Uncategorized

Dell iDRAC CVE-2016-5685, bash vulnerability (old news)

http://www.securiteam.com/securitynews/5XP3B0UKUU.html

SecuriTeam confused me by reposting a 2016 Dell iDDRAC vulnerability today, but I don’t see anything new. Just in case you weren’t aware of this issue, and you have a Dell system, here’s info on this older vulnerability, see the last link for a PDF-based response from the Dell iDRAC team.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5685
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5685
http://www.securityfocus.com/bid/94585
http://en.community.dell.com/techcenter/extras/m/white_papers/20443326

Dell iDRAC team’s response to Common Vulnerabilities and Exposures (CVE) ID CVE-2016-5685 [16 November 2016]
Summary: an authenticated user could gain Bash shell access through a string injection.
Dell Response: update to the latest iDRAC firmware, which remediates this potential vulnerability.

 

Standard
Uncategorized

MonitorDarkly: Dell monitor on-screen-display exploit

“This repo contains the exploit for the Dell 2410U monitor. It contains utilities for communicating with and executing code on the device. The research presented here was done in order to highlight the lack of security in “modern” on-screen-display controllers. Please check out our Recon 0xA presentation (included) for a detailed description of our research findings and process.[…]”

https://github.com/redballoonshenanigans/monitordarkly

Standard
Uncategorized

List of UEFI vendors who care about security

Which UEFI vendors care — or at least may care — about security? The list (alphabetically) is shorter than you might expect:

AMD
AMI
Apple
Dell
Hewlett Packard Enterprises
HP Inc.
Insyde Software
Intel Corp.
Lenovo
Microsoft
Phoenix Technologies

Nobody else. If your vendor is not listed above, ask them why you should purchase a UEFI-based system from them.

The above list is from the list of vendors who have feedback mechanisms listed on the UEFI Forum’s security contact page.

http://uefi.org/security

Standard
Uncategorized

William Leara reviews UEFI Tool

William Leara, a firmware engineer at Dell, has a new blog post on Nikolaj Schlej’s UEFI Tool. He shows how to use it, starting with using Intel’s Flash Programing Tool (FPT) to acquire a BIOS image. Lots of screenshots of the various menu UI components of this GUI tool.

“It is extremely useful for interrogating and manipulating the components of a UEFI BIOS image.  Download it and give it a test drive today!”

Full post:
http://www.basicinputoutput.com/2016/02/uefitool.html

Standard
Uncategorized

Dell info on Linux firmware updates

Regarding the new firmware update service available for Linux OEMs:

https://firmwaresecurity.com/tag/fwupd/

There is a new article from Dell on this topic:

(Published on behalf of Mario Limonciello, OS Architect of Dell Client Solutions Group’s Linux Engineering team.)

I’m happy to announce that starting with the Dell Edge Gateway 5000 we will be introducing support to natively flash UEFI firmware under Linux.  To achieve this we’re supporting the standards based UEFI capsule functionality from UEFI version 2.5.  Furthermore, the entire tool chain used to do this is open source. Red Hat has developed the tools that enable this functionality: fwupd, fwupdate, & ESRT support in the Linux kernel.  For the past year we have been working closely with Red Hat, Intel, & Canonical to jointly fix hundreds of issues related to the architecture, tools, process, and metadata on real hardware.  Dell will be publishing BIOS updates to the Red Hat created Linux Vendor Firmware Service (LVFS).  Red Hat provides LVFS as a central OS agnostic repository for OEMs to distribute firmware to all Linux customers. […]

http://en.community.dell.com/techcenter/b/techcenter/archive/2016/02/02/dell-firmware-updating-under-linux

Dell — along with Red Hat, apparently — are setting a great example, I hope other OEMs do as well with Linux. 🙂 It makes me think Dell is working to deal with this recent comment of William (of Dell):

Standard
Uncategorized

VMware

Business changes at EMC, impacting VMWare, multiple news sites with stories on it.

 

VMware Takes Restructuring Charge, Changes CFOs

http://www.wsj.com/articles/vmware-names-new-cfo-will-cut-800-jobs-1453847929

http://www.theregister.co.uk/2016/01/27/vmware_fusion_and_workstation_development_team_fired/

http://www.computerworld.com/article/3026842/virtualization/vmware-cuts-800-jobs-as-it-transitions-from-older-blockbuster-compute-products.html

 

Standard