Uncategorized

Eclypsium: Remotely Attacking System Firmware

At BlackHat, Eclypsium gave a great talk with an overview of platform firmware security threats, focusing on network-based attacks, including poorly-tested OEM firmware update implementations.

https://threatpost.com/update-mechanism-flaws-allow-remote-attacks-on-uefi-firmware/134785/

https://www.blackhat.com/us-18/briefings/schedule/index.html#remotely-attacking-system-firmware-11588

 

Standard
Uncategorized

Eclypsium: new Supermicro firmware research

Firmware Vulnerabilities in Supermicro Systems

https://www.bleepingcomputer.com/news/security/firmware-vulnerabilities-disclosed-in-supermicro-server-products/

[…]We have confirmed missing firmware storage access controls and insecure firmware updates on specific Supermicro systems. Many other systems are likely to have similar vulnerabilities, leaving them exposed to attacks targeting firmware and hardware. Since most organizations do not monitor at this deep level, these attacks may go unnoticed for an extended period. By providing this summary of the vulnerabilities, impacts, and mitigation strategies, we hope to assist organizations in understanding and defending against threats at this level.

I did not see any CVE yet, I hope SuperMicro has seen this.

Standard
Uncategorized

Eclypsium on BloombergTV

Re: https://firmwaresecurity.com/2018/05/17/eclypsium-in-bloomberg/

Eclypsium was on BloombergTV today! Hmm, I can’t find the URL of the video, if you can, please add it as a Comment to this blog.

Standard
Uncategorized

BlackHat cancels Intel/Eclypsium CHIPEC training

I notice that the Intel/Eclypsium training at Black Hat USA 2018 is no longer listed. Sounds like not enough people signed up?!

AFAIK, the next opportunity to get Eclypsium CHIPSEC training is at REcon (and REcon appears to have cheaper training rates than Blackhat):

https://recon.cx/2018/montreal/training/trainingfirmware.html

There’s also the training materials from older training from Intel ATR/CHIPSEC team, available here:

https://firmwaresecurity.com/2017/05/25/intel-atr-releases-uefi-firmware-training-materials/

 

Standard
Uncategorized

Eclypsium in Bloomberg

System Management Mode Speculative Execution Attacks

 

Standard