Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hidviz is a GUI application for in-depth analysis of USB HID class devices. The 2 main usecases of this aplication are reverse-engineering existing devices and developing new USB HID devices. USB HID class consists of many possible devices, e.g. mice, keyboards, joysticks and gamepads. But that’s not all! There are more exotic HID devices, e.g. weather stations, medical equipment (thermometers, blood pressure monitors) or even simulation devices […]
https://twitter.com/osxreverser/status/860539774402260993
Very fast reader for SPI flashes for Teensy 2.x.
Original code by Trammell Hudson.
Modifications and addons by Pedro Vilaça.
I have added a few new commands and options. Also added led flashing when dumping/uploading contents. I’m definitely not an AVR coder so excuse me some ugly things 🙂
To be used with Teensy 2.x devices (and maybe Chinese clones).
Alert (TA17-117A)
Intrusions Affecting Multiple Victims Across Multiple Sectors
Original release date: April 27, 2017 | Last revised: May 02, 2017
The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools. Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations.[…]
https://www.us-cert.gov/ncas/alerts/TA17-117A
https://twitter.com/rcpyksl/status/860219589451366400
Secure Boot for ESXi 6.5 – Hypervisor Assurance
Mike Foley
I’ve talked about how vSphere has been moving towards a “secure by default” stance over the past few years. This can clearly be seen in the new vSphere 6.5 Security Configuration Guide where the number of “hardening” steps are growing smaller with every release. In this blog post we will go over another “secure by default” feature of vSphere 6.5 that provides hypervisor assurance, Secure Boot for ESXi. One of the coolest things in 6.5, in my opinion, is the adoption of Secure Boot for ESXi. Now, you might say “But my laptop has had Secure Boot since Windows 8, what’s the big deal?” Well, the “big deal” is that we’ve gone beyond the default behavior of Secure Boot and we now leverage the capabilities of the UEFI firmware to ensure that ESXi not only boots with a signed bootloader validated by the host firmware but that it also ensures that unsigned code won’t run on the hypervisor. Best of all, it’s simple to implement! Let’s dive in![…]
https://blogs.vmware.com/vsphere/2017/05/secure-boot-esxi-6-5-hypervisor-assurance.html
ARM Compliance Test Suite [BETA] for Server Base System Architecture and Boot Requirements now available
ARM is pleased to announce the BETA release of the ARM SBSA/SBBR test suite. The suite is split across two repos:
1) SBSA-ACS on Github (just SBSA tests)
2) ARM Enterprise ACS on Github (umbrella project that collects SBSA and SBBR tests and builds all the relevant images to allow for execution)
In 2014, ARM and its partners came together and created the key to the success of ARM servers: the Server Base System Architecture (SBSA) and Server Base Boot Requirements (SBBR). These specifications require a minimum set of hardware and firmware implementations that ensure OSes and platforms interoperate. The latest versions are SBSA v3.1 and SBBR v1.0, they are available at developer.arm.com.[…]
https://github.com/ARM-software/sbsa-acs
https://github.com/ARM-software/arm-enterprise-acs
Here’s a quick summary of some of the interesting security things in this week’s v4.11 release of the Linux kernel:[…]
Intel® Branded NUC’s Vulnerable to SMM exploit
Intel ID: INTEL-SA-00068
Product family: Intel® NUC Kits
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: May 02, 2017
Last revised: May 02, 2017
Intel is releasing updated BIOS firmware for a privilege escalation issue. This issue affects Intel® NUC Kits listed in the Model Number section below. The issue identified is a method that enables malicious code to gain access to System Management Mode (SMM). A malicious attacker with local administrative access can leverage vulnerable BIOS to execute arbitrary code outside of SMRAM while system is running in System management mode (SMM), potentially compromising the platform. Intel products that are listed below should apply the update. Intel highly recommends updating the BIOS of all Intel® NUC’s to the recommended BIOS or later listed in the table of affected products. Intel would like to thank Security Researcher Dmytro Oleksiuk for discovering and reporting this issue.
