Kaspersky Security Bulletin: Threat Predictions for 2018
Juan Andrés Guerrero-Saade, Costin Raiu, Kurt Baumgartner
Sophisticated UEFI and BIOS attacks.
The Unified Extensible Firmware Interface (UEFI) is a software interface which serves as the intermediary between the firmware and the operating system on modern PCs. Established in 2005 by an alliance of leading software and hardware developers, Intel most notable amongst them, it’s now quickly superseding the legacy BIOS standard. This was achieved thanks to a number of advanced features that BIOS lacks: for example, the ability to install and run executables, networking and Internet capabilities, cryptography, CPU-independent architecture and drivers, etc. The very advanced capabilities that make UEFI such an attractive platform also open the way to new vulnerabilities that didn’t exist in the age of the more rigid BIOS. For example, the ability to run custom executable modules makes it possible to create malware that would be launched by UEFI directly before any anti-malware solution – or, indeed, the OS itself – had a chance to start. The fact that commercial-grade UEFI malware exists has been known since 2015, when the Hacking team UEFI modules were discovered. With that in mind, it is perhaps surprising that no significant UEFI malware has been found, a fact that we attribute to the difficulty in detecting these in a reliable way. We estimate that in 2018 we will see the discovery of more UEFI-based malware.[…]
Current Purism Librem15 systems — based on Intel x64/coreboot/SeaBIOS tech — results in 3 FAILs and 1 WARNING from CHIPSEC:
The UEFI Forum recommends that OEMs pass CHIPSEC’s tests before shipping units to customers. I wish modern BIOS-based OEMs would also heed that advice… The default install is to use an MBR-based partition, so also be wary of all of the existing BIOS-centric, MBR-based rootkits. Adhere all ‘evil maid’ warning signs with this laptop. If you have corporate policies that require NIST 800-147/155/193 requirements, you might have to work hard to justify this device. I wish it were not true: configurable or secure, choose one.
In other computer review news: the trackpad did not work during initial install, had to be rebooted. I’m guessing trackpad drivers aren’t integrated? You’ll have to use external mouse if you need to click on something during install of Linux. Same with backlit key and display intensity features: only worked after OS setup. Firmware security pedantry aside, nice hardware. Fan rarely kicks in, unlike some OEMs. It is nice to see a Mac-style trackpad instead of a PC-style touchpad with 2 explicit button areas, I’ve grown to dislike those. Startup and poweroff are both very fast. Reminds me of what a modern non-UEFI system should be like. Great, except we’re no longer in a world where security can be ignored. If you want an insecure BIOS box, you’ll probably enjoy this system. If you care about security, this is a BIOS box….
Michał Kowalczyk has an interesting presentation on Intel BIOS reversing, focusing on a Toshiba system. Presentation is in Polish. If you have a Toshiba, see the excerpt below with advisory info.
Oficjalne stanowisko Toshiby
Toshiba is working on a temporary BIOS update that can be used to prevent the security issue that has been raised and expects to release this update on its website within the next 2 weeks.
Toshiba plans to start the release of a permanent fix for some models from January, 2018 and will complete the releases of permanent fix for all applicable models by the end of March 2018.
New in this release:
* Initial support for NVME drives
* Support for vga emulation over a serial port in SeaBIOS (sercon)
* Support for serial debugging using MMIO based serial ports
* Support for scsi devices with multiple LUNs
* Support for boot-to-boot persistent coreboot cbmem logs
* Improved coreboot vga (cbvga) mode setting compatibility
* Several bug fixes and code cleanups
For full announcement, see Kevin O’Connor’s posting to the SeaBIOS list.
Gabriel Majeri has created “biors”, a BIOS implementation written in Rust! It is only a few days old, does not appear to be ready for use yet.
biors – The Basic Input / Output Rust System
This repository contains an x86 platform firmware implementation – more commonly known as a BIOS. It is written in Rust, and is designed for modern x86_64 processors. Similarly to CoreBoot, it is designed to deliver a “payload” – this could be a PC-AT compatible BIOS, or a UEFI implementation. BIOS is pronounced “BY-oss”, this project is pronounced “BY-orss”.[…]
PS: Gabriel has also written C++ bindings for UEFI! 😉
“This Windows PowerShell script can be used in an SCCM task sequence to see if WinPE was booted in UEFI or BIOS mode.”
Cool, Insyde Software is releasing some of their tools. It appears they’re older tools, see the readme about restrictions and newer versions of the tools.
BIOS tools for Insyde Insiders! (release approved by the management of Insyde Software Japan)
We believe that the commercial value of our outdated BIOS developer tools is quite low. As a gesture of good will towards the BIOS modding community and IT community in general, we have decided to release some of our outdated BIOS developer tools – which are a part of this GitHub repository.[…]
* H20EZE: Easy BIOS Editor that helps edit binaries in the BIOS, including Option ROMs, driver binaries, logos, and Setup values.
* H20FFT: Firmware Flash Tool assists in quickly and easily updates flash devices with new BIOS firmware.
* H20SDE: SMBIOS Data Editor that facilitates easy modification of any SMBIOS (DMI) field by GUI and Command Line, with support for a wide variety of OS environments.
* H20UVE: UEFI Variable Editor
Black Hat Vegas: Where the Guardians of the BIOS Are Failing
By Alex Matrosov
In our upcoming Black Hat Vegas talk, we will summarize our research about the UEFI firmware protections and our newly-discovered security problems. This talk raises awareness of these security challenges for hardware vendors, BIOS-level security researchers and defenders, and sophisticated stakeholders who want to know the current state of UEFI exposure and threats. The situation is serious but, with the right tools and knowledge, we can prevail.[…]
I just noticed there’s a new Amazon Kindle eBook on UEFI/BIOS, apparently first published in September 2016:
What You Need to Know About Using UEFI Instead of the BIOS and what is Different ?!
by Mohandes kahraba
Length: 30 pages
New registration-required freeware from Adaptiva:
Adaptiva’s free Secure 10 is a complete automation solution for ConfigMgr admins to make the BIOS to UEFI conversion process simple and unattended. With Secure 10, migrations take much less time and no IT staff need to be on-site during the process. Now including support for new MBR2GPT.exe tool for retaining data while making the switch, as well as ConfigMgr 1610+ WinPE boot image pre-staging. Also new: two complete task sequences to save time integrating into your deployments! […] The open solution includes detailed documentation to help SCCM system administrators overcome the complexities of automating the conversion from:
* BIOS to UEFI – Secure 10 automates the conversion process from the legacy BIOS firmware typically used in Windows 7/8 systems to the more powerful Unified Extensible Firmware Interface (UEFI) technology. UEFI is required to enable key enterprise security features available in Windows 10.
* MBR to GPT – Secure 10 now includes support for the MBR2GPT.exe tool, which helps convert the disk layout on a PC from the legacy Master Boot Record (MBR) to GUID Partition Table (GPT). The new tool is the only Microsoft-supported tool to convert a production disk from MBR to GPT without data loss, greatly speeding in-place upgrades to Windows 10.
* WinPE Pre-staging – Microsoft recently introduced the capability to pre-stage a WinPE boot image to a partition from within an SCCM Task Sequence and have that image persist during the conversion from MBR to GPT. Secure 10 supports this capability for refresh/replace scenarios.
Toshiba has added firmware-level security to their Mobile Zero Client:
[…]How Toshiba Mobile Zero Client works
* Power on: User powers on the device, which connects to pre-configured LAN or Wi-Fi
* Boot permission: Device requests boot permission from Toshiba Boot Control Service*
* Big Core download: When boot permission is granted, your unique, secure, Big Core package is encrypted, downloaded and unpacked in the RAM
* Ready to go: Your Big Core, with Linux and the VDI client, is executed – establishing its connection to your VDI server
[…]Beyond supporting the storage of data securely away from the device, TMZC can provide added protection through Toshiba’s uniquely developed BIOS, which is designed and built in–house to help remove the risk of third-party interference.[…] We’re one of the only manufacturers that creates our own BIOS and UEFI’s.[…]
SpdDump is a new UEFI tool from Xinjin Tang:
L”Get SPD Dump Info Utility V0.%d(now only support DDR3/DDR4 module).(c)2017 Copyright Samsung BIOS Tang\n\r”
L”(c)2017 Copyright Samsung BIOS Tang\n\r\n\r”
TGBL: Text & Graphics BIOS library
A set of functions & macros helping you write less and write fast.
Good news: the Intel Advanced Threat Research (ATR) team has release some of their UEFI security training materials!
This repository contains materials for a hands-on training ‘Security of BIOS/UEFI System Firmware from Attacker and Defender Perspectives’. A variety of attacks targeting system firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, OS loaders and secure booting. This training will detail and organize objectives, attack vectors, vulnerabilities and exploits against various types of system firmware such as legacy BIOS, SMI handlers and UEFI based firmware, mitigations as well as tools and methods available to analyze security of such firmware components. It will also detail protections available in hardware and in firmware such as Secure Boot implemented by modern operating systems against bootkits. The training includes theoretical material describing a structured approach to system firmware security analysis and mitigations as well as many hands-on exercises to test system firmware for vulnerabilities. After the training you should have basic understanding of platform hardware components and various types of system firmware, security objectives and attacks against system firmware, mitigations available in hardware and firmware. You should be able to apply this knowledge in practice to identify vulnerabilities in BIOS and perform forensic analysis of the firmware.
0 Introduction to Firmware Security
1 BIOS and UEFI Firmware Fundamentals
2 Bootkits and UEFI Secure Boot
3 Hands-On Platform Hardware and Firmware
4 System Firmware Attack Vectors
5 Hands-On EFI Environment
7 System Firmware Forensics
N Miscellaneous Materials
An article from the ATM industry on BIOS:
ATM malware attacks: Head them off at the BIOS
May 19, 2017 | by Suzanne Cluckey
[…][Our concern] as a control company is making sure that the network vulnerabilities are sealed up … we continue to see attacks on the BIOS. Finding a toolset that allows you to change the password, change the settings and secure the BIOS of those machines is important to a lot of those customers.[…]
bootutils: Utilities to create bootable disks, remaster ISO images, make multiboot disk images
Goals – who needs this?
Use case 1: Multiboot disk image
Use case 2: Remastering ISO
Use case 3: Create boot disk on separate disk
Use case 4: Fix grub-install errors
Linux-only. No effort spent on supporting other OS
Intel® Branded NUC’s Vulnerable to SMM exploit
Intel ID: INTEL-SA-00068
Product family: Intel® NUC Kits
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: May 02, 2017
Last revised: May 02, 2017
Intel is releasing updated BIOS firmware for a privilege escalation issue. This issue affects Intel® NUC Kits listed in the Model Number section below. The issue identified is a method that enables malicious code to gain access to System Management Mode (SMM). A malicious attacker with local administrative access can leverage vulnerable BIOS to execute arbitrary code outside of SMRAM while system is running in System management mode (SMM), potentially compromising the platform. Intel products that are listed below should apply the update. Intel highly recommends updating the BIOS of all Intel® NUC’s to the recommended BIOS or later listed in the table of affected products. Intel would like to thank Security Researcher Dmytro Oleksiuk for discovering and reporting this issue.
If you have a Windows box and are trying to convert MBR/BIOS installs to GPT/UEFI installs on ‘class 2’ systems, you might want to read this: