Talos: U-Boot Verified Boot issues with CUJO

[…]Device-local verified boot bypass (persistence methods): CUJO uses Das U-Boot’s “Verified Boot,” an open-source primary boot loader that aims to protect the boot process from unauthorized modifications, and as a consequence, at avoiding a persistent compromise of the device. Moreover, the first 16MB of CUJO’s eMMC have been permanently write-protected, so that it is not possible, even for the manufacturer, to modify the system’s bootloaders. We identified two vulnerabilities that bypass these protections. We identified an issue in Das U-Boot, affecting versions 2013.07-rc1 to 2014.07-rc2 (inclusive). TALOS-2018-0633 shows that U-Boot FIT images’ signatures are not enforced, since it is still possible to boot from legacy unsigned images. This behavior can be exploited by simply replacing a signed FIT image with a legacy (and thus unsigned) image. CUJO uses the OCTEON SDK, which in turn uses U-Boot version 2013.07, so they are both vulnerable to this issue. Because of this, and since products have no possibility to use the impacted U-Boot versions without avoiding the issue, this CVE has been assigned to U-Boot. As previously stated, since the U-Boot bootloader is unmodifiable, TALOS-2018-0633 cannot be fixed in CUJO. Note, however, that, in isolation, this is less severe of an issue. See our discussion below for more details. TALOS-2018-0634 describes an additional way to bypass the secure boot process. By modifying the `dhcpd.conf` file, it is possible to make the DHCP server execute shell commands. Since this file persists across reboots, it is possible to execute arbitrary commands as root at each boot, effectively compromising the system’s integrity.[…]

https://blog.talosintelligence.com/2019/03/vuln-spotlight-cujo.html

https://www.talosintelligence.com/reports/TALOS-2018-0633/

hardwear.io Call for Workshops & Villages – USA 2019

Hardwear.io has been based in Europe (Netherlands) since it’s start in 2015. But this year, it will not only be in Netherlands, but ALSO in Berlin and Santa Clara! The CfP is open for Santa Clara and Netherlands.

https://www.hardwear.io/

PS: Hardwear organizers:
Please consider submitting your events to https://www.cfptime.org/

 

Facebook: on internal usage of coreboot, u-root, and LinuxBoot

Facebook has a new blog post with information about their internal firmware usage:

https://code.fb.com/data-center-engineering/f16-minipack/

SSTIC 2019 program announced

Many interesting presentations at this event!

Side-Channel assessment of Open Source Hardware Wallets
Side-Channel Attack on Mobile Firmware Encryption
LEIA: the Lab Embedded ISO7816 Analyzer A Custom Smartcard Reader for the ChipWhisperer
iDRACKAR, integrated Dell Remote Access Controller’s Kind Approach to the RAM
WEN ETA JB? A 2 million dollars problem
Everybody be cool, this is a robbery!
IDArling, la première plateforme de rencontre entre reversers
Journey to a RTE-free X.509 parser
DLL shell game and other misdirections
Mirage : un framework offensif pour l’audit du Bluetooth Low Energy
GUSTAVE : Fuzz It Like It’s App
Dissection de l’hyperviseur VMware
Watermarking électromagnétique de drones
RĂ©sultats et solution du challenge
Russian Style (Lack of) Randomness
Le quantique, c’est fantastique !
Ethereum: chasse aux contrats intelligents vulnérables
Analyse de sĂ©curitĂ© d’un portefeuille matĂ©riel sur smartphone
V2G Injector: Whispering to cars and charging units through the Power-Line
Analyse de firmwares de points d’accès, rĂ©tro-ingĂ©nierie et Ă©lĂ©vation de privilèges
Under the DOM: Instrumentation de navigateurs pour l’analyse de code JavaScript
SourceFu, utilisation de l’interprĂ©tation partielle pour la “deobfuscation” de sources

https://www.sstic.org/2019/programme/

IPMI Promoters: No further updates to the spec are planned

A Joint Message from the IPMI Promoters (Dell, Hewlett Packard Enterprise, NEC, Intel Corporation):

No further updates to the IPMI specification are planned or should be expected. The IPMI promoters encourage equipment vendors and IT managers to consider a more modern systems management interface which can provide better security, scalability and features for existing datacenters and be supported on the requisite platforms and devices. DMTF’s Redfish standard (from dmtf.org/redfish) is an example of one such interface.
Note: the above statement applies only to the IPMI Specification, and should have no impact on existing IPMI implementations.

https://www.intel.com/content/www/us/en/servers/ipmi/ipmi-home.html

Using TPM Based Client Certificates on Firefox and Apache

One of the useful features of Apache (or indeed any competent web server) is the ability to use client side certificates. All this means is that a certificate from each end of the TLS transaction is verified: the browser verifies the website certificate, but the website requires the client also to present one and verifies it. Using client certificates, when linked to your own client certificate CA gives web transactions the strength of two factor authentication if you do it on the login page. I use this feature quite a lot for all the admin features my own website does.[…]

https://blog.hansenpartnership.com/using-tpm-based-client-certificates-on-firefox-and-apache/

