Menu
Firmware flaws could allow a malicious reflash, US CERT warns

Firmware flaws could allow a malicious reflash, US CERT warns

U.S. CERT warned of three issues that could affect critical firmware

Three vendors have released fixes for vulnerabilities found in the critical firmware used during a computer's startup, according to an advisory from the U.S. Computer Emergency Readiness Team.

The vulnerabilities could allow an attacker to bypass a feature called Secure Boot, which verifies that firmware components carry a correct digital signature ensuring the software's authenticity. The attacker could then replace the device's firmware.

The flaws lie within some UEFI (unified extensible firmware interface) systems, the advisory said. UEFI is a firmware interface that was designed to improve upon BIOS.

A boot script within the UEFI S3 Resume path "resides in unprotected memory which can be tampered with by an attacker with access to physical memory," the advisory said.

An authenticated local attacker could bypass Secure Boot and reflash, or replace, the firmware even if signed firmware updates are supposed to be used. An attack could also cause a system to be inoperable.

Several vendors have taken action. American Megatrends Incorporated (AMI), which makes BIOS and UEFI firmware, has "addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production."

Intel and Phoenix Technologies, which also makes UEFI software, have issued fixes, the advisory said.

The advisory was one of three issued by U.S. CERT on Monday. The agency also warned of a "race condition" vulnerability in some Intel chipsets that could allow the bypass of a BIOS locking mechanism, allowing malicious code to be inserted into firmware.

American Megatrends and Phoenix Technologies have issued updates to address the issue, but it's unknown if other major vendors may be affected, according to the advisory.

U.S. CERT also warned in a third advisory of a buffer overflow in the open-source EDK1 project's UEFI reference implementation. One affected vendor that uses the firmware, Insyde Software, has fixed the issue.

American Megatrends, Apple, IBM, Intel and Phoenix Technologies are not affected by that flaw. However, it's not known whether other large vendors may be vulnerable.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags AppleintelIBMPhoenix TechnologiesExploits / vulnerabilitiesU.S. Computer Emergency Readiness TeamAmerican MegatrendsInsyde Software

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments