https://www.hackerone.com/blog/Intel-launches-its-first-bug-bounty-program
“The OpenRISC architecture is currently unmaintained, remove.”
https://lists.denx.de/pipermail/u-boot/2017-March/thread.html
“UEFI-Dumper is a simple perl script to get access to your Insyde Bios hidden menus.”
The source code says: Copyright (c) 2013 Nurlan Mukhanov (aka Falseclock).
https://github.com/Falseclock/UEFI-dumper
The tool appears brand-new, judging by its GitHub history, but given the 2013 date in the copyright it is probably older. A quick search finds the same code in a 3-year-old post:
http://developers-club.com/posts/182676/
When I noticed this, I sent an FYI to the UEFI Security team and to Insyde’s security team, in case they hadn’t seen it. Kevin Davis of Insyde responded with:
“Insyde Software takes the security of our customers’ platforms very seriously. InsydeH2O and SETUP page settings are based on public specifications. Insyde is aware that the UEFI-Dumper allows individuals to get the information about SETUP pages that customers have hidden. Insyde believes that current customer platforms are following our guidelines for protecting sensitive system variables from malicious changes. As the first BIOS vendor to ship production systems supporting the UEFI standards, Insyde has always worked to improve the UEFI standards and our InsydeH2O BIOS. Our customers are encouraged to work with their Insyde contacts to continue to build secure systems.”
Trapezoid has a webinar this Thursday on NIST and firmware security:
https://twitter.com/TrapezoidSec/status/841849041214443520
http://nistwebinar.digitaleragroup.com/
[…] Our Embedded System Vulnerability Researchers analyze a variety of devices to understand how they work and how they behave when they break. If it runs code, somebody in our office has looked at it. Candidates must be proficient with binary analysis techniques and familiar with vulnerability types such as heap corruption, use after free, and buffer overflows. Projects will be undertaken in small teams with close coordination with customers. A typical day may involve extracting firmware from a board, studying disassembly, or writing code to audit a device.
Required Skills:
Experience with C or C++
Proficient with static and dynamic binary analysis techniques
Familiar with software vulnerabilities
Experience reading and writing PowerPC
Experience using reverse engineering tools such as IDA Pro, Binary Ninja, or objdump
Experience using debuggers such as gdb
Comfortable working in a Linux environment
3 or more of the “desired skills” below.
Desired Skills:
4+ years of professional experience in VR, RE or related fields
Experience developing embedded systems
Knowledge of RTOS or Linux kernel internals
Understanding of network protocols (TCP/IP stacks, RF communications, routing protocols, or others)
Understanding of exploit mitigations such as DEP and ASLR
Experience reading and writing non-PowerPC assembly (ARM, Intel, MIPS, or other)
Experience using JTAGs or other techniques for firmware extraction
Security Clearance: Qualified applicants may be subject to a security investigation and must meet minimum qualifications for access to classified information[…]
James Reinders has an article in InsideHPC that describes Intel Xeon Phi memory modes:
[…]In this article, I will discuss one of the “mode” options that Intel Xeon Phi processors have to offer unprecedented configurability: memory modes. For programmers, this is the key option to really study because it may inspire programming changes. In my next article, I’ll tackle the other mode option (cluster modes). The memory modes allow the MCDRAM to be used as either a high bandwidth cache or a high bandwidth memory, or a little of each.[…]
http://insidehpc.com/2017/03/intel-xeon-phi-memory-mode-programming-mcdram-nutshell/
Sai Praneeth Prakhya of Intel has posted a patch series to the LUV project list that extends LUV’s ability to detect misbehaving UEFI firmware.
Presently, LUV detects illegal accesses by firmware to EFI_BOOT_SERVICES_* regions only during “SetVirtualAddressMap()”. According to UEFI spec, this function will be called only once; by kernel during boot. Hence, LUV cannot detect any other illegal accesses that firmware might do after boot. Moreover, LUV can detect illegal accesses *only* to EFI_BOOT_SERVICES_CODE/DATA regions. This patch set tries to address the above mentioned two issues:
1. Detect illegal accesses to other EFI regions (like EFI_LOADER_CODE/DATA, EFI_CONVENTIONAL_MEMORY)
2. Detect illegal accesses to these regions even after kernel has booted
Recently, we came across machines with buggy firmware that access EFI memory regions like EFI_CONVENTIONAL_MEMORY, EFI_BOOT_SERVICES_CODE/DATA and EFI_LOADER_CODE/DATA even after kernel has booted. Firmware accesses these regions when some efi_runtime_service() is invoked by test cases like FWTS. These illegal accesses can potentially cause kernel hang. Hence, it’s good to have a test case in LUV which can detect these illegal accesses and hence report them to user. This requires making changes to kernel and searching dmesg for relative warnings. As there are 9 patches to linux kernel to enable this feature and putting all these 9 kernel patches in a single LUV patch makes the LUV patch gigantic; hence I have split them into smaller ones (as suggested by Ricardo). The first patch in this series (“linux-yocto-efi-test: Do not support EFI_BOOT_SERVICES_WARN”) removes support to “EFI_BOOT_SERVICES_WARN” and the later patches add all the bits and pieces together and the 10th patch (“linux-yocto-efi-test: Introduce EFI_WARN_ON_ILLEGAL_ACCESSES”) enables the (new) feature.
Full patch:
https://lists.01.org/mailman/listinfo/luv
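As an added illustration of the rule the patch series enforces (this is not LUV’s or the kernel’s code): after ExitBootServices() the kernel owns EFI_LOADER_CODE/DATA, EFI_BOOT_SERVICES_CODE/DATA and EFI_CONVENTIONAL_MEMORY outright, so a runtime-service access that lands in any of them is illegal, while a region carrying the EFI_MEMORY_RUNTIME attribute legitimately stays the firmware’s regardless of its type. The memory-type numbers, the 4 KiB EFI page and the EFI_MEMORY_RUNTIME bit come from the UEFI specification; the memory map, the access trace and the warning wording are constructed for this demonstration, not taken from a real machine or from the kernel’s dmesg output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Memory types from the UEFI specification's EFI_MEMORY_TYPE enumeration (subset). */
enum {
    EFI_LOADER_CODE           = 1,
    EFI_LOADER_DATA           = 2,
    EFI_BOOT_SERVICES_CODE    = 3,
    EFI_BOOT_SERVICES_DATA    = 4,
    EFI_RUNTIME_SERVICES_CODE = 5,
    EFI_RUNTIME_SERVICES_DATA = 6,
    EFI_CONVENTIONAL_MEMORY   = 7,
    EFI_ACPI_MEMORY_NVS       = 10,
    EFI_MEMORY_MAPPED_IO      = 11,
};

#define EFI_PAGE_SIZE      4096ULL
#define EFI_MEMORY_RUNTIME 0x8000000000000000ULL /* region stays mapped for runtime services */

/* Mirrors the fields of EFI_MEMORY_DESCRIPTOR. */
struct efi_memory_desc {
    uint32_t type;
    uint64_t phys_addr;
    uint64_t virt_addr;
    uint64_t num_pages;
    uint64_t attribute;
};

enum access_verdict { ACCESS_OK = 0, ACCESS_ILLEGAL = 1, ACCESS_UNMAPPED = -1 };

/* Region types the kernel takes ownership of once ExitBootServices() returns. */
static int kernel_owned_type(uint32_t type) {
    switch (type) {
    case EFI_LOADER_CODE: case EFI_LOADER_DATA:
    case EFI_BOOT_SERVICES_CODE: case EFI_BOOT_SERVICES_DATA:
    case EFI_CONVENTIONAL_MEMORY:
        return 1;
    default:
        return 0;
    }
}

/* Verdict for one physical address touched by firmware after the kernel has booted. */
int classify_access(const struct efi_memory_desc *map, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++) {
        uint64_t start = map[i].phys_addr;
        uint64_t end   = start + map[i].num_pages * EFI_PAGE_SIZE;
        if (addr < start || addr >= end) continue;
        /* The attribute wins over the type: some firmware marks boot-services
           regions EFI_MEMORY_RUNTIME, and the kernel must leave those alone. */
        if (map[i].attribute & EFI_MEMORY_RUNTIME) return ACCESS_OK;
        return kernel_owned_type(map[i].type) ? ACCESS_ILLEGAL : ACCESS_OK;
    }
    return ACCESS_UNMAPPED;
}

/* Scan an access trace; returns the number of illegal accesses and prints one
   warning per offender (our own wording, not the kernel's). */
size_t count_illegal_accesses(const struct efi_memory_desc *map, size_t n,
                              const uint64_t *addrs, size_t naddrs) {
    size_t bad = 0;
    for (size_t i = 0; i < naddrs; i++) {
        int v = classify_access(map, n, addrs[i]);
        if (v == ACCESS_ILLEGAL) {
            bad++;
            printf("warning: firmware touched kernel-owned EFI memory at 0x%llx after boot\n",
                   (unsigned long long)addrs[i]);
        } else if (v == ACCESS_UNMAPPED) {
            printf("note: 0x%llx is not covered by the EFI memory map\n",
                   (unsigned long long)addrs[i]);
        }
    }
    return bad;
}

/* Constructed memory map and access trace for the demonstration. */
const struct efi_memory_desc sample_map[] = {
    { EFI_CONVENTIONAL_MEMORY,   0x000000000ULL, 0, 0x9F,   0 },
    { EFI_LOADER_CODE,           0x000100000ULL, 0, 0x100,  0 },
    { EFI_BOOT_SERVICES_DATA,    0x000200000ULL, 0, 0x100,  0 },
    { EFI_RUNTIME_SERVICES_CODE, 0x000300000ULL, 0, 0x10,   EFI_MEMORY_RUNTIME },
    { EFI_RUNTIME_SERVICES_DATA, 0x000310000ULL, 0, 0x10,   EFI_MEMORY_RUNTIME },
    { EFI_ACPI_MEMORY_NVS,       0x000320000ULL, 0, 0x10,   0 },
    { EFI_BOOT_SERVICES_DATA,    0x000400000ULL, 0, 0x10,   EFI_MEMORY_RUNTIME },
    { EFI_MEMORY_MAPPED_IO,      0x0FF000000ULL, 0, 0x1000, EFI_MEMORY_RUNTIME },
};
#define SAMPLE_MAP_LEN (sizeof(sample_map) / sizeof(sample_map[0]))

const uint64_t sample_accesses[] = {
    0x300100ULL,   /* runtime services code: fine */
    0x200040ULL,   /* boot services data: illegal after boot */
    0x001000ULL,   /* conventional memory: illegal after boot */
    0x100200ULL,   /* loader code: illegal after boot */
    0x400010ULL,   /* boot services data but flagged RUNTIME: fine */
    0xFF001000ULL, /* MMIO: fine */
    0x12345678ULL, /* not in the map at all */
};
#define SAMPLE_ACCESS_LEN (sizeof(sample_accesses) / sizeof(sample_accesses[0]))

int main(void) {
    size_t bad = count_illegal_accesses(sample_map, SAMPLE_MAP_LEN,
                                        sample_accesses, SAMPLE_ACCESS_LEN);
    printf("%zu illegal access(es)\n", bad);
    return bad ? 1 : 0;
}
```

Build with `cc -std=c99 -Wall` and run; the exit status is non-zero when the trace contains an illegal access. The kernel-side feature in the patch series catches such accesses as they happen on the runtime-service call path and reports them through dmesg; this user-space classifier only encodes the ownership rule against a memory map, which is the part worth understanding before reading the patches.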
http://www.securiteam.com/securitynews/5XP3B0UKUU.html
SecuriTeam confused me by reposting a 2016 Dell iDRAC vulnerability today, but I don’t see anything new. Just in case you weren’t aware of this issue and you have a Dell system, here is info on this older vulnerability; see the last link for a PDF-based response from the Dell iDRAC team.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5685
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5685
http://www.securityfocus.com/bid/94585
http://en.community.dell.com/techcenter/extras/m/white_papers/20443326
“Dell iDRAC team’s response to Common Vulnerabilities and Exposures (CVE) ID CVE-2016-5685 [16 November 2016]
Summary: an authenticated user could gain Bash shell access through a string injection.
Dell Response: update to the latest iDRAC firmware, which remediates this potential vulnerability.”
THINKPWN SCANNER: This program is used to scan UEFI drivers extracted from firmware image for ThinkPwn vulnerability in vendor/model agnostic way.
AUTHORS:
@d_olex (aka Cr4sh) — initial Vivisect based version of the program;
@trufae (aka pankake) — radare2 based version (this one);
Read the source code for more user docs, including a detailed source comment about how the code works.
https://github.com/Cr4sh/ThinkPwn/blob/master/scan_thinkpwn.py
More info:
https://github.com/Cr4sh/ThinkPwn
http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html
AMI has announced support for Pyrite Password Protected Drives.
[…]The Trusted Computing Group (TCG) releases a specification called the “Opal SED Specification” that governs hard drive protection and encryption standards. AMI previously announced support for Opal and Opalite and now AMI has added password support for Pyrite. With the support for Pyrite, AMI enables drives that have a hardware mechanism to protect access without the need to carry out encryption of user data. AMI has worked with several industry partners to develop and validate the support for Pyrite. By introducing this support, OEMs can create solutions at lower costs than Opal or Opalite while maintaining the security of the data.[…]
Full PR:
https://ami.com/news/press-releases/?PressReleaseID=381
See-also:
https://trustedcomputinggroup.org/tcg-storage-security-subsystem-class-pyrite/
https://trustedcomputinggroup.org/tcg-storage-opal-nvme/
https://trustedcomputinggroup.org/tag/pyrite/
uefi_multiboot: Create UEFI-compatible boot drive supporting multiple ISO images.
It requires UEFI-based target systems, an Ubuntu system to build on, and a disposable USB drive (everything on the drive will be deleted).
https://github.com/sundarnagarajan/uefi_multiboot
(Someone looking to create a script that generates a UEFI boot drive could also benefit from using parts of this script.)
UEFI_ListPci is a new UEFI application that uses UEFI protocols to enumerate PCI/PCIe devices.
https://github.com/Justgocode/UEFI_ListPci
(There is also the UEFI Shell’s PCI command, included in Tianocore.org.)
“UEFI-Rebooter is a bash script for implementing dual boot through uefi.” It is labelled “Windows Boot Manager”, and calls Linux’s efibootmgr as its main tool.
https://github.com/Dertosh/UEFI-Rebooter
https://github.com/Dertosh/UEFI-Rebooter/blob/master/UEFI-rebooter.sh
Finnbarr P. Murphy has a new blog post about a UEFI-based TPM 1.2 PCR-reading tool he’s written.
[…]By the way, if you have access to the Intel TXT (Trusted Execution Technology) EFI compliance testing toolkit, the included utility, pcrdump.efi, provides similar functionality to the utility described in this post.[…]
http://blog.fpmurphy.com/2017/01/uefi-utility-to-read-tpm-1-2-pcrs.html
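A tool that reads PCRs is only half of an attestation check; the other half is knowing what the values should be. As an added example (not Murphy’s utility, not pcrdump.efi, and not TPM firmware), the following replays a measurement log the way a TPM 1.2 extends a PCR: each entry’s digest is folded in as PCR_new = SHA1(PCR_old || digest), starting from the reset value of the bank. The SHA-1 is the standard FIPS 180-4 algorithm written out in full so the block runs stand-alone; the log entry struct is a simplified stand-in for TCG_PCR_EVENT (only the PCR index and digest are kept), and the log used in the test is constructed, not captured from a machine.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PCR_COUNT 24
#define SHA1_LEN  20

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Minimal SHA-1 (FIPS 180-4); enough to replay a TPM 1.2 measurement log. */
void sha1(const uint8_t *msg, size_t len, uint8_t out[SHA1_LEN]) {
    uint32_t h[5] = { 0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u };
    size_t total = ((len + 8) / 64 + 1) * 64;   /* length after 0x80 + zero + 64-bit size padding */
    uint8_t *buf = calloc(total, 1);
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    uint64_t bits = (uint64_t)len * 8;
    for (int i = 0; i < 8; i++) buf[total - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < total; off += 64) {
        uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 16; i++)
            w[i] = (uint32_t)buf[off + 4*i] << 24 | (uint32_t)buf[off + 4*i + 1] << 16 |
                   (uint32_t)buf[off + 4*i + 2] << 8 | buf[off + 4*i + 3];
        for (int i = 16; i < 80; i++) w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999u; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1u; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDCu; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6u; }
            uint32_t t = rol(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    free(buf);
    for (int i = 0; i < 5; i++) {
        out[4*i]     = (uint8_t)(h[i] >> 24); out[4*i + 1] = (uint8_t)(h[i] >> 16);
        out[4*i + 2] = (uint8_t)(h[i] >> 8);  out[4*i + 3] = (uint8_t)h[i];
    }
}

/* TPM 1.2 extend: PCR_new = SHA1(PCR_old || measurement). A PCR can only be
   extended, never written, which is what makes the final value order-sensitive. */
void pcr_extend(uint8_t pcr[SHA1_LEN], const uint8_t digest[SHA1_LEN]) {
    uint8_t in[2 * SHA1_LEN];
    memcpy(in, pcr, SHA1_LEN);
    memcpy(in + SHA1_LEN, digest, SHA1_LEN);
    sha1(in, sizeof in, pcr);
}

/* Simplified log entry: TCG_PCR_EVENT also carries an event type and event data,
   but only the index and digest are needed to recompute PCR values. */
struct log_entry { uint32_t pcr_index; uint8_t digest[SHA1_LEN]; };

/* Replay a log into a freshly reset TPM 1.2 PCR bank and return how many entries
   were applied. At TPM_Startup PCRs 0-16 and 23 read all zeros while the DRTM
   PCRs 17-22 read all ones (they are zeroed only by a measured launch), so a
   replay that starts every PCR from zero will mismatch 17-22 on a DRTM system. */
size_t replay_log(const struct log_entry *log, size_t n, uint8_t pcrs[PCR_COUNT][SHA1_LEN]) {
    size_t applied = 0;
    for (int i = 0; i < PCR_COUNT; i++)
        memset(pcrs[i], (i >= 17 && i <= 22) ? 0xFF : 0x00, SHA1_LEN);
    for (size_t i = 0; i < n; i++) {
        if (log[i].pcr_index >= PCR_COUNT) continue;  /* malformed entry: skip rather than index out of bounds */
        pcr_extend(pcrs[log[i].pcr_index], log[i].digest);
        applied++;
    }
    return applied;
}
```

Comparing the replayed bank against what a PCR reader such as the one in the post prints tells you whether the log you hold actually explains the values the TPM holds; any PCR that differs has either an event missing from the log or a measurement that was made out of the logged order.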
See more of his UEFI Utilities:
The Mac Platform Software team is looking for a talented engineering manager to lead a team of firmware and systems software engineers responsible for developing Apple’s UEFI implementation and related technologies for the Mac product line. Mac Platform Software is responsible for bringing up macOS and Windows on all new Mac products, including the development and integration of firmware and systems software for macOS and Windows, the development of platform-level features for the Mac, and the leadership of cross-functional debug and optimization efforts across hardware and software teams.[…]
https://jobs.apple.com/search?job=56058298&openJobId=56058298#&openJobId=56058298
The Mac Platform team in Core OS is looking for a talented UEFI engineer to work on the bring-up of new Mac products. Breathe life into new Mac products by developing firmware across all phases of development, from pre-silicon to product ramp.[…]
https://jobs.apple.com/search?job=56058163&openJobId=56058163#&openJobId=56058163
CHIPSEC already has a Blacklist command. Now there is a UEFI whitelist command.
The USG is Good, not Bad
The USG is a firewall for your USB ports, protecting your computer from BadUSB. It connects between your computer and your untrusted USB device, isolating the badness and keeping your computer safe. This is the firmware branch for the pre-assembled USG v1.0. If you want to build your own USG out of development boards, clone the v0.9 branch instead. USG v1.0 hardware now available. You can now order your own USG hardware by contacting the developer. Pricing is NZ$80 each (approx US$60) plus shipping to your country of choice. It will ship fully tested and pre-loaded with the latest firmware.[…]

https://github.com/robertfisk/USG
“EFI firmware malware is a new frontier for stealth and persistent attacks which may be used by sophisticated adversaries to penetrate and persist within the organization’s and national infrastructure for very long time. Use open source CHIPSEC to defend from this threat and stay safe.”
https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/
Hastily-written news/info on the firmware security/development communities, sorry for the typos.