
[UPDATED] Dell, Fujitsu, HP, Lenovo, Gigabyte, possibly other Intel/UEFI motherboards vulnerable to malicious BIOS exploits

PCgamer324

Source 1: http://www.theregister.co.uk/2016/07/06/nasty_bios_bug_slugs_gigabyte_hackers_say/

Source 2: http://www.theregister.co.uk/2016/07/04/lenovo_scrambling_to_get_a_fix_for_bios_vuln/

 

Inherent vulnerabilities in UEFI are finally catching up with consumer motherboard manufacturers; notably Lenovo, HP and even Gigabyte...

Quote

Gigabyte has been swept into turmoil surrounding low-level security vulnerabilities that allow attackers to kill flash protection, secure boot, and tamper with firmware on PCs by Lenovo and other vendors.

Affected units have expanded to "enthusiast-grade" motherboards such as members of the "Ultra Durable" series 

Quote

Unconfirmed reports suggest the hardware vendor has used the "ThinkPwn" vulnerable code, thought to be born of Intel reference code, on four of its motherboards: Z68-UD3H, Z77X-UD5H, Z87MX-D3H, and Z97-D3H. (SEE BELOW FOR UPDATES)

It is suggested that if you use a Lenovo or HP system or one of the affected Gigabyte motherboards that you follow this story closely and patch as soon as a fix is made available.  Such low-level exploits could damage components, create hardware-level backdoors and even spread to USB and PCIe devices. Given ties to Intel Reference Code, I wouldn't say anyone using UEFI or particularly Gigabyte/Intel is out of the woods yet.  It's relatively impossible for a security researcher to test all of a company's product line alone.

 

 

We'll have to wait for this to pan out...

 

[UPDATE]

 

Further tweets from the researchers behind this exploit suggest all SandyBridge - Broadwell systems are affected:

Dell and Fujitsu also affected:

 

 

 

Ultimate XP gaming system build log coming soon!  Q8200 // 8GB DDR2 // Asus P5E Deluxe X48 // Asus 4870 DARK KNIGHT X-Fire // Supreme FX sound // BFG Ageia PhysX PCI Co-Processor // AX 860x with Silverstone extensions 


5 minutes ago, Dan Castellaneta said:

Oh boy.

Good thing I have a shit AM3+ Gigabyte motherboard.

I edited the post, but from what I'm seeing the exploit seems to be a derivative of Intel Reference Code.  This could insinuate that AMD is not affected, but we do not know at this time


1 minute ago, PCgamer324 said:

I edited the post, but from what I'm seeing the exploit seems to be a derivative of Intel Reference Code.  This could insinuate that AMD is not affected, but we do not know at this time

From the way I read it, it sounded like something along the lines of Intel only.

We'll see how this pans out.

Check out my guide on how to scan cover art here!

Local asshole and 6th generation console enthusiast.


This just in: AMD is so much better than Intel. Time to go buy FX processors y'all!

 

In all seriousness: I know it says Intel reference code but doesn't Intel contribute to the UEFI standard (it could be something Intel submitted to the UEFI standard and then used by AMD)? Are we sure that AMD couldn't be affected? Is it proprietary code/Intel board only code?

 

 


1 minute ago, Trixanity said:

This just in: AMD is so much better than Intel. Time to go buy FX processors y'all!

 

In all seriousness: I know it says Intel reference code but doesn't Intel contribute to the UEFI standard? Are we sure that AMD couldn't be affected? Is it proprietary code/Intel board only code?

 

 

it's unclear at this time


3 minutes ago, Bouzoo said:

Looks at his MB, Gigabyte H97. Dodged it. 

Given ties to Intel Reference Code, I wouldn't say anyone using UEFI or particularly Gigabyte/Intel is out of the woods yet.  It's relatively impossible for a security researcher to test all of a company's product line alone.

 


2 minutes ago, PCgamer324 said:

Given ties to Intel Reference Code, I wouldn't say anyone using UEFI or particularly Gigabyte/Intel is out of the woods yet.  It's relatively impossible for a security researcher to test all of a company's product line alone.

 

Seeing how all MBs are Z series, it may have something to do with OCing chipset. May.

The ability to google properly is a skill of its own. 


 


 

5 minutes ago, Bouzoo said:

Seeing how all MBs are Z series, it may have something to do with OCing chipset. May.

 

Given that this affects Lenovo and HP units that use consumer-oriented chipsets, I don't think that non-Z boards are any different in that regard


2 minutes ago, PCgamer324 said:

 

 

Given that this affects Lenovo and HP units that use consumer-oriented chipsets, I don't think that non-Z boards are any different in that regard

That is a rather good point.


You do realize you have to have a virus in the first place that can mess around at the BIOS level for this to ever affect you, right?

 

It's a basic part of any OS course to learn how bios works in bootloading, normal runtime, and shutdown sequence. If you try to access UEFI code while in normal runtime, you'll instantly generate kernel panic. You have to have a very serious virus in your system before this will ever affect you, or direct hardware access with someone replacing your BIOS chips.

Software Engineer for Suncorp (Australia), Computer Tech Enthusiast, Miami University Graduate, Nerd


7 minutes ago, patrickjp93 said:

You do realize you have to have a virus in the first place that can mess around at the BIOS level for this to ever affect you, right?

 

It's a basic part of any OS course to learn how bios works in bootloading, normal runtime, and shutdown sequences. If you try to access UEFI code while in normal runtime, you'll instantly generate kernel panic. You have to have a very serious virus in your system before this will ever affect you, or direct hardware access with someone replacing your BIOS chips.

Given the damage possible with a bios vulnerability, it's not that far-fetched to be concerned.

