Extreme Privilege Escalation UEFI Security Vulnerability

From Thomas-Krenn-Wiki

Researchers at MITRE discovered several vulnerabilities in Intel's EDK2 UEFI reference implementation. Since this reference implementation is used by numerous manufacturers as the basis for their UEFI firmware, many systems (not only those by Intel) are affected. If an attacker gains admin rights on a Windows system (because of other vulnerabilities), the vulnerability described here allows the attacker to inject rootkits into the UEFI firmware on the motherboard.

Prerequisites for exploiting this vulnerability

An attacker must gain admin rights (ring 3) to be able to inject code into the UEFI firmware. (Image source: MITRE)[1]
Intel has fixed the vulnerability in the UEFI source code and released the fix with the updated EDK2 UEFI Development Kit in March 2014. (Image source: MITRE)[1]

The exploitation of the vulnerability is based on the SetFirmwareEnvironmentVariable function of the Windows 8 API.

To execute the SetFirmwareEnvironmentVariable function, an attacker must first obtain admin rights on the affected Windows system. According to our current knowledge, this vulnerability cannot be exploited without admin rights.

Affected Thomas-Krenn systems

The following overview shows which Thomas-Krenn systems are affected by the vulnerability and, for the affected systems, the UEFI firmware version in which the vulnerability is fixed:

| Thomas-Krenn-Server with | Affected yes/no | Notes |
|---|---|---|
| Supermicro X10-Motherboards (Dual-CPU X10D...) | Not affected. | These boards were announced by Supermicro in September 2014. For the UEFI firmware, Supermicro has used the latest version of the EDK2 development kit from Intel, which included the fixes for this vulnerability (Intel released the updated EDK2 development kit in March 2014, see the image from MITRE's presentation). |
| Supermicro X10-Motherboards (Single-CPU X10S...) | Not affected. | UEFI firmware is based on the first EDK reference implementation (not on EDK2). |
| Supermicro X9-Motherboards (Single- and Dual-CPU) | Not affected. | UEFI firmware is based on the first EDK reference implementation (not on EDK2). |
| Supermicro X8 and X7-Motherboards (Single- and Dual-CPU) | Not affected. | These motherboards are equipped with a conventional BIOS (not with a UEFI firmware). |
| Intel S2600GZ4 Motherboard | Affected. | Vulnerability fixed with UEFI Firmware 02.03.0003.[2] UEFI Firmware 02.03.0003 tested and verified by the Thomas-Krenn Quality-Assurance-Team on Sep 29th, 2014. |
| Intel S5520UR Motherboard | Affected. | Vulnerability fixed with UEFI Firmware R0064.[2] Please contact the Thomas-Krenn Support-Team to obtain the updated firmware image. |

References

  1. Presentation: Extreme Privilege Escalation On Windows 8/UEFI Systems (mitre.org, August 2014)
  2. Enhanced Protection of UEFI Variables (security-center.intel.com, 27.05.2014)

Additional Information



Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.