LPC_sniffer_TPM: Extract BitLocker keys from a TPM

TLDR: You can sniff BitLocker keys in the default config, from either a TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code, or with a sufficiently fancy logic analyzer. After sniffing, you can decrypt the drive. Don’t want to be vulnerable to this? Enable additional pre-boot authentication.

https://pulsesecurity.co.nz/articles/TPM-sniffing

https://github.com/denandz/lpc_sniffer_tpm

 

NSF Workshop Report on Side and Covert Channels in Computing Systems

The leakage of sensitive information is a fast-growing concern among computer users. Side- and covert channels have particularly gained attention recently due to their potential to reveal sensitive data to untrusted parties. Side channels are information leakage channels where an adversary can decipher victim’s data through silently monitoring the computing activity via physical effects such as timing, power or electromagnetic analysis. Covert channels, in contrast, work by having a malicious insider, or trojan, who intentionally colludes with the adversary to exfiltrate secrets. Side and covert channels have become major concerns for the computer industry. In early 2018, the Meltdown and Spectre attacks demonstrated that hardware implementation effects in commercial processor hardware enabled new, previously undiscovered side-channel and covert-channel leakage. These attacks highlight the notoriety of information leakage channels, and they stress the immediate need to address the security risks resulting from them.[…]

https://www.cccblog.org/2019/03/11/nsf-workshop-report-on-side-and-covert-channels-in-computing-systems/

7 security advisories from Intel

7 new security advisories from Intel on March 12th:

Intel® Accelerated Storage Manager in RSTe Advisory
INTEL-SA-00231
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00231.html

Intel® USB 3.0 Creator Utility Advisory
INTEL-SA-00229
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00229.html

Intel® Software Guard Extensions SDK Advisory
INTEL-SA-00217
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00217.html

Intel® Matrix Storage Manager Advisory
INTEL-SA-00216
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00216.html

Intel Firmware 2018.4 QSR Advisory
INTEL-SA-00191
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00191.html

Intel® Graphics Driver for Windows* 2018.4 QSR Advisory
INTEL-SA-00189
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00189.html

Intel® CSME, Server Platform Services, Trusted Execution Engine and Intel® Active Management Technology 2018.4 QSR Advisory
INTEL-SA-00185
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00185.html

[…]Multiple potential security vulnerabilities in Intel® CSME, Server Platform Services, Trusted Execution Engine and Intel® Active Management Technology may allow users to potentially escalate privileges, disclose information or cause a denial of service. Intel is releasing Intel® CSME, Server Platform Services, Trusted Execution Engine and Intel® Active Management Technology updates to mitigate these potential vulnerabilities.[…]

Journal of Cyber Policy: Firmware-Based Threats

Last year the Journal of Cyber Policy did a survey on firmware security:

Firmware is a cyberattack vector. While public attention focuses on cyberattacks and data breaches conducted over networks with software-borne malware, the risk of malicious code embedded in the firmware of millions of digital devices poses a potentially more serious threat to cybersecurity. This report reviews how security professionals view the firmware threat as well as their impression of the tech industry’s readiness to detect and prevent a firmware-based attack.

.

https://journalofcyberpolicy.com/2018/02/05/take-firmware-security-survey/
https://journalofcyberpolicy.com/2018/04/20/firmware-vulnerable-hacking-can-done/
https://journalofcyberpolicy.com/2018/10/12/the-firmware-risk/
https://journalofcyberpolicy.com/2018/01/29/understanding-the-firmware-threat/
https://journalofcyberpolicy.com/firmware-threat-report/
https://journalofcyberpolicy.com/?s=firmware

https://journalofcyberpolicy.com/wp-content/uploads/2018/02/FirmwareReportFinal.pdf

XTU: XPM image to UEFI GOP Blt Buffer Converter

wprintf(L”| xtu.exe(XPM-image To UEFI-GOP-Blt-Buffer) v1.0.1 |\n”);
wprintf(L”| –MSI-RD-Krishna,2019.03.11 |\n”);
wprintf(L”Usage:\n”);
wprintf(L” xtu.exe -i [file1] -o [file2]\n”);
wprintf(L”Options:\n”);
wprintf(L” -i [file1] //input a xpm image file.\n”);
wprintf(L” -o [file2] //output to another file.\n”);
wprintf(L” -h //show this help.\n”);
wprintf(L”Sample:\n”);
wprintf(L” xtu.exe -i image.xpm -o buffer.c //convert image.xpm to buffer.c\n”);

https://github.com/krishna116/xtu

see-also:

https://en.wikipedia.org/wiki/X_PixMap

Black Hat Europe 2018: videos online

Including talks such as:
Malware Buried Deep Down the SPI Flash: Sednit’s First UEFI Rootkit Found in the Wild
Straight Outta VMware: Modern Exploitation of the SVGA Device for Guest-to-Host Escapes
BLEEDINGBIT: Your APs Belong to Us
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses