Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

UEFI Vulnerabilities Found in Gigabyte Mini PCs

Endpoint security firm Cylance has disclosed the details of two potentially serious UEFI vulnerabilities that can be exploited to install a backdoor on some Gigabyte BRIX mini PCs. The vendor is working on a firmware update that will address the flaws.

Endpoint security firm Cylance has disclosed the details of two potentially serious UEFI vulnerabilities that can be exploited to install a backdoor on some Gigabyte BRIX mini PCs. The vendor is working on a firmware update that will address the flaws.

Cylance said it had tested the latest firmware for GB-BSi7H-6500 and GB-BXi7-5775 mini PCs and discovered that some important protection mechanisms are missing. The company has described an attack scenario where a malicious actor exploits the vulnerabilities to deliver a ransomware payload that prevents the system from booting.

One of the vulnerabilities found by researchers, tracked as CVE-2017-3197, is related to the SMI handler and it allows an attacker to execute code in System Management Mode (SMM). The American Megatrends (AMI) firmware present on affected devices does normally provide write-protection mechanisms designed to prevent unauthorized changes, but these protections have not been enabled by Gigabyte.

Hackers can exploit this flaw for malicious attacks by first gaining access to the targeted system via a browser or document exploit. The attacker can then elevate privileges to achieve kernel mode code execution. Since write-protection mechanisms are not enabled, the attacker can exploit the SMI vulnerability to execute code in SMM and make changes to the flash memory.

The second vulnerability, identified as CVE-2017-3198, is related to the fact that the Gigabyte UEFI does not perform a cryptographic check to ensure that a firmware update is legitimate. Furthermore, firmware updates are served over HTTP.

An attacker who obtains access to the targeted system can install the legitimate UEFI update utility and use it to push a malicious firmware onto the device.

“Successful infection at such a low level has the potential to be disastrous,” Cylance researchers said in a blog post. “UEFI rootkits and ransomware could provide attackers with a degree of control that is difficult, if not near-impossible, to detect or rectify.”

The vulnerabilities were discovered on December 20 and they were reported to Gigabyte in mid-January. The vendor says it has prepared a firmware update, version vF7, that is in the final phase of testing. However, the update will only be available for GB-BSi-7H-6500 as the GB-BXi7-5775 model has reached end of life.

Related: Firmware Zero-Day Allows Hackers to Disable Security Features

Related: Secure Boot Vulnerability Exposes Windows Devices to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.