When you look at some ms did viruses that affected bios, some of them basically rendered the computer to be unusable if you didn't flash a new bios, which isn't that fun to have to do


4 minutes ago, patrickjp93 said:

You do realize you have to have a virus in the first place that can mess around at the BIOS level for this to ever affect you, right?

 

It's a basic part of any OS course to learn how bios works in bootloading, normal runtime, and shutdown sequences. If you try to access UEFI code while in normal runtime, you'll instantly generate kernel panic. You have to have a very serious virus in your system before this will ever affect you, or direct hardware access with someone replacing your BIOS chips.

true, but if my sources are correct we could see a physical attack vector as well, such as a malicious USB drive gaining access to the UEFI RX bus.  I am not particularly familiar with the intricacies of BIOS connectivity and operation; any further details you could share on the subject would certainly contribute to the topic at hand, particularly on how and when devices can write to such chips


Are ASUS boards affected?

If so, PARANOIA ENGAGE!

Project White Lightning (My ITX Gaming PC): Core i5-4690K | CRYORIG H5 Ultimate | ASUS Maximus VII Impact | HyperX Savage 2x8GB DDR3 | Samsung 850 EVO 250GB | WD Black 1TB | Sapphire RX 480 8GB NITRO+ OC | Phanteks Enthoo EVOLV ITX | Corsair AX760 | LG 29UM67 | CM Storm Quickfire Ultimate | Logitech G502 Proteus Spectrum | HyperX Cloud II | Logitech Z333

Benchmark Results: 3DMark Firestrike: 10,528 | SteamVR VR Ready (avg. quality 7.1) | VRMark 7,004 (VR Ready)

 

Other systems I've built:

Core i3-6100 | CM Hyper 212 EVO | MSI H110M ECO | Corsair Vengeance LPX 1x8GB DDR4  | ADATA SP550 120GB | Seagate 500GB | EVGA ACX 2.0 GTX 1050 Ti | Fractal Design Core 1500 | Corsair CX450M

Core i5-4590 | Intel Stock Cooler | Gigabyte GA-H97N-WIFI | HyperX Savage 2x4GB DDR3 | Seagate 500GB | Intel Integrated HD Graphics | Fractal Design Arc Mini R2 | be quiet! Pure Power L8 350W

 

I am not a professional. I am not an expert. I am just a smartass. Don't try and blame me if you break something when acting upon my advice.

7 minutes ago, laminutederire said:

Given the damage possible with a bios vulnerability, it's not that far-fetched to be concerned.

When you look at some ms did viruses that affected bios, some of them basically rendered the computer to be unusable if you didn't flash a new bios, which isn't that fun to have to do

Yes, but that was because XP was a security nightmare and elevating privilege in Windows 7 was easy. You still have to get the OS into shutdown mode to execute code that can affect the BIOS, or you have to inject code into the boot loader section of the OS. In Windows 8 and 10 that is no simple task.


Quote

Unconfirmed reports suggest the hardware vendor has used the "ThinkPwn"

You know what cracks me up? The thought of a contingency company meeting where a bunch of middle-aged executives are talking about it and have to struggle with calling their issue ThinkPwn


9 minutes ago, PCgamer324 said:

true, but if my sources are correct we could see a physical attack vector as well, such as a malicious USB drive gaining access to the UEFI RX bus.  I am not particularly familiar with the intricacies of BIOS connectivity and operation; any further details you could share on the subject would certainly contribute to the topic at hand, particularly on how and when devices can write to such chips

If you touch the UEFI while the OS is running normally, you generate a CPU interrupt which causes kernel panic in that mode which freezes EVERYTHING in the system. Worst case scenario is an unworkable BIOS, but there's not enough time to write a full malicious code stream.


24 minutes ago, patrickjp93 said:

If you touch the UEFI while the OS is running normally, you generate a CPU interrupt which causes kernel panic in that mode which freezes EVERYTHING in the system. Worst case scenario is an unworkable BIOS, but there's not enough time to write a full malicious code stream.

Thanks for the info. What about those "tools" vendors give to change UEFI splashscreen or even update BIOS inside the OS? I used the splashscreen one to tinker around. But AFAIK that basically modifies the BIOS while you're running an OS. Isn't that a point of risk?


30 minutes ago, Doughnutnator said:

Thanks for the info. What about those "tools" vendors give to change UEFI splashscreen or even update BIOS inside the OS? I used the splashscreen one to tinker around. But AFAIK that basically modifies the BIOS while you're running an OS. Isn't that a point of risk?

They are specifically signed apps Microsoft allows to modify the shutdown sequence to modify the skin before completely shutting down.


25 minutes ago, patrickjp93 said:

They are specifically signed apps Microsoft allows to modify the shutdown sequence to modify the skin before completely shutting down.

Not sure you can even change full screen boot logo on uefi at all? I've personally owned a Gigabyte Z97X, an Asus Z170 and an MSI Z170 and none of them have had that option. 

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


6 minutes ago, Master Disaster said:

Not sure you can even change full screen boot logo on uefi at all? I've personally owned a Gigabyte Z97X, an Asus Z170 and an MSI Z170 and none of them have had that option. 

There are a couple select apps that can change it, but I'm not into that. Still, the restrictions I mentioned remain. By the time this is an issue, you already have a virus with permissions to modify the OS-reserved memory and drive sectors. It's already over by that point.


1 hour ago, patrickjp93 said:

They are specifically signed apps Microsoft allows to modify the shutdown sequence to modify the skin before completely shutting down.

And what about the ones used to flash the actual BIOS from inside the OS? I don't think those are modifying the shutdown process because that would be quick, but those things are actually "very slow"...
