[German]Owners of a computer with a motherboard from the manufacturer Gigabyte can now update the board's firmware. The update provided by the manufacturer is supposed to eliminate a serious vulnerability. The vulnerability, which is present in about 260 motherboard models, could allow attackers to inject malware into the system.
Advertising
Gigabyte Motherboards with Backdoor
I had mentioned the issue in the German blog post Sicherheits-, Ransomware- und Datenschutzvorfälle Mai 2023. Security researchers from firmware specialist cybersecurity firm Eclypsium have discovered a hidden mechanism in the firmware of motherboards from Taiwanese manufacturer Gigabyte that attempts to update the firmware every time the board is rebooted. Around 260 motherboard models are affected.
Firmware updates are actually not bad – but secretly and without user control is problematic. It is even more problematic that this Gigabyte update process is insecure. The researchers discovered that the update process is implemented insecurely. Gigabyte uses WPBT to invoke an update program from BIOS/UEFI.
This program, according to Eclysium, then downloads and executes another piece of software. This could potentially allow the mechanism to be hijacked and used to install malware instead of Gigabyte's intended program. The whole firmware update approach by Gigabyte "smells", users have virtually no way to detect or remove it.
Security risk WPBT
I hadn't addressed it in the German blog post mentioned above – these vulnerability was possible because manufacturers use WPBT as a mechanimus. I've covered the topic several times within my German blog. In 2015, I had already addressed the WPBT issue in the German blog post Backdoor 'Windows Platform Binary Table' (WPBT).
With Windows 8, Microsoft has laid the basics to do quite a bit of hogwash on systems. The technique is called 'Windows Platform Binary Table' (WPBT) and is described in detail in this Word .docx document.
Advertising
WPBT creates the possibility of executing code to manipulate Windows operating systems during the BIOS boot phase (UEFI also falls under this).
Thus, drivers, updaters, etc. can be injected in the boot phase (from the ACPI tables of the BIOS). The original idea was that OEMs should be able to perform updates – regardless of whether the user has performed a Clean Install of Windows.
Many manufacturers (Lenovo, HP, Dell, Gigabyte) use WPBT to make their own messes on systems. However, the approach regularly falls on people's feet and a security hole is torn open. This also happened in the Gigabyte case above.
Gigabyte update for vulnerability
Bleeping Computer mentioned, that Gigabyte has reacted to the above-mentioned vulnerability with a firmware update on June 1, 2023. This press release states that stricter security checks during the boot process of the operating system have now been implemented.
To this end, GIGABYTE has improved a verification process for files downloaded from remote servers to ensure the integrity and legitimacy of the content. By doing so, the manufacturer hopes to thwart any attempts by attackers to insert malicious code. Furthermore, cryptographic verification of remote server certificates is now performed by default. This is to guarantee that files are only downloaded from servers with valid and trusted certificates. The updates should be available on the official GIGABYTE website for BIOS updates.
