Gigabyte Firmware Flaws Allow the Installation of UEFI Ransomware

Posted by Zarathustra 1:30 PM (CDT)

Monday April 03, 2017

At the BlackhHat Asia 2017 security conference on Friday researchers from cyber-security firm Cylance demonstrated two Gigabyte vulnerabilities which allow malicious code to be written to the UEFI firmware. The demonstration involved installing proof-of-concept UEFI ransomware preventing a Gigabyte Brix computer from booting. Researchers suggest that the same vulnerabilities can allow for the installation of rootkits allowing attackers to install persistent malware that reinstalls itself once cleared off of the installed system.

I wonder how this would be cleared. I'd imagine pulling the BIOS EEPROM and reprogramming it external to the motherboard would be required, and that would require an EEPROM programmer, which very few of us have. One thing is certain. Clearing malware is potentially going to get a lot more tricky in the future if exploits like these wind up being used in the wild.

The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system's firmware. Write-protection mechanisms exist to prevent attackers from modifying the firmware; however, the affected systems do not enable them.