Firmware flaws could allow a malicious reflash, US CERT warns

U.S. CERT warned of three issues that could affect critical firmware

Three vendors have released fixes for vulnerabilities found in the critical firmware used during a computer's startup, according to an advisory from the U.S. Computer Emergency Readiness Team.

The vulnerabilities could allow an attacker to bypass a feature called Secure Boot, which verifies that firmware components carry a correct digital signature ensuring the software's authenticity. The attacker could then replace the device's firmware.

The flaws lie within some UEFI (unified extensible firmware interface) systems, the advisory said. UEFI is a firmware interface that was designed to improve upon BIOS.

A boot script within the UEFI S3 Resume path "resides in unprotected memory which can be tampered with by an attacker with access to physical memory," the advisory said.

An authenticated local attacker could bypass Secure Boot and reflash, or replace, the firmware even if signed firmware updates are supposed to be used. An attack could also cause a system to be inoperable.

Several vendors have taken action. American Megatrends Incorporated (AMI), which makes BIOS and UEFI firmware, has "addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production."

Intel and Phoenix Technologies, which also makes UEFI software, have issued fixes, the advisory said.

The advisory was one of three issued by U.S. CERT on Monday. The agency also warned of a "race condition" vulnerability in some Intel chipsets that could allow the bypass of a BIOS locking mechanism, allowing malicious code to be inserted into firmware.

American Megatrends and Phoenix Technologies have issued updates to address the issue, but it's unknown if other major vendors may be affected, according to the advisory.

U.S. CERT also warned in a third advisory of a buffer overflow in the open-source EDK1 project's UEFI reference implementation. One affected vendor that uses the firmware, Insyde Software, has fixed the issue.

American Megatrends, Apple, IBM, Intel and Phoenix Technologies are not affected by that flaw. However, it's not known whether other large vendors may be vulnerable.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags AppleintelIBMPhoenix TechnologiesExploits / vulnerabilitiesU.S. Computer Emergency Readiness TeamAmerican MegatrendsInsyde Software

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Family Friendly

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?