
Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices


itman


Quote

Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format.

Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.

"Most Gigabyte firmware includes a Windows Native Binary executable embedded inside of the UEFI firmware," John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.

"The detected Windows executable is dropped to disk and executed as part of the Windows startup process, similar to the LoJack double agent attack. This executable then downloads and runs additional binaries via insecure methods."

"Only the intention of the author can distinguish this sort of vulnerability from a malicious backdoor," Loucaides added.

The executable, per Eclypsium, is embedded into UEFI firmware and written to disk by firmware as part of the system boot process and subsequently launched as an update service.

The .NET-based application, for its part, is configured to download and execute a payload from Gigabyte update servers over plain HTTP, thereby exposing the process to adversary-in-the-middle (AitM) attacks via a compromised router.

Loucaides said the software “seems to have been intended as a legitimate update application,” noting the issue potentially impacts “around 364 Gigabyte systems with a rough estimate of 7 million devices.”

With threat actors constantly on the lookout for ways to remain undetected and leave a minimal intrusion footprint, vulnerabilities in the privileged firmware update mechanism could pave the way for stealthy firmware implants that can subvert all security controls running in the operating system plane.


https://thehackernews.com/2023/05/critical-firmware-vulnerability-in.html

Mitigations

Quote

We recommend exercising caution when using Gigabyte systems or systems with affected motherboards. Organizations can also take the following actions to minimize the risk:

  • Scan and monitor systems and firmware updates in order to detect affected Gigabyte systems and the backdoor-like tools embedded in firmware. Update systems to the latest validated firmware and software in order to address security issues like this one.
  • Inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup on Gigabyte systems and set a BIOS password to deter malicious changes.
  • Administrators can also block the following URLs:
    • http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
    • https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
    • https://software-nas/Swhttp/LiveUpdate4


https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/

Affected Gigabyte motherboard firmware

https://eclypsium.com/wp-content/uploads/Gigabyte-Affected-Models.pdf

Edited by itman
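As an added defender-side example (not code from the post, The Hacker News, or Eclypsium), a small Python script that scans proxy-log lines for fetches from the three LiveUpdate4 URLs listed in the mitigations above and ranks the plain-HTTP fetch, the path exposed to the AitM attack the article describes, highest. The log field layout and the sample lines are constructed assumptions; adapt the parser to your proxy's real format.

```python
"""Flag proxy-log requests to the Gigabyte APP Center LiveUpdate4 endpoints."""
from urllib.parse import urlsplit

# Indicator URLs exactly as quoted in the Eclypsium advisory.
LIVEUPDATE_URLS = (
    "http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://software-nas/Swhttp/LiveUpdate4",
)

# Normalise to (host, path prefix) so any file fetched beneath an endpoint matches.
_INDICATORS = {(urlsplit(u).hostname.lower(), urlsplit(u).path.rstrip("/"))
               for u in LIVEUPDATE_URLS}

def classify_url(url):
    """Return 'plain-http', 'https', or None for a request URL."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path.rstrip("/")
    for ind_host, ind_path in _INDICATORS:
        if host == ind_host and (path == ind_path or path.startswith(ind_path + "/")):
            return "plain-http" if parts.scheme == "http" else "https"
    return None

def find_liveupdate_requests(log_lines):
    """Parse constructed 'timestamp client method url status' lines; return hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than crash the scan
        ts, client, _method, url, _status = fields[:5]
        kind = classify_url(url)
        if kind:
            # Plain HTTP is the AitM-exposed fetch the advisory describes; rank it highest.
            hits.append({"time": ts, "client": client, "url": url,
                         "severity": "high" if kind == "plain-http" else "medium"})
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2023-06-01T08:00:01Z 10.0.0.15 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4/update.xml 200",
    "2023-06-01T08:00:02Z 10.0.0.15 GET https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4/ 200",
    "2023-06-01T08:00:03Z 10.0.0.22 GET https://software-nas/Swhttp/LiveUpdate4/payload.bin 200",
    "2023-06-01T08:00:04Z 10.0.0.22 GET https://www.gigabyte.com/Press/News/2091 200",
    "2023-06-01T08:00:05Z 10.0.0.30 GET http://mb.download.gigabyte.com/FileList/other 200",
]
```

Running `find_liveupdate_requests(SAMPLE_LOG)` returns three hits; the first, the plain-HTTP fetch from 10.0.0.15, is the one to triage first.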

Based on a posting on wilderssecurity.com: https://www.wilderssecurity.com/threads/gigabyte-mobos-supply-chain-risk-from-gigabyte-app-center-backdoor.451620/#post-3149242, it appears Gigabyte has pushed a firmware update to address this issue. There is also the question of whether a firmware update will be pushed for motherboards no longer supported.

It is uncharacteristic for Gigabyte to react this quickly to a vulnerability, so this must be a serious one.

-EDIT- Gigabyte statement here: https://www.gigabyte.com/Press/News/2091

Edited by itman
