Extreme Privilege Escalation UEFI Security Vulnerability
Researchers at MITRE discovered several vulnerabilities in Intel's EDK2 UEFI reference implementation. Since this reference implementation is used by numerous manufacturers as the basis for their UEFI firmware, many systems (not only those by Intel) are affected. If an attacker gains Admin rights on a Windows system (because of other vulnerabilities), the attacker can use the vulnerability described here to inject rootkits into the UEFI firmware on the motherboard.
Prerequisites for exploiting this vulnerability
The exploitation of the vulnerability is based on the SetFirmwareEnvironmentVariable function of the Windows 8 API.
To execute the SetFirmwareEnvironmentVariable function, an attacker must first obtain admin rights on the affected Windows system. According to our current knowledge, this vulnerability cannot be exploited without admin rights.
Affected Thomas-Krenn systems
The following overview shows which Thomas-Krenn systems are affected by the vulnerability and, for affected systems, the UEFI firmware version in which the vulnerability is fixed:
Thomas-Krenn-Server with | Affected yes/no | Notes |
---|---|---|
Supermicro X10-Motherboards (Dual-CPU X10D...) | Not affected. | These boards were announced by Supermicro in September 2014. For the UEFI firmware, Supermicro used the latest version of the EDK2 development kit from Intel, which included the fixes for this vulnerability (Intel released the updated EDK2 development kit in March 2014, see the image from MITRE's presentation). |
Supermicro X10-Motherboards (Single-CPU X10S...) | Not affected. | UEFI firmware is based on the first EDK reference implementation (not on EDK2). |
Supermicro X9-Motherboards (Single- and Dual-CPU) | Not affected. | UEFI firmware is based on the first EDK reference implementation (not on EDK2). |
Supermicro X8 and X7-Motherboards (Single- and Dual-CPU) | Not affected. | These motherboards are equipped with a conventional BIOS (not with a UEFI firmware). |
Intel S2600GZ4 Motherboard | Affected. Vulnerability fixed with UEFI Firmware 02.03.0003.[2] | UEFI Firmware 02.03.0003 tested and verified by the Thomas-Krenn Quality-Assurance-Team on Sep 29th, 2014. |
Intel S5520UR Motherboard | Affected. Vulnerability fixed with UEFI Firmware R0064.[2] | Please contact the Thomas-Krenn Support-Team to obtain the updated firmware image. |
References
- [1] Presentation: Extreme Privilege Escalation On Windows 8/UEFI Systems (mitre.org, August 2014)
- [2] Enhanced Protection of UEFI Variables (security-center.intel.com, 27.05.2014)
Additional Information
- Extreme Privilege Escalation: Gefährliche Sicherheitslücken in UEFI-Firmware (heise.de, 21.10.2014)
- Mehr Updates gegen die UEFI-Sicherheitslücke (3. Update) (heise.de, 05.11.2014)
- Vulnerability Note VU#552286: UEFI EDK2 Capsule Update vulnerabilities (kb.cert.org)
- BIOS Extreme Privilege Escalation (mitre.org, 06.08.2014)
Author: Werner Fischer
Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.