Uncategorized

DumpPartInfo

Hao Wu of Intel posted a patch to EDK2 which provides support for UEFI’s “EFI Partition Infomation Protocol”, and includes a DumpPartInfo tool:

Add the EFI Partition Information Protocol per the latest UEFI spec.

Test for the series:
A simple application called ‘DumpPartInfo’ is used to dump the contents of the Partition Information protocols when the following devices are attached:
a. MBR Hard disk
b. GPT Hard disk
c. CDROM

The source of the application and the series is available at:
https://github.com/hwu25/edk2 branch:partition_info_test

8 files changed, 216 insertions(+), 88 deletions(-)

Uncategorized

Dmytro on PCI-E/SMM vulnerability

Dmytro has an interesting 6-part twitter post on PCI-e security:

Rogue PCI-E/FireWire/Thunderbolt/etc. device can exploit platform firmware vulns to execute arbitrary System Management Mode code [1/x] pic.twitter.com/CueD3ke0yb

— Dmytro Oleksiuk (@d_olex) June 22, 2017

Normally SMM memory is protected against rogue DMA using TSEGMB register, discovered vulnerability allows to break this mechanism [2/x]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

For most of computers with Intel chips SMM code execution means that attacker can infect platform firmware with persistent rootkit [3/x]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

Vulnerability exists because of design flaws in Intel reference code, it presents in EFI 2.x firmware of almost all new computers [4/x]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

Apple is only one vendor so far who not vulnerable for sure (they're know how to cook PCI-E and IOMMU properly :)) [5/x]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

FPGA powered toolkit which implements the attack was tested on Intel NUC 6i3SYH. Test setup pic: https://t.co/59eEwsy2qa [6/6]

— Dmytro Oleksiuk (@d_olex) June 22, 2017

I discovered this vuln a while ago but had no FPGA knowledge to craft the hardware which can exploit it. Now I can report it to Intel 🙂

— Dmytro Oleksiuk (@d_olex) June 22, 2017

Uncategorized

Black Hat Briefings: Firmware is the New Black

Map BIOS/UEFI firmware vulnerabilities for enhanced threat intelligence @bsdaemon & @vincentzimmer #BHUSA Briefing https://t.co/adwSFbsiym

— Black Hat (@BlackHatEvents) June 13, 2017

Firmware is the New Black – Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities
Bruce Monroe, Rodrigo Branco, Vincent Zimmer

In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems – including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues – most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).

https://www.blackhat.com/us-17/briefings/schedule/index.html#firmware-is-the-new-black—analyzing-past-three-years-of-biosuefi-security-vulnerabilities-6924

Uncategorized

Hardware is the new software

https://twitter.com/binitamshah/status/875375226690863105

Hardware is the new software
Andrew Baumann, Microsoft Research

Moore’s Law may be slowing, but, perhaps as a result, other measures of processor complexity are only accelerating. In recent years, Intel’s architects have turned to an alphabet soup of instruction set extensions such as MPX, SGX, MPK, and CET as a way to sell CPUs through new security features. Unlike prior extensions, which mostly focused on accelerating user-mode data processing, these new features exhibit complex interactions and give system designers plenty to think about. This calls for a rethink of how we approach the instruction set. In this paper we highlight some of the challenges arising from recent security-focused extensions, and speculate about the longer-term implications.

https://www.microsoft.com/en-us/research/wp-content/uploads/2017/05/baumann-hotos17.pdf

Uncategorized

Intel AMT Clickjacking Vulnerability (INTEL-SA-00081)

Today Intel announced a NEW AMT security advisory:

Intel® AMT Clickjacking Vulnerability
Intel ID: INTEL-SA-00081
Product family: Intel® Active Management Technology
Impact of vulnerability: Information Disclosure
Severity rating: Moderate
Original release: Jun 05, 2017

Insufficient clickjacking protection in the Web User Interface of Intel® AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205 potentially allowing a remote attacker to hijack users’s web clicks via attacker’s crafted web page. Affected products: Intel AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205. Intel highly recommends that users update to the latest version of firmware available from their equipment manufacturer. Intel would like to thank Lenovo for reporting this issue and working with us on coordinated disclosure.[…]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00081&languageid=en-fr

Uncategorized

More on malware use of Intel AMT

After the recent Microsoft mention of AMT being used by malware, there is a bit more on the press on AMT:

Just another covert channel (cooperation on both ends required), only with the help of AMT.. But also: unexpected attack surface on the OS! https://t.co/Jz74C6SZFS

— Joanna Rutkowska (@rootkovska) June 9, 2017

Remember that time we showed using AMT SOL for C2 from SMM…? https://t.co/cP8tYtT5hE section 6.2 https://t.co/Fdtrwq59fP

— Xeno Kovah (@XenoKovah) June 9, 2017

https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/

Uncategorized

Intel: IoT Security in the Developer’s Mind

Ricardo Echevarria of Intel has a new blog post about IoT security:

Internet-enabled smart devices open up a new universe of possibilities for how consumers interact with the world. But those same smart lightbulbs or TVs may pose a serious threat if their designers fail to strengthen the devices’ security protocols. Last year’s Mirai distributed denial-of-service (DDOS) botnet attack was a wake-up call for the computing world. By targeting vulnerable Internet-connected cameras and other Internet of Things (IoT) devices, the massive botnet was able to redirect enough Internet traffic to a DNS provider to crash multiple high-profile websites. It is no surprise then that IoT developers worry more about security than anything else – including interoperability, connectivity, and hardware integration. The Eclipse IoT Working Group’s 2017 IoT Developer Survey shows that security has remained the number one concern among developers for the third straight year.[…]

https://software.intel.com/en-us/blogs/2017/06/07/iot-security-in-the-developers-mind

Firmware Security

Hastily-written news/info on the firmware security/development communities, sorry for the typos.

Tag Archives: Intel

DumpPartInfo

Dmytro on PCI-E/SMM vulnerability

Black Hat Briefings: Firmware is the New Black

Hardware is the new software

Intel AMT Clickjacking Vulnerability (INTEL-SA-00081)

More on malware use of Intel AMT

Intel: IoT Security in the Developer’s Mind