• Firmware issues

    #2392447

    This might mean we need to sort a lot of old kit with new firmware, or watch the security a bit more closely:

    https://www.bleepingcomputer.com/news/security/microsoft-wpbt-flaw-lets-hackers-install-rootkits-on-windows-devices/

    If you check out what’s in the area concerned you find an attacker leveraging this could ransomware your Windows license by breaking the table, as the OEM variables there in part identify the machine identity and serial to Microsoft. (to be sure they’d have to hit a third item, but that would depend how the flash holding the network adapter MAC address is accessed… but that data might be in the main flash for some hardware.) You might know what the values were but it’s going to presumably get harder to put them back after you fix a problem.

    https://download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx

    That’s not to mention that, electronically, flash memory programs in blocks, so to change a few bytes the chip itself reprograms the whole data cell those bytes are within, which means there is a bit of time during which Windows deciding to shut down while any flash write is in progress could cause corruption. Flash tech: https://www.jedec.org/sites/default/files/KeunSoonJo.pdf

    A note for the hardware hacker types – it’s getting more common for flash content to be encrypted with the serial number of the processor accessing the flash (in a PC, that would be the PCH not the CPU) so a direct attempt to do anything about any of the issues at hardware level is possibly now a non-starter – you generally don’t even get a write protect jumper as the flash controllers are back ended on SPI/SPD/eSPI and chips of that design tend to lack that pin.

    Now it seems the situation is getting closer to true malware persistence as there’s now a UEFI one for those who would like to reverse engineer it..

    https://www.bleepingcomputer.com/news/security/finfisher-malware-hijacks-windows-boot-manager-with-uefi-bootkit/

    All of this could be a bit worrying for Dell users who’ve held off updating BIOS and Dell Update issues (or haven’t noticed it’s not happening) as recent issues could potentially be combined with this problem to affect the ability to “own” the machine completely.

    It does seem at present you can actually access the file from an administrative CMD prompt, anyway – see attached. (demo is not the most graceful way but have had issues getting mountvol to work.. the GUIDs vary..)
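The first post reads the platform binary table from an administrative prompt. As an added example (not the poster's code and not a Microsoft tool), the script below decodes the WPBT layout described in the Microsoft specification linked above: the standard ACPI header, then the handoff memory size and physical location of the OEM image, the content layout and content type, and for content type 1 a UTF-16LE command line. The field offsets are my reading of that document and should be confirmed against it; the sample table is constructed for the demo, the OEM and creator identifiers in it are made up, and the Linux sysfs path is assumed from the standard ACPI table exposure.

```python
"""Inspect a Windows Platform Binary Table (WPBT).

Added example for this thread; not the poster's code and not a Microsoft tool.
Field offsets follow the WPBT specification linked in the first post and are
assumptions to confirm against it. The sample table is constructed.
"""
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Standard 36-byte ACPI description header, little-endian, no padding.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body: HandoffMemorySize (u32), HandoffMemoryLocation (u64 physical
# address), ContentLayout (u8, 1 = single PE image), ContentType (u8).
WPBT_BODY = struct.Struct("<IQBB")
CONTENT_TYPE_NATIVE_APP = 1          # followed by u16 length + UTF-16LE args
SYSFS_WPBT = "/sys/firmware/acpi/tables/WPBT"   # assumed Linux exposure


@dataclass
class Wpbt:
    length: int
    revision: int
    checksum_ok: bool
    oem_id: str
    oem_table_id: str
    handoff_size: int
    handoff_location: int
    content_layout: int
    content_type: int
    command_line: str


def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is valid when all of its bytes sum to zero modulo 256."""
    return sum(table) & 0xFF == 0


def parse_wpbt(table: bytes) -> Wpbt:
    """Decode a raw WPBT blob; raises ValueError on a malformed table."""
    minimum = ACPI_HEADER.size + WPBT_BODY.size
    if len(table) < minimum:
        raise ValueError("buffer too short for a WPBT")
    sig, length, rev, _csum, oem_id, oem_tid, _, _, _ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length > len(table) or length < minimum:
        raise ValueError(f"header length {length} inconsistent with {len(table)}-byte buffer")
    table = table[:length]
    size, location, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    command_line = ""
    if ctype == CONTENT_TYPE_NATIVE_APP:
        off = minimum
        if off + 2 > len(table):
            raise ValueError("content type 1 but no argument length field")
        (arg_len,) = struct.unpack_from("<H", table, off)
        raw = table[off + 2 : off + 2 + arg_len]
        command_line = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return Wpbt(length, rev, acpi_checksum_ok(table),
                oem_id.decode("ascii", "replace").strip(),
                oem_tid.decode("ascii", "replace").strip(),
                size, location, layout, ctype, command_line)


def read_platform_wpbt(path: str = SYSFS_WPBT) -> Optional[Wpbt]:
    """Return this machine's WPBT if the firmware publishes one, else None."""
    p = Path(path)
    return parse_wpbt(p.read_bytes()) if p.exists() else None


def build_sample_wpbt(command_line: str, location: int = 0x7A1BC000, size: int = 0x6000) -> bytes:
    """Construct a well-formed WPBT for testing; every value here is made up."""
    args = command_line.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(size, location, 1, CONTENT_TYPE_NATIVE_APP)
    body += struct.pack("<H", len(args)) + args
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"SAMPLE  ", 1, b"TEST", 1)
    raw = bytearray(header + body)
    raw[9] = (-sum(raw)) & 0xFF      # checksum byte is offset 9 of the ACPI header
    return bytes(raw)


if __name__ == "__main__":
    sample = parse_wpbt(build_sample_wpbt("example-oem-agent.exe /silent"))
    for label, t in (("platform", read_platform_wpbt()), ("constructed sample", sample)):
        if t is None:
            print(f"{label}: no WPBT published by this firmware")
            continue
        print(f"{label}: oem={t.oem_id!r} rev={t.revision} checksum_ok={t.checksum_ok} "
              f"image@0x{t.handoff_location:x} ({t.handoff_size} bytes) "
              f"type={t.content_type} cmdline={t.command_line!r}")
```

The defensive use is inventory: record, per model and per firmware version, whether a WPBT is published at all, what command line it carries and where the image sits, and compare again after every BIOS update. A table that fails its checksum, or a command line you do not recognise from the vendor's documentation, is the point at which to ask the OEM what that binary is.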

    • #2392494

      All of this could be a bit worrying for Dell users who’ve held off updating BIOS and Dell Update issues (or haven’t noticed it’s not happening) as recent issues could potentially be combined with this problem to affect the ability to “own” the machine completely.

      Hi oldguy:

      Is there a CVE associated with this new Microsoft WPBT flaw described in the 25-Sep-2021 BleepingComputer article Microsoft WPBT Flaw Lets Hackers Install Rootkits on Windows Devices?

      I also don’t understand how this new Microsoft WPBT flaw is related to the CVE-2021-21571 and CVE-2021-21572 you mentioned in your post # 2391847 (except that these older CVEs were also discovered by Eclypsium). Dell released BIOS updates to patch these CVEs back in June 2021, and affected Dell model numbers (and the minimum BIOS version required to fix the problem) are listed at the bottom of the Dell Security Advisory DSA-2021-106: Dell Client Platform Security Update for Multiple Vulnerabilities in the BIOSConnect and HTTPS Boot Features as Part of the Dell Client BIOS. My Dell Inspiron 5584 is not in that list of affected products, and the release notes <here> for the latest Inspiron 5583/5584 System BIOS v1.15.0 (rel. 31-Aug-2021) I installed on my laptop don’t mention any specific CVEs that were patched by this BIOS update.
      ————-
      Dell Inspiron 15 5584 * 64-bit Win 10 Pro v21H1 build 19043.1237 * Microsoft Defender v4.18.2108.7 * Malwarebytes Premium v4.4.7.134 – 1.0.1464 * Inspiron 5583/5584 BIOS v1.15.0

    • #2392609

      Mainly if someone addressed subsections of CVE-2021-21551 by removing the problem package, or performed a flat Windows installation and updated it rather than using Dell software, there isn’t a method to be notified of the issue, so they may not have fixed CVE-2021-21571 and CVE-2021-21572, and if they were to fall victim to the UEFI bootkit, starting from the local hard disk restore would be unlikely to root out that problem so they would be driven to use a less secure solution (and the bootkit may have sent detail on the machine back to its creator for targeting it…), possibly digging a deeper hole. Once local elevation is achieved (by driver or bootkit) persistence by way of the platform binary table is an open target – I doubt those engaged in this sort of programming care at all if they break your machine trying to take it over. You might expect Microsoft to engage the policies as given, but of course if you’re not updating that might not happen, or worse might even open another misconfiguration to be exploited.

       

    • #2393270

      Mainly if someone addressed subsections of CVE-2021-21551 by removing the problem package, or performed a flat Windows installation and updated it rather than using Dell software, there isn’t a method to be notified of the issue, so they may not have fixed CVE-2021-21571 and CVE-2021-21572…possibly digging a deeper hole.

      Hi oldguy:

      If users are not using Dell utilities like SupportAssist v3.x and/or Dell Update v4.x to check for available updates and are not checking the Dell support page for their computer model to look for the latest urgent Dell BIOS update, then yes, I agree with you that their system might be more susceptible to a bootkit or some other BIOS-related malware. However, I don’t think that’s unique to CVE-2021-21571 and CVE-2021-21572 vulnerabilities in Dell BIOSConnect described in DSA-2021-061.

      I’m not sure what you mean by a “flat Windows installation”, but even if it rolled back my BIOS version (which I’m not sure it would, since Dell BIOS updates are firmware packages) and removed SupportAssist v3.x and/or Dell Update v4.x I suspect that Windows Update would try to update the Dell BIOS on my Inspiron 5584. Windows Update pushed out a few unwanted Dell BIOS updates to my system that were named something like “Dell, Inc. – Firmware – x.xx.x” (this was before Win 10 v20H1 began classifying driver updates as optional Windows updates – see the attached image I captured today from the Microsoft Update Catalog). After a few of these unwanted updates I had to configure the Local Group Policy Editor of my Win 10 Pro OS (Computer Configuration | Administrative Templates | Windows Components | Windows Update | Do Not Include Drivers With Windows Updates | ENABLED) to prevent Windows Update from installing hardware drivers and BIOS/firmware updates before they were certified for my Inspiron 5584 and posted <here> on the support page for my laptop model.
      ——–
      Dell Inspiron 15 5584 * 64-bit Win 10 Pro v21H1 build 19043.1237 * Microsoft Defender v4.18.2108.7 * Malwarebytes Premium v4.4.7.134 – 1.0.1464 * Inspiron 5583/5584 BIOS v1.15.0

      [attached image: Microsoft-Update-Catalog-Dell-Firmware-BIOS-Update-v0_1_15_1-07-Jun-2021]

    • #2393369

      You seem to think I’m specifically getting at you about your PC, when in fact I’m just highlighting that the pending issues seem to be building to a situation where a subset of models could be quite exposed – your home PC, you can sort that. A business with a few dozen of another Dell model could have significantly greater issues and might not even have an IT technician to flag up the problem for them, so might find events outpace their ability to react.

      This is an open post for all to read so they can be better informed – me included.

      Yes, the chances are small, but would you like to be the guy who missed the opportunity to stop his business being wiped out because he stopped the Windows updates because one of them stopped the critical office printer from working and just doing that was his technical limit? The printing issues are still rumbling on.. not everyone has time to check the news.

      flat windows installation = “I installed it from the ISO and just let it update.”  – seems the Windows update target has moved, in this case for the better hopefully. It also dates the time I’ve been out of the front line.

      I don’t suppose you could post the URL for the Windows catalogue used as when I looked a while back for firmware it seemed to be absent so I think I had the wrong site there..

      Thanks.

       

    • #2393390

      I don’t suppose you could post the URL for the Windows catalogue used as when I looked a while back for firmware it seemed to be absent so I think I had the wrong site there…

      Hi oldguy:

      If you’re looking for Dell BIOS updates start at https://www.catalog.update.microsoft.com/Search.aspx?q=dell+firmware. You’ll see a warning stating that “Your search resulted in over 1000 matching updates. Only the first 1000 are returned” so you’d have to add additional keywords (e.g., “2021”, “1.15.0”, etc.) to the search term to narrow down the search results.

      Windows Update has offered driver and firmware updates that were not certified for my Inspiron 5584 so I personally wouldn’t trust any BIOS update that wasn’t listed on the Drivers and Downloads page <here> for my Inspiron 5584. Installers for earlier versions can be found by clicking the “Older Versions” links for any driver or firmware update listed on the support page for your Dell model but the “Important Information” section of the attached image notes that BIOS downgrades are not permitted if a newer version addresses an important security update.
      ————-
      Dell Inspiron 15 5584 * 64-bit Win 10 Pro v21H1 build 19043.1237 * Microsoft Defender v4.18.2108.7 * Malwarebytes Premium v4.4.7.134 – 1.0.1464 * Inspiron 5583/5584 BIOS v1.15.0

      [attached image: Inspiron-5584-Support-Page-Dell-BIOS-v1_15_0-Older-Versions-03-Oct-2021]

    • #2393889
    • #2405367
    • #2406146

      Dell have fixed it. Not the driver issue as such, but now you need to have admin privileges to use the exploit at least..

      https://www.bleepingcomputer.com/news/security/dell-driver-fix-still-allows-windows-kernel-level-attacks/

       

       

    • #2406235

      If you’re looking for Dell BIOS updates start at https://www.catalog.update.microsoft.com/Search.aspx?q=dell+firmware. You’ll see a warning stating that “Your search resulted in over 1000 matching updates. Only the first 1000 are returned” so you’d have to add additional keywords (e.g., “2021”, “1.15.0”, etc.) to the search term to narrow down the search results.

      I would never look at Microsoft for a BIOS update for a Dell machine. That sounds like a recipe for potential disaster, if you were to take the wrong BIOS, i.e. for the wrong machine.

      Go to Dell > Support, input the Dell Service Tag for your machine, and you will find the correct version of the BIOS for your machine. I would not advocate doing this any other way. It helps to create an account with Dell, but I don’t think it is mandatory (though you might have done this to safeguard your warranty).

       

      Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

      • #2406238

        It’s been a while since I’ve been on the Dell Support website, but the way it used to work is, input your service tag, wait a few minutes to get a list of Dell drivers and BIOS updates your computer “needs”. No account is required. IMPORTANT: make sure you read all of the instructions for updating the BIOS. IIRC there are situations where to get the latest BIOS, you may first need to install a previous BIOS that is not the latest, but which is newer than the BIOS in your machine. If you do not heed the instructions you may well be looking at a new brick. (BTDT on a machine that was pretty much a lost cause anyway.)

      • #2406249

        I would never look at Microsoft for a BIOS update for a Dell machine. That sounds like a recipe for potential disaster, if you were to take the wrong BIOS, i.e. for the wrong machine…

        Hi ScotchJohn:

        You’ve taken my quote out of context. If you read the next paragraph of my reply #2393390 I stated:

        “Windows Update has offered driver and firmware updates that were not certified for my Inspiron 5584 so I personally wouldn’t trust any BIOS update that wasn’t listed on the Drivers and Downloads page <here> for my Inspiron 5584…

        I wasn’t advocating that Dell users obtain their BIOS updates via Windows Update or the Microsoft Update Catalog. I was simply responding to oldguy’s request in post # 2393369 asking me to “post the URL for the Windows catalogue used as when I looked a while back for firmware it seemed to be absent…”.
        ———–
        Dell Inspiron 15 5584 * 64-bit Win 10 Pro v21H1 build 19043.1348 * Microsoft Defender v.4.18.2110.6-1.1.18800.4 * Malwarebytes Premium v4.4.11.149-1.0.1513 * Inspiron 5583/5584 BIOS v1.16.0

    • #2419614

      And so it comes to pass. Perhaps someone needs to write a BIOS backup program.

      This malware is “in silicon” and limited in scope just now (which means they’re targeting a network of very similar hardware machines, I would expect) but finding another high value target with a large number of identical machines would be relatively easy. Where I worked we used to install a customer’s LSE software on Dell PCs a site (at least 20..) at a time and we probably had over a hundred sites, and the other providers use the same hardware platforms as that was also specified by the customer. Not going to say who that was of course.

      https://www.bleepingcomputer.com/news/security/new-moonbounce-uefi-malware-used-by-apt41-in-targeted-attacks/

      What is interesting is the statement “In the case of MoonBounce, the implanting location is on the SPI flash memory of the motherboard, so not even a hard disk replacement can uproot it.” – as that isn’t always a BIOS area though modern systems unpack the BIOS code from SPI to memory via the chipset, SPI also runs around the board handling the plug and play information as well, leaving the possibility that on the wrong platform an attempted infection could damage other plugged components by damaging that information, or that removing a drive from a compromised system to a different model of machine could actually break the recipient hardware as the malware tries to infect the SPI bus but the code on that system is not as expected (as the PBT is unlikely to be found at a fixed location in the BIOS code across vendors).

    • #2419904

      And so it comes to pass. Perhaps someone needs to write a BIOS backup program.

      Yup…there used to be such programs a long time ago before BIOSes became so hideously complicated. You just hit “save BIOS Config” and it was done. Restoration as easy too.

      (Personally, and this is ONLY me, I still can’t shake the old wisdom that flashing your BIOS was very risky, and should only be done as a last resort. Saw too many bricked MOBOs. Maybe I’m just a fuddy-duddy, but…there it is.)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "...all the people, all the time..."Peter Ustinov ad-lib in "Logan's Run"

      • #2419905

        Phoenix, Award, AMI were relatively straightforward back in the days of floppy drives.. nevertheless, there was that horrible fear that magnetic media could throw a wobbly during the process and bork the entire system!! Upon research at the time, I always made a point of using brand new surface-scanned floppy disks back then, for backing up existing firmware prior to updating the BIOS firmware as a rule, with no failures.

        Never understood why the backup firmware prior to flashing facility was dropped..it made sense at the time even though I never needed to use it.

        Since USB sticks appeared and bios firmware contained ‘boot from usb’, mid-late 90’s IIRC, the process became less fearful here due to reliability of USB flash drive media.
        This also made devices other than PC’s easier to update. Dunno whether I’d trust OTA/OTIP method, I still prefer the USB flash method..YMMV

        Keeping IT Lean, Clean and Mean!
    • #2419908

      (Personally, and this is ONLY me, I still can’t shake the old wisdom that flashing your BIOS was very risky, and should only be done as a last resort. Saw too many bricked MOBOs. Maybe I’m just a fuddy-duddy, but…there it is.)

      Never had a problem updating BIOS on any of my PCs for tens of years.
      You won’t have a problem when doing it right.
      Never let some OEM assistant software recommend, download and install firmware for you.
      Download firmware manually to your desktop. Close running software including A/V and install.

    • #2419913

      Sorry, perhaps you’ve missed the point of my last posting in this forum.

      It’s more a technical discussion rather than “a problem”. It’s about the progress malware authors are making towards maintaining persistence by altering code in the existing BIOS, not BIOS updates.  I could maybe code red it but it’s not something “wormable” and there is no solution to fix this so what would be the point?

      Then again not every reader here is a home user so the heads up could be useful for those running companies which might be in the line of fire as they have large numbers of hardware platforms.

      To restate, an exploit on UEFI has been foisted which persists in the flash memory. Loading BIOS defaults will not change that, and if the creators of this needed to prevent BIOS updates to retain persistence perhaps they could set the version bytes in the flash well in advance of the current version so the manufacturer updates wouldn’t work as a way of removing the problem as they would be rejected as a downgrade.

      In this case, instead of adding something into the PBT (which is “cross platform”, but it would seem relatively hard to locate) it seems they have added information to the UEFI driver table to add the malware as an extra “hardware” driver via that route instead. The detail is here:

      https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

      Basically to protect against this right now you would have to extract the BIOS chip, read its content byte by byte, and fit a socket to put it back so you could extract it again to reprogram it to its previous content if you got attacked (bear in mind this attack goes with large networks of similar machines so that is going to be some undertaking – for OEM each chip content includes its own signed and machine specific Windows license, so you would have to undertake very fiddly hardware soldering work on every machine!) .. Unfortunately as a rule the BIOS chip is now physically tiny and soldered down… the last board I saw with a socket was in the Asus P8H81 series back in about 2012/13. Intel have soldered their BIOS chips in since at least 2010 (DH55 series) and their server BIOS chips were soldered down long before that.

      I guess the next target will be common server infrastructure. Might be time to set a business group policy to block wmic to stop workstations being used to characterise the server hardware architecture where that’s old enough the miscreants might find the same motherboard on a junk pile to get a BIOS code image they can use to work out how to own it.. I wouldn’t be surprised if the MAC address on the NICs on servers didn’t reveal more information about the hardware than you’d like on older systems. It exposes the OUI so if you get the serial number you need for the support page that indicates, it’s not going to hit a wide range of product..

      As said, code red will be for when it starts happening.. Until then maybe we have to hope the Chipsec authors have seen this and can maybe provide some tools for managing the driver tables as well as inspecting the PBT in the longer term. Maybe they’ve started work already, I haven’t checked in some time.
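Two points in this thread fit one worked example: the first post's note that flash is programmed in whole blocks, so an interrupted write leaves a partially erased region, and the idea in the posts above of reading the chip's content so you can tell later whether it still matches. The script below is an added example, not the poster's code and not a vendor or Chipsec tool. It compares two raw dumps of the same SPI flash part in erase-block units and, for each changed block, uses the NOR flash rule that programming can only clear bits (so any bit that went from 0 to 1 means the block was erased first) to say what kind of write happened. The 4 KiB erase block is an assumption (the real figure is chip specific), and both dumps are constructed in make_sample_images().

```python
"""Block-wise comparison of two SPI flash dumps.

Added example for this thread; not the poster's code and not a vendor or
Chipsec tool. Assumes both dumps are complete raw images of the same part
and a 4 KiB erase block (assumption; check the chip's datasheet).
"""
import hashlib
import random

ERASE_BLOCK = 4096   # assumed erase granularity


def block_digests(image: bytes, block: int = ERASE_BLOCK) -> list:
    """SHA-256 per erase block; keep these as the known-good baseline."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def changed_blocks(baseline: bytes, current: bytes, block: int = ERASE_BLOCK) -> list:
    """Indices of erase blocks whose content differs between the two dumps."""
    if len(baseline) != len(current):
        raise ValueError("dumps differ in size: not the same part, or an incomplete read")
    pairs = zip(block_digests(baseline, block), block_digests(current, block))
    return [i for i, (a, b) in enumerate(pairs) if a != b]


def classify_block(old: bytes, new: bytes) -> str:
    """Explain how a block got from old to new using NOR flash rules:
    a program cycle can only clear bits (1 -> 0); setting a bit back
    requires erasing the whole block to 0xFF first."""
    if all(b == 0xFF for b in new):
        return "erased"                 # erased, never rewritten: interrupted write
    if any(n & ~o & 0xFF for o, n in zip(old, new)):
        return "erased-and-rewritten"   # some bit went 0 -> 1, so a full erase ran
    return "programmed-in-place"        # only bits cleared: a plain program cycle


def report(baseline: bytes, current: bytes, block: int = ERASE_BLOCK) -> list:
    """One entry per changed block: index, byte offset, kind, bytes differing."""
    out = []
    for i in changed_blocks(baseline, current, block):
        old = baseline[i * block:(i + 1) * block]
        new = current[i * block:(i + 1) * block]
        out.append({
            "block": i,
            "offset": i * block,
            "kind": classify_block(old, new),
            "changed_bytes": sum(1 for o, n in zip(old, new) if o != n),
        })
    return out


def make_sample_images(size: int = 16 * ERASE_BLOCK):
    """Constructed 64 KiB dumps: a pseudo-random baseline and a copy with
    three kinds of modification applied. Not captured from real hardware."""
    rng = random.Random(0xB105)
    baseline = bytes(rng.getrandbits(8) for _ in range(size))
    cur = bytearray(baseline)
    # block 3: 16 bytes overwritten with zeros (only ever clears bits)
    cur[3 * ERASE_BLOCK + 100:3 * ERASE_BLOCK + 116] = b"\x00" * 16
    # block 5: 8 bytes forced to 0xFF (sets bits, so needed an erase first)
    cur[5 * ERASE_BLOCK:5 * ERASE_BLOCK + 8] = b"\xff" * 8
    # block 9: left fully erased, as after an interrupted erase/write cycle
    cur[9 * ERASE_BLOCK:10 * ERASE_BLOCK] = b"\xff" * ERASE_BLOCK
    return baseline, bytes(cur)


if __name__ == "__main__":
    base, cur = make_sample_images()
    for entry in report(base, cur):
        print(f"block {entry['block']:4d} @0x{entry['offset']:06x}: "
              f"{entry['kind']:22s} {entry['changed_bytes']} bytes differ")
```

The per-block digests are the part worth keeping: a baseline taken once per model and firmware version lets a later dump be checked without storing or shipping the full image, and reporting in erase-block units points straight at the region a programmer would have to rewrite, which is also the unit you would restore from the backup.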

       

    • #2450611

      Just because this hit the back burner at askwoody doesn’t mean that’s the way elsewhere..

      https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/

       

    • #2450694

      I still prefer the USB flash method..

      I just download the .exe file to the desktop and run it.
