Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices
Cybersecurity researchers have found “backdoor-like behavior” within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an insecure format.
Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.
“Most Gigabyte firmware includes a Windows
AMD Sinkclose Vulnerability Lets Attackers Access the Most Privileged Portions of a Computer
A vulnerability dubbed Sinkclose, which has been present in AMD processors for decades, lets attackers gain access to some of the most privileged areas of a computer.
It allows malware to infiltrate a computer’s memory so deeply that, in many situations, it could be quicker to destroy the device than disinfect it.
The vulnerability allows hackers to execute their code in one of an AMD processor’s most privileged modes, known as System Management Mode (SMM), which is intended to be reserved only for a certain, protected portion of its firmware.
Researchers at IOActive warn that the issue impacts almost all AMD processors manufactured since 2006, and probably even before.
Overview of the AMD Sinkclose Vulnerability
With a CVSS base score of 7.5, the high-severity vulnerability has been identified as CVE-2023-31315.
According to AMD’s security advisory, improper validation in a model-specific register (MSR) could allow a malicious program with ring 0 access to change the SMM configuration while the SMI lock is active, potentially leading to arbitrary code execution.
When the CPU is not executing in SMM, the memory controller blocks access to SMRAM, the dedicated region of physical memory reserved for SMM code and data.
IOActive researchers, however, discovered a method around this lock by utilizing specific MSR registers offered by AMD CPUs, which are reachable from ring 0 and aren’t read-only even when the SmmLock flag is set. This issue was reported by Krzysztof Okupski and Enrique Nissim of IOActive.
Researchers point out that to take advantage of the defect, hackers would need to have reasonably deep access to an AMD-based PC or server, but the Sinkclose vulnerability would still enable them to insert their malicious code much deeper.
“An attacker could infect the computer with malware known as a “bootkit” that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity”, IOActive researchers warn.
The researchers warn that a malware infection installed via Sinkclose may be even more difficult to detect or remove if the computer maker implemented AMD’s Platform Secure Boot feature incorrectly.
Such systems made up the vast majority of those the researchers tested. The malware may even survive an operating system reinstallation.
“Imagine nation-state hackers or whoever wants to persist on your system. Even if you wipe your drive clean, it’s still going to be there,” says Okupski.
“It’s going to be nearly undetectable and nearly unpatchable.”
According to Okupski, the only way to remove such malware from a computer is to open the case, physically connect to a specific area of the memory chips using a hardware tool called an SPI flash programmer, and thoroughly search the memory.
After acknowledging the issue, AMD says it has released mitigation options for Ryzen PC and data center products, with mitigations for AMD embedded products to follow soon. The firm has also released the full list of affected chips.
AMD has released mitigation options for the majority of its recent processors, encompassing all iterations of EPYC data center processors, the newest Threadripper models, and Ryzen processors. However, the company has chosen not to extend these updates to its Ryzen 1000, 2000, and 3000 series processors or its Threadripper 1000 and 2000 models.
Linux Kernel Flaw Let Attackers Gain Full Root Access: PoC Published
Security researchers have uncovered a critical vulnerability in the Linux kernel’s io_uring subsystem, which could allow attackers to gain full root access to affected systems.
The flaw, tracked as CVE-2024-0582, was found to be particularly exploitable in Ubuntu distributions due to a delay in patching despite the vulnerability being addressed in the stable kernel release in December 2023.
The vulnerability stems from a use-after-free (UAF) condition in the io_uring interface, a feature introduced in Linux kernel version 5.1 to improve the performance of applications with high I/O operations.
Despite its benefits, io_uring has been a hotbed for security vulnerabilities, leading to its restriction or outright disablement in environments like ChromeOS, Google’s production servers, and Android.
CVE-2024-0582 allows an attacker to gain read and write access to previously freed pages, offering a potent exploit primitive far beyond the typical UAF exploit.
This vulnerability was present in Linux kernel versions from 6.4 up to, but not including, 6.7, affecting major Ubuntu releases such as Ubuntu 23.10 and Ubuntu 22.04 LTS.
Exodus Intelligence has recently released a report on a flaw found in the Linux Kernel. The flaw allows an attacker to obtain elevated privileges on a system by exploiting a vulnerability in the Futex subsystem.
Patch Timeline
December 8, 2023: The vulnerability was patched in the stable kernel release 6.6.5.
January 8, 2024: The Project Zero issue detailing CVE-2024-0582 was made public.
February 22, 2024: Ubuntu finally patched the issue in kernel version 6.5.0-21 for Ubuntu 22.04 LTS and Ubuntu 23.10.
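An added version check, written for this summary and not part of the Project Zero or Exodus research, that encodes the affected window and fix versions stated above: upstream 6.4 up to but not including 6.7, fixed in stable 6.6.5, and backported by Ubuntu in its 6.5.0-21 kernel. It assumes a `uname -r` string of the form `6.5.0-NN-generic` is an Ubuntu kernel whose ABI number, not its upstream version, decides whether the backport is present; other distro backports are unknown to it and are reported conservatively as affected.

```python
import platform
import re

# Version facts as stated in the article (constructed checker, not the researchers' tooling):
# upstream kernels 6.4 <= v < 6.7 were affected, stable 6.6.5 carried the fix,
# and Ubuntu backported it into its 6.5.0-21 kernel for 22.04 LTS and 23.10.
AFFECTED_MIN = (6, 4, 0)
AFFECTED_MAX_EXCL = (6, 7, 0)
UPSTREAM_FIXED = (6, 6, 5)
UBUNTU_BASE = (6, 5, 0)
UBUNTU_FIXED_ABI = 21

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?")


def parse_kernel_release(release):
    """Split a `uname -r` string into ((major, minor, patch), abi_or_None).

    '6.5.0-21-generic' -> ((6, 5, 0), 21); '6.6.5' -> ((6, 6, 5), None).
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(abi) if abi else None)


def is_affected_by_cve_2024_0582(release):
    """True if the release falls inside the vulnerable window described above.

    Assumption: a release of the form 6.5.0-NN is treated as an Ubuntu kernel,
    where the ABI number NN decides whether the backported fix is present.
    Other distro backports are unknown here and are reported as affected
    (conservative default); treat the result as a version check, not proof.
    """
    version, abi = parse_kernel_release(release)
    if not (AFFECTED_MIN <= version < AFFECTED_MAX_EXCL):
        return False
    if version == UBUNTU_BASE and abi is not None:
        return abi < UBUNTU_FIXED_ABI
    return version < UPSTREAM_FIXED


if __name__ == "__main__":
    rel = platform.release()
    state = "AFFECTED" if is_affected_by_cve_2024_0582(rel) else "not in window"
    print(f"{rel}: {state} (CVE-2024-0582 version check only)")
```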
CVE-2024-0582’s exploitability lies in its ability to allow data-only exploits, bypassing common exploit mitigations like Control-Flow Integrity (CFI).
Attackers can manipulate data to escalate privileges without altering the code execution flow. This vulnerability was exploited using a data-only strategy, enabling a non-privileged user to achieve root privileges on affected systems.
According to a recent tweet by Cyber Advising, a memory leak vulnerability has been identified as CVE-2024-0582 in the Linux kernel’s io_uring functionality.
CVE-2024-0582: memory leak flaw was found in the Linux kernel’s io_uring functionality .. IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
io_uring offers a high-performance, asynchronous I/O API, reducing the overhead caused by blocking system calls and data transfers between user and kernel space. However, its complexity has made it a target for vulnerability research.
The io_uring API consists of three system calls:
io_uring_setup()
io_uring_register()
io_uring_enter()
Exploitation Strategy
The exploitation strategy triggered the UAF condition by manipulating io_uring’s provided buffer rings, specifically using the IOU_PBUF_RING_MMAP flag.
MMap the buffer ring
This allowed attackers to retain access to memory pages even after they were freed and reallocated by the kernel for other purposes, such as file structures (struct file).
Allocating file structures within a controlled page
By forcing the allocation of file structures on these controlled pages, attackers could modify critical fields, such as f_mode, to gain writable access to read-only files, including /etc/passwd.
This effectively allowed the addition of a backdoor account with root privileges.
The discovery and exploitation of CVE-2024-0582 highlight significant concerns regarding the security of the io_uring subsystem and the timely patching of vulnerabilities in widely used distributions like Ubuntu.
The two-month patch gap for Ubuntu kernels allowed attackers to exploit this vulnerability, underscoring the importance of rapid vulnerability response processes.