UEFI Vulnerabilities Discovered

Thursday, January 8, 2015 @ 05:01 PM gHale

Vulnerabilities exist in the Unified Extensible Firmware Interface (UEFI), the BIOS replacement designed for improved software interoperability, researchers said.

Three separate advisories were published for security holes identified by researchers Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation. The researchers disclosed the UEFI vulnerabilities in a presentation at the Chaos Communication Congress (CCC) in Germany in late December.

The first flaw identified by the experts, CVE-2014-8274, can be exploited by a local, authenticated attacker to bypass firmware write protections. According to the researchers, the issue exists because access to the boot script used by the EFI S3 Resume Boot Path is not properly restricted.

“An authenticated local attacker may be able to bypass Secure Boot and/or perform an arbitrary reflash of the platform firmware despite the presence of signed firmware update enforcement. Additionally, the attacker could arbitrarily read or write to the SMRAM region. Lastly, the attacker could corrupt the platform firmware and cause the system to become inoperable,” Carnegie Mellon University CERT Coordination Center (CERT/CC) said in its advisory.

The second vulnerability, CVE-2014-8273, is a race condition affecting certain Intel chipsets. A local, authenticated attacker can exploit it to bypass the BIOS write protection mechanism and write malicious code to the platform firmware.

Another security hole disclosed by Wojtczuk and Kallenberg is a buffer overflow vulnerability (CVE-2014-8274) in the EDK1 UEFI reference implementation.

“The impact of the vulnerability depends on the earliness at which the vulnerable code can be instantiated. Generally, as the boot up of the platform progresses, the platform becomes more and more locked down. Specifically, things like the SPI Flash containing the platform firmware, [System Management Mode (SMM)], and other chipset configurations become locked,” said Wojtczuk and Kallenberg. “In an ideal (for attacker) scenario, the vulnerable code can be instantiated before the SPI flash is locked down, thus resulting in an arbitrary reflash of the platform firmware.”

The advisories published by CERT/CC show that potentially affected vendors were notified in September and October. Some of these organizations have determined whether their products are affected, but the status for many of them is currently “unknown.”

CVE-2014-8271 affects Insyde Software products. UEFI firmware from American Megatrends Incorporated (AMI) and Phoenix Technologies is affected by CVE-2014-8273. CVE-2014-8274 affects AMI, Phoenix and Intel solutions, and Dell is also on the list of possibly impacted vendors.
