Researcher Reveals BIOS Firmware Implementation Flaws at Black Hat

A researcher from security firm Cylance reveals flaws in the way that some motherboard vendors implement Intel BIOS firmware protections.

Cylance UEFI

LAS VEGAS—Intel has done a lot of work in recent years developing technologies that improve the security of firmware that underpins modern computing systems. At the Black Hat USA security conference here, Alex Matrosov, principal research scientist at Cylance, will detail multiple issues he found in UEFI firmware protections used by major motherboard vendors, in a session titled "Betraying the BIOS: Where the Guardians of the BIOS Are Failing."

The Unified Extensible Firmware Interface, or UEFI, is typically the lowest level of software that runs on a modern motherboard, helping to boot the system into a ready state for use. Intel has multiple technologies to help secure firmware against attacks, including Boot Guard and BIOS Guard. Boot Guard helps to protect a system against a firmware-based attack by first verifying that trusted UEFI firmware is booting on the platform. BIOS Guard provides hardware-assisted authentication and protection against BIOS recovery attacks.

In an interview with eWEEK prior to his session, Matrosov said he found at least six vulnerabilities in how the firmware protections were implemented by motherboard vendors. The risk of the firmware vulnerabilities is that an attacker could potentially compromise a system and gain unauthorized access and control.

Among the vulnerabilities he discovered are privilege escalation flaws on the ASUS Vivo Mini (CVE-2017-11315), Lenovo ThinkCentre systems (CVE-2017-3753) and the MSI Cubi2 (CVE-2017-11312 and CVE-2017-11316). Matrosov also discovered an Intel Boot Guard bypass on the Gigabyte BRIX platform triggered by a pair of vulnerabilities identified as CVE-2017-11313 and CVE-2017-11314. 

The flaws are not in Intel's firmware security technologies but rather in how vendors implemented the technology, according to a statement that Intel sent to Matrosov.

"Intel provides a 6th and 7th generation Core Platforms Secure Configuration Specification, which covers how to securely configure the platform," Intel stated. "Additionally, Intel makes available a utility that our ecosystem partners can use to test and identify potential configuration issues."

Matrosov is not a newcomer to the world of firmware security. Prior to joining Cylance in October 2016, he worked at Intel as a security technical lead for firmware. In his view, not all of the motherboard vendors care about UEFI firmware in the same way, which leads to the implementation issues. 

Matrosov has responsibly disclosed the firmware security issues to the impacted vendors so they can resolve the issues. That said, Matrosov said he'd like to see vendors update BIOS firmware more regularly since there are a lot of different issues that are discovered over the lifetime of a given piece of hardware.

"BIOS updates are very important," he said. "Microsoft is now trying to figure out a way to configure unified BIOS updates for hardware, and they want to be able to let users update the BIOS as easily the operating system."

When an attacker can get into Simple Management Mode (SMM) on the firmware, he or she will also get access to physical memory running on a system, according to Matrosov. With that access, virtual machines can be discovered and potentially enable a bypass of virtualization security mechanisms.

"If the firmware is not protected, it can lead to huge problems," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.