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00068&languageid=en-fr
http://www.kb.cert.org/vuls/id/491375
https://mattermedia.com/blog/disabling-intel-amt/
“Recently there was a branch of news and comments on Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege – INTEL-SA-00075 (CVE-2017-5689). Maksim Malyutin, a member of our Embedi research team, was first to discover this vulnerability. There has been a lot of disinformation presented as “fact” and a tremendous amount of baseless assumptions being floated around by some media outlets ever since the news was released Intel representatives have asked Embedi to hold off on disclosing any technical details regarding this issue until further notice. The vulnerability is a serious threat and the prevention measures from exploitation is a timely process for users – timely, but necessary.[…]”
https://www.embedi.com/news/mythbusters-cve-2017-5689
Time for IBVs and OEMs to start issuing Intel AMT reports, not just from Intel. Lenovo has one:
https://support.lenovo.com/us/en/product_security/len-14963
https://downloadcenter.intel.com/download/26754/INTEL-SA-00075-Mitigation-Guide
(I hope no FUD is coming from this blog. However, I can see why people would merge two background technologies they have no control over. For example:
Remote security exploit in all 2008+ Intel platforms
Nehalem through Kaby all remotely and locally hackable
May 1, 2017 by Charlie Demerjian
Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole. SemiAccurate has been begging Intel to fix this issue for literally years and it looks like they finally listened. The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.[…]
Micosoft has a training video for network administrators that includes some UEFI security topics:
I also just noticed on the CHIPSEC web site that they list some Google Groups for their project:
https://groups.google.com/forum/#!forum/chipsec-users
https://groups.google.com/forum/#!forum/chipsec-dev
The CHIPSEC team already has a CHIPSEC mailing list hosted on 01.org that they basically do not use (Twitter is the preferred communication of CHIPSEC team).
Thanks to a friend for pointing this out to me, something I had not noticed.
Intel ATR has a new github project which hosts the whitelist database that CHIPSEC uses:
https://github.com/advanced-threat-research/efi-whitelist
American Megatrends Inc. (AMI), a global leader in BIOS and UEFI firmware, server and remote management tools, data storage products and unique solutions based on the Linux® and Android™ operating systems is proud to announce Remote NDIS (RNDIS) network driver support for Aptio V UEFI Firmware. The Remote Network Driver Interface Specification (RNDIS) is a Microsoft® specification that allows for remote communication between a host server and RNDIS network device connected using a USB cable. RNDIS messages are sent via the host server to the RNDIS device and the host server can provide support for multiple networking devices connected to a USB bus. The support for RNDIS devices in Aptio V is convenient for hardware vendors because with the standardized interface of RNDIS, the need to develop drivers to support USB LAN adapters conforming to RNDIS specification is eliminated. OEMs including the RNDIS network driver in the BIOS allow end users to plug and play with RNDIS supported USB LAN adapters. Aptio V RNDIS network driver also allows the BIOS to communicate with the Baseboard Management Controller (BMC) that supports the RNDIS specification, commonly referred to as LAN over USB.[…]
https://ami.com/en/news/press-releases/?PressReleaseID=389
IBM Storwize for Lenovo initialization USB drives contain malware
Lenovo Security Advisory: LEN-14957
Potential Impact: Malware infection on system used to launch initialization tool
Severity: Medium
Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems manufactured by IBM contain a file that has been infected with malicious code. The malicious file does not in any way affect the integrity or performance of the storage systems. When the initialization tool is launched from the USB flash drive onto a computer used for initial configuration, the tool copies itself to a temporary folder on the hard drive of the desktop or laptop during normal operation. With that step, the malicious file is copied with the initialization tool to the following temporary folder:
On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool
Important: While the malicious file is copied onto the computer, the file is not executed during initialization and is not run unless a user manually executes it. The infected file does not affect the IBM Storwize for Lenovo system. The initialization tool is only used to write a text file on the USB key, which is then read by Storwize, which will then write a separate text file onto the key. At no point during the time that the USB thumb drive is inserted in the Storwize system is any information copied from the thumb drive directly to the Storwize system, nor is any code executed on the Storwize system.
The affected Initialization USB flash drive looks like the images below, and contains a folder called InitTool.[…]
https://support.lenovo.com/us/en/product_security/len-14957
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Discover the Desktop
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
News from coreboot world
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Just another WordPress.com site
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Firmware Security 
You must be logged in to post a comment.