Endpoint security firm Cylance has disclosed the details of two potentially serious UEFI vulnerabilities that can be exploited to install a backdoor on some Gigabyte BRIX mini PCs. The vendor is working on a firmware update that will address the flaws.
Cylance said it had tested the latest firmware for GB-BSi7H-6500 and GB-BXi7-5775 mini PCs and discovered that some important protection mechanisms are missing. The company has described an attack scenario where a malicious actor exploits the vulnerabilities to deliver a ransomware payload that prevents the system from booting.
One of the vulnerabilities found by researchers, tracked as CVE-2017-3197, is related to the SMI handler and it allows an attacker to execute code in System Management Mode (SMM). The American Megatrends (AMI) firmware present on affected devices does normally provide write-protection mechanisms designed to prevent unauthorized changes, but these protections have not been enabled by Gigabyte.
Hackers can exploit this flaw for malicious attacks by first gaining access to the targeted system via a browser or document exploit. The attacker can then elevate privileges to achieve kernel mode code execution. Since write-protection mechanisms are not enabled, the attacker can exploit the SMI vulnerability to execute code in SMM and make changes to the flash memory.
The second vulnerability, identified as CVE-2017-3198, is related to the fact that the Gigabyte UEFI does not perform a cryptographic check to ensure that a firmware update is legitimate. Furthermore, firmware updates are served over HTTP.
An attacker who obtains access to the targeted system can install the legitimate UEFI update utility and use it to push a malicious firmware onto the device.
“Successful infection at such a low level has the potential to be disastrous,” Cylance researchers said in a blog post. “UEFI rootkits and ransomware could provide attackers with a degree of control that is difficult, if not near-impossible, to detect or rectify.”
The vulnerabilities were discovered on December 20 and they were reported to Gigabyte in mid-January. The vendor says it has prepared a firmware update, version vF7, that is in the final phase of testing. However, the update will only be available for GB-BSi-7H-6500 as the GB-BXi7-5775 model has reached end of life.
Related: Firmware Zero-Day Allows Hackers to Disable Security Features
Related: Secure Boot Vulnerability Exposes Windows Devices to Attacks
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
