
CVE-2017-3753: AMI Lenovo UEFI SMM vulnerability

Lenovo says scope of AMI issue is “Industry-Wide”, which implies that other Intel/AMI-based OEMs may also have this issue, not just Lenovo.

BIOS SMI Handler Input Validation Failures
CVE Identifier: CVE-2017-3753

Lenovo Security Advisory: LEN-14695
Severity: High
Scope of Impact: Industry-Wide
Last Modified: 08/09/2017

Potential Impact: Execution of code in SMM by an attacker with local administrative access

A vulnerability has been identified in some Lenovo products that use UEFI code developed by AMI. With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. AMI has supplied a fix for this vulnerability to Lenovo. Users should update the BIOS on affected systems to the latest available version to address this issue.

Security-conscious users should consider the following mitigation steps if an immediate BIOS update is not possible to protect themselves to the fullest extent with the understanding that they DO NOT fix or fully protect against an exploit of this vulnerability:

* Enable Secure Boot on your system
* Disable the boot to UEFI shell
* Disable boot from any source but the primary internal hard drive
* Set a BIOS setup password, so Secure Boot cannot be disabled and the boot to the UEFI shell cannot be re-enabled
* Operate as an unprivileged (non-administrator) user
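
The first three checklist items can be verified from UEFI variables. The following is an added example, not code from Lenovo, AMI or this blog: it parses the Linux efivarfs byte layout of `SecureBoot` and `Boot####` and flags entries that deviate from the list. The sample bytes are constructed, and the shell and "internal drive" tests are heuristics assumed for this example.

```python
import struct

LOAD_OPTION_ACTIVE = 0x00000001
HARD_DRIVE = (0x04, 0x01)  # device-path node: Media / Hard Drive
FW_FILE = (0x04, 0x06)     # Media / firmware-volume file (firmware-embedded app)
USB = (0x03, 0x05)         # Messaging / USB

def secure_boot_enabled(var: bytes) -> bool:  # efivarfs: 4 attribute bytes + 1 data byte
    return len(var) >= 5 and var[4] == 1

def parse_load_option(var: bytes):
    """Return (active, description, [(type, subtype), ...]) for a Boot#### value."""
    data = var[4:]                                   # drop efivarfs attribute prefix
    attrs, path_len = struct.unpack_from("<IH", data, 0)
    end = 6                                          # description: NUL-terminated UTF-16LE
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    desc = data[6:end].decode("utf-16-le")
    pos, stop, nodes = end + 2, min(end + 2 + path_len, len(data)), []
    while pos + 4 <= stop:
        ntype, sub, nlen = struct.unpack_from("<BBH", data, pos)
        if ntype == 0x7F or nlen < 4:                # end node or malformed length
            break
        nodes.append((ntype, sub))
        pos += nlen
    return bool(attrs & LOAD_OPTION_ACTIVE), desc, nodes

def audit(secure_boot: bytes, boot_vars: dict) -> list:
    """Flag deviations from the checklist; inactive boot entries are ignored."""
    findings = [] if secure_boot_enabled(secure_boot) else ["Secure Boot is not enabled"]
    for name, var in sorted(boot_vars.items()):
        active, desc, nodes = parse_load_option(var)
        if active and (FW_FILE in nodes or "shell" in desc.lower()):
            findings.append(f"{name} ({desc}): firmware-embedded app or UEFI shell")
        elif active and (HARD_DRIVE not in nodes or USB in nodes):
            findings.append(f"{name} ({desc}): not an internal hard-drive entry")
    return findings

def _opt(attrs, desc, nodes):  # builds a constructed Boot#### value for the sample
    path = b"".join(struct.pack("<BBH", t, s, 4 + len(b)) + b for t, s, b in nodes)
    head = b"\x07\x00\x00\x00" + struct.pack("<IH", attrs, len(path) + 4)
    return head + desc.encode("utf-16-le") + b"\x00\x00" + path + b"\x7f\xff\x04\x00"

SAMPLE_BOOT = {  # constructed sample data, not captured from a real machine
    "Boot0000": _opt(1, "Windows Boot Manager", [(4, 1, bytes(38))]),
    "Boot0001": _opt(1, "Built-in EFI Shell", [(4, 7, bytes(16)), (4, 6, bytes(16))]),
    "Boot0002": _opt(1, "USB Key", [(3, 5, bytes(2)), (4, 1, bytes(38))]),
    "Boot0003": _opt(0, "Network", [(3, 11, bytes(33))]),
}
```

On a live Linux system the same bytes come from the files under `/sys/firmware/efi/efivars/`. A setup password and the account privilege level are not visible in these variables and have to be checked separately.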

https://nvd.nist.gov/vuln/detail/CVE-2017-3753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3753
https://support.lenovo.com/us/en/product_security/len-14695
AFAICT nothing on the AMI site on this.


AMI announces NVMe UEFI Option ROM service for OEMs

American Megatrends Provides Service for Developing NVMe UEFI Option ROMs for UEFI BIOS Firmware

AMI is pleased to announce a new service for developing NVMe® UEFI Option ROMs. Recently, AMI added support for technologies such as NVMe metadata/data encryption and NVMe namespace management. Continuing its support for NVMe-related technologies, AMI has also developed UEFI NVMe Option ROMs. This service for developing UEFI NVMe Option ROMs enables OEMs and NVMe device manufacturers to ship NVMe devices with Option ROMs embedded in them. OEMs and NVMe device manufacturers will have the ability to add features that are traditionally unavailable with generic UEFI drivers and can implement vendor-specific commands and features within their devices. Some of the additional features that are available for NVMe Option ROMs include disk management for namespace management in BIOS setup, metadata/end-to-end data protection, NVMe firmware updates in BIOS setup and SMART data information. Interested OEMs and NVMe drive manufacturers should contact their AMI sales representative for more information.

https://ami.com/en/news/press-releases/american-megatrends-provides-service-for-developing-nvme-uefi-option-roms-for-uefi-bios-firmware/
http://ami.com/products/bios-uefi-firmware/aptio-v/


AMI supports AMD Threadripper

AMI has a few press releases about AMD Ryzen support:

https://ami.com/en/tech-blog/amd-ryzen–aptiov/

https://ami.com/en/news/press-releases/american-megatrends-aptio-v-uefi-firmware-supports-amd-ryzen-threadripper-highperformance-gaming-processor-product-line/


AMI: Be Proactive About Firmware Security!

Last month Priscilla Choi posted an article on the AMI blog on firmware for security managers, with a checklist including:

* Be proactive and emphasize security
* Pay attention to your firmware
* Stay up-to-date with the latest BIOS/UEFI firmware updates
* Have an authorization/authentication process
* Report and troubleshoot issues ASAP

https://ami.com/en/tech-blog/be-proactive-about-firmware-security/

 


Pinczakko’s AMIBIOS Utils moves to Github

There’s a blog post about this, as well:

http://bioshacking.blogspot.sg/2017/07/migrating-amibios-1b-module-utilities.html

The utilities produced by the source code ONLY work with the AMIBIOS8 (legacy BIOS) 1B module. You can obtain the 1B module from an AMIBIOS8 BIOS binary by using the AMI Module Management Tool (MMTool) utility (https://ami.com/en/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/).

https://github.com/pinczakko/AMIBIOS8_1B_Utils


AMI Tech Blog gets active

For the last few days, the AMI blog — and Twitter account — has been getting regular updates.

 
