIA Ampere Computing Marvell Semiconductor,,, and Dell SuperMicro Gigabyte some other vulnerabilities BDU:2024-06694[1] Detected[2] attackers to embed code into systems that will be executed before the operating system itself boots. Typically, this feature is used by stealth programs (), which are rootkit very difficult to detect by local methods. Therefore, although the vulnerability CVSSv3 index is not very large - 8.2 out of 10, however, the vulnerability can pose a serious threat to secure information systems.
The vulnerability itself was discovered by[3] Ecosystem specialists] at the end[4] July this year, and it was associated with cryptographic test "master keys" for Secure Boot, which were supplied to motherboard manufacturers. These test keys for secure loading Windows using Secure Boot were issued to hardware developers by American Megatrends International (AMI), which, in fact, created the UEFI code.
It was assumed that hardware manufacturers would replace these test keys, which were marked as untrusted, with their own, issued by the developer Secure Boot - Microsoft. However, it turned out that motherboard manufacturers forgot about this requirement, which allowed running extraneous code signed with a test master key as legitimate and trusted.
This vulnerability is exploited only locally, at the level before the operating system boots, "said Albert Antonov, head of the OSINT group at the SOC CyberART Innostage Cyber Threat Countermeasures Center, in a conversation with TAdviser. - A remote attacker cannot use it, so this vulnerability is one of many non-critical. If available, companies need to update the motherboard BIOS to the current version. |
Actually, it is precisely because of the impossibility of remote exploitation of the vulnerability that its rating in CVSS is reduced, however, such a vulnerability is usually used not to penetrate the system, but to fix it in it. That is, the malware penetrates the device using another vulnerability, and then, due to PKfail, takes root in the system, becoming invisible to the operating system. Cleaning out malware that has such a hidden component is very difficult, since you need to study and modify the OS boot procedure.
Therefore, FSTEC recommends getting rid of the very possibility of using PKfail to fix malware in the system in advance. But if UEFI for some reason cannot be updated, then at least it is necessary to integrate a trusted download tool (electronic lock) into the system, which independently controls the download path of software components without using UEFI.
The FSTEC of Russia has already issued recommendations regarding protection against the exploitation of this vulnerability, "Anton Kvardakov, deputy head of the technical protection department of confidential information at Cloud Networks, told TAdviser . - However, I would like to dwell on another problem - the equipment that falls under this vulnerability cannot officially receive an update on the manufacturer's website due to sanctions restrictions. For example, if you go to the site with the recommendations of the Intel manufacturer, then we see a message about the suspension of activities in the Russian Federation and Belarus. In this regard, another problem is brewing: the need to revise the availability of undeclared opportunities. |
Indeed, some manufacturers of vulnerable devices have stopped supporting their products in Russia, so updating UEFI for them may be a difficult task. Owners of such devices will either have to receive updates through parallel import channels, or install an electronic lock, which at one time Russian developers created enough.
Notes
- ↑ BDU:2024-06694: Vulnerability in UEFI firmware (BIOS) or PKfail
- ↑ Products vulnerable to PKfail, which allows
- ↑ [https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem Binarly PKfail: Untrusted Platform Keys Underground Secure Boot on UEFI
- ↑ of