2 new Tianocore/EDK2 security advisories

The Tianocore Security Advisories page lists 2 new UEFI vulnerabilities:

https://edk2-docs.gitbooks.io/security-advisory/content/

30. EDK II Authenticated Variable Bypass
Logic error in MdeModulePkg in EDK II firmware may allow authenticated user to potentially bypass configuration access controls and escalate privileges via local access.
https://edk2-docs.gitbooks.io/security-advisory/content/edk-ii-authenticated-variable-bypass.html

31. EDK II TianoCompress Bounds Checking Issues
Multiple privilege escalation vulnerabilities in TianoCompress and UEFICompress decompression algorithm may allow authenticated user to potentially manipulate stack and heap buffers via local access.
https://edk2-docs.gitbooks.io/security-advisory/content/edk-ii-tianocompress-bounds-checking-issues.html

Microsoft Project Mu: adaptation of TianoCore’s EDK2

https://github.com/Microsoft/mu_plus

https://github.com/Microsoft/mu_basecore

6 repos: https://github.com/topics/projectmu

https://microsoft.github.io/mu/faq/

https://microsoft.github.io/mu/

Project Mu is a modular adaptation of TianoCore’s edk2 tuned for building modern devices using a scalable, maintainable, and reusable pattern. Mu is built around the idea that shipping and maintaining a UEFI product is an ongoing collaboration between numerous partners. For too long the industry has built products using a “forking” model combined with copy/paste/rename and with each new product the maintenance burden grows to such a level that updates are near impossible due to cost and risk.

Project Mu also tries to address the complex business relationships and legal challenges facing partners today. To build most products it often requires both closed-source, proprietary assets as well as open source and industry standard code. The distributed build system and multi-repository design allow product teams to keep code separate and connected to their original source while respecting legal and business boundaries.

Project Mu originated from building modern Windows PCs but its patterns and design allow it to be scaled down or up for whatever the final product’s intent. IoT, Server, PC, or any other form factor should be able to leverage the content.

UEFI workshops at BSidesPDX!

Exciting: there are two workshops at BSidesPDX in Portland, Oregon next month:

Detecting Evil Maid Firmware Attacks
https://bsidespdx.org/events/2018/workshops.html#Evil%20Maid

UEFI and CHIPSEC development for Security Researchers
https://bsidespdx.org/events/2018/workshops.html#Chipsec

PS: If you’re in town, there’s also the Portland Retro Gaming Expo, starting a few days earlier:
https://www.oregoncc.org/events/2018/10/portland-retro-gaming-expo-2018
http://www.retrogamingexpo.com/

GNU/HardenedLinux translates ‘Platform Firmware Security Defense…’ ebook to Chinese

Re: https://firmwaresecurity.com/2018/07/28/new-ebook-platform-firmware-security-defense-for-enterprise-system-administrators-and-blue-teams/

The book “Platform Firmware Security Defense for Enterprise System Administrators and Blue Teams”, written by Paul English of PreOS Security to introduce the concept of firmware security to the system administrator audience:

https://preossec.com/Newsletter-Q3-2018/
https://preossec.com/products/ebook-download

has been translated to Chinese, by the GNU Hardened Linux project!

https://github.com/hardenedlinux/hardenedlinux_translations/tree/master/platform_firmware_security_defense

More info:

https://hardenedlinux.github.io/

APT28 malware LoJax uses UEFI rootkit

https://thehackernews.com/2018/09/uefi-rootkit-malware.html?m=1

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/

CVE-2018-12169: Tianocore UEFI: Unauthenticated Firmware Chain-of-Trust Bypass

“The issue was reported by Trammell Hudson”

https://edk2-docs.gitbooks.io/security-advisory/content/unauthenticated-firmware-chain-of-trust-bypass.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12169

https://nvd.nist.gov/vuln/detail/CVE-2018-12169

https://exchange.xforce.ibmcloud.com/vulnerabilities/150223

UEFI-Stub-Loader: Load the Linux EFI Stub (or any EFI application) with command line boot options on systems that don’t support UEFI firmware command lines

Features:
* UEFI 2.x support for PCs, and it also works on Macs with 64-bit EFI (e.g. MacBook Pro Late 2013)
* Loads and executes kernels compiled as native 64-bit UEFI applications (like the Linux kernel)
* Passes user-written commands (from a plain UTF16 text file) to loaded EFI applications
* Allows arbitrary placement of itself in addition to kernel images on the EFI system partition
* Fits on a floppy diskette, and some systems can actually boot it from a floppy
* Minimal UEFI development environment tuned for Windows, Mac, and Linux included in repository

https://github.com/KNNSpeed/UEFI-Stub-Loader

UefiPayloadPkg: UEFI Payload Project: supports Coreboot and Slim Bootloader

A freshly created GitHub project:

https://github.com/BenjaminYou/UEFIPayload

UEFI Payload (UefiPayloadPkg) aims to be an upgrade to CorebootModulePkg and CorebootPayloadPkg. Features:
– Supporting Slim Bootloader in addition to Coreboot
– Source level configuration using .ini format
– User Extension using simple “C” codes
– Platform support library for adding platform specific codes

Lenovo ThinkPad X1 6en: Enabling S3 Sleep for Linux after Firmware Update

https://brauner.github.io/2018/09/08/thinkpad-6en-s3.html