
Gigabyte BRIX needs UEFI update to avoid Brixing

WMGroomAK

Cylance Researchers disclosed 2 firmware vulnerabilities in the Gigabyte BRIX at the BlackHat Asia 2017 conference that would allow attackers to write malicious content into the UEFI.  To date, the researchers have been working with Gigabyte and a new firmware update is expected to be released soon to fix this.  

 

From the article:

https://www.bleepingcomputer.com/news/security/gigabyte-firmware-flaws-allow-the-installation-of-uefi-ransomware/

Quote

Cylance researchers said they've identified these flaws at the start of the year, and have worked with Gigabyte, American Megatrends Inc. (AMI), and CERT/CC to fix the flaws in time.

 

Affected Gigabyte devices include GB-BSi7H-6500 (firmware version vF6), and GB-BXi7-5775 (firmware version vF2).

 

Gigabyte is expected to release firmware vF7 for GB-BSi7H-6500 devices in the upcoming days. The GB-BXi7-5775 line is not being produced anymore and has reached EOL (End Of Life), so Gigabyte won't be releasing a new firmware for this series.

Per the Bleeping Computers Article the details on these vulnerabilities are:

 

Quote

The two vulnerabilities discovered by Cylance researchers are CVE-2017-3197 and CVE-2017-3198. The first is a failure on Gigabyte's part to implement write protection for its UEFI firmware.

 

The second vulnerability is another lapse on Gigabyte's side, who forgot to implement a system that cryptographically signs UEFI firmware files. The second flaw also covers Gigabyte's insecure firmware update process, which doesn't check the validity of downloaded files using a checksum and uses HTTP instead of HTTPS. CERT/CC has issued an official Vulnerability Note (VU#507496) for both flaws.

 

An attacker can exploit both flaws to execute code in the System Management Mode (SMM) and plant malicious code in the firmware itself. Cylance experts detail a possible attack as follows:

 

The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system's firmware. Write-protection mechanisms exist to prevent attackers from modifying the firmware; however, the affected systems do not enable them.

 

Gigabyte BRIX are small computers, similar to Intel NUCs, that can be used to replace bulky desktop towers. They are powerful devices and are very popular with businesses, due to their price, small size, and portability.

 

To demonstrate these flaws, the researchers installed a proof-of-concept UEFI ransomer that prevented the BRIX from booting, essentially bricking it; however, these same kits could be used to plant rootkits to allow for persistent malware. I guess the best recommendation would be to keep an eye out for a new UEFI to keep your device up to date.

 

Originally saw this article at PCPer (https://www.pcper.com/news/General-Tech/UEFI-ransomware-may-brick-your-BRIX) and followed back to Bleeping Computers (https://www.bleepingcomputer.com/news/security/gigabyte-firmware-flaws-allow-the-installation-of-uefi-ransomware/).  
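An added illustration (not part of the original post or the quoted article) of what "write protection not enabled" means on an Intel platform: the sketch classifies a BIOS Control register value by its lock bits. The bit layout is from Intel's public chipset datasheets, the function names are hypothetical, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout of the Intel PCH BIOS Control register (BIOS_CNTL), from Intel's
 * public chipset datasheets; not taken from the article or the advisory. */
#define BIOSWE  (1u << 0) /* BIOS Write Enable: flash BIOS region is writable */
#define BLE     (1u << 1) /* BIOS Lock Enable: setting BIOSWE triggers an SMI */
#define SMM_BWP (1u << 5) /* SMM BIOS Write Protect: writes only while in SMM */

typedef enum {
    WP_WRITABLE,     /* BIOSWE set and the two lock bits are not both set  */
    WP_UNLOCKED,     /* BIOSWE clear, but ring 0 can set it without an SMI */
    WP_SMI_ONLY,     /* BLE only: relies on an SMI handler clearing BIOSWE */
    WP_SMM_ENFORCED  /* BLE and SMM_BWP: hardware limits writes to SMM     */
} wp_state;

/* Conservative audit rule (an assumption of this example): protection counts
 * as enforced only when both lock bits are set. */
wp_state classify_bios_cntl(uint8_t v)
{
    if ((v & BLE) && (v & SMM_BWP)) return WP_SMM_ENFORCED;
    if (v & BIOSWE)                 return WP_WRITABLE;
    if (!(v & BLE))                 return WP_UNLOCKED;
    return WP_SMI_ONLY;
}

const char *wp_describe(wp_state s)
{
    switch (s) {
    case WP_WRITABLE:     return "FAIL: write enable is set and not fully locked";
    case WP_UNLOCKED:     return "FAIL: write enable not locked, ring 0 can set it";
    case WP_SMI_ONLY:     return "WARN: lock depends on the SMI handler alone";
    case WP_SMM_ENFORCED: return "OK: writes restricted to SMM";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed register values, not readings from any BRIX unit. */
    const uint8_t samples[] = { 0x00, 0x01, 0x02, 0x22 };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("BIOS_CNTL=0x%02x -> %s\n", samples[i],
               wp_describe(classify_bios_cntl(samples[i])));
    return 0;
}
```

Even the "OK" result only moves the trust boundary into SMM, so it holds only while SMI handlers are sound, which is the step the quoted attack chain targets. Flash protected-range registers are a separate mechanism and are not checked here.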

 

 


Jesus those are horrible mistakes they made. not using https, not comparing checksums, it basically was just a windscreen used to keep bank robbers out. and then they even forgot to implement a system to check if the uefi is even signed by them in the first place? this is horrible, what a mess. this is why i want to have access to tools for reflashing bios chips and manufacturers giving proper guides on how to do it. if someone infects your bios then you're fucked. what DID they actually do to protect the uefi?


Please fix title:

 

"Gigabyte BRIX needs UEFI update to avoid Brixing"


I have an i5-5200U-based (Broadwell) BRIX, so I'm guessing Gigabyte doesn't support it anymore with updates. I hope that I'm not affected by this vulnerability because my BRIX is a 24/7-on machine.


6 minutes ago, Weird Face said:

I have an i5-5200U-based (Broadwell) BRIX, so I'm guessing Gigabyte doesn't support it anymore with updates. I hope that I'm not affected by this vulnerability because my BRIX is a 24/7-on machine.

It might be worth your time to contact Gigabyte and see if they will provide a BIOS update for you or if the one they are releasing will work on your device...  Unfortunately now that the information on this is in the wild, I would expect someone to actually try and exploit it on the affected devices that are not getting updates.


1 hour ago, Weird Face said:

I have an i5-5200U-based (Broadwell) BRIX, so I'm guessing Gigabyte doesn't support it anymore with updates. I hope that I'm not affected by this vulnerability because my BRIX is a 24/7-on machine.

you probably are vulnerable, they only confirmed it on two devices though. contact gigabyte reps to be sure and ask them for best course of action. I'm not sure they're going to give you any meaningful advice but at the end it's all you can do i guess.

 

1 hour ago, WMGroomAK said:

It might be worth your time to contact Gigabyte and see if they will provide a BIOS update for you or if the one they are releasing will work on your device...  Unfortunately now that the information on this is in the wild, I would expect someone to actually try and exploit it on the affected devices that are not getting updates.

they might but the days of script kiddies are mainly over and the product doesn't have a big enough market share for someone to make money off it with ransomware or something. the bigger problem would be targeted attacks by governments or something, depending on how important of an asset the user is to them. i wouldn't expect to see this exploited in the wild randomly targeting whoever it touches.


4 hours ago, djdwosk97 said:

"Gigabyte BRIX needs UEFI update to avoid Brixing"

*to avoid Brexit


If this system is used by businesses as the article suggests, I would expect Gigabyte to issue a fix for even their earlier models. Should they refuse to do so, I do wonder if a case could be made based on negligence on Gigabyte's part. 

 

The above security measures sound fairly basic and reasonably assumed to provide a minimum level of security for the UEFI, so if a data breach occurs in the future as a result of the above security flaws that it refuses to remedy, could Gigabyte be held liable? 


5 hours ago, Zodiark1593 said:

If this system is used by businesses as the article suggests, I would expect Gigabyte to issue a fix for even their earlier models. Should they refuse to do so, I do wonder if a case could be made based on negligence on Gigabyte's part. 

 

Without a doubt, at least here in Australia you could


12 minutes ago, Windspeed36 said:

Without a doubt, at least here in Australia you could

Australia is a given. I've reason to believe that in a hypothetical case involving a data breach due to the above flaws (fundamental flaws that should be considered reasonable to have fixed), a case for negligence could be made in the USA as well. 

 

Though, it may just as well be that Gigabyte considers the probability of litigation to be cheaper than to issue a fix. 


9 hours ago, Weird Face said:

I have an i5-5200U-based (Broadwell) BRIX, so I'm guessing Gigabyte doesn't support it anymore with updates. I hope that I'm not affected by this vulnerability because my BRIX is a 24/7-on machine.

I have this one too and it is still within its warranty. I wonder if such an issue can be considered for RMA reasons in EU.
