DaemonForums
News: News regarding BSD and related.
#1  27th July 2022  J65nko (Administrator)
Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us

From https://arstechnica.com/information-...-os-reinstalls

Quote:
Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.
#2  28th July 2022  blackhole (Spam Deminer)

Who'd have thought that a hugely complex proprietary binary interface, that sits between the hardware and OS could be such a rats nest...?

Then consider the Intel Management Engine - and AMD's equivalent - and the horrible mess that x86 is now in becomes clear. Some people worry about a bit of firmware for their top favourite distro, for hardware they don't even own, sitting in their /lib/firmware doing precisely nothing. The elephant in the living room of x86, with proprietary firmwares in UEFI, most other devices, adapter cards, hard disk controllers, NICs, the CPU, etc, etc, all already loaded and running, seemingly goes unnoticed.

20 years ago it seemed like the BIOS wasn't really needed any more - it seemed more and more redundant - I remember thinking, "it's going to get much smaller and simpler, the BIOS is a throwback to the days of IBM/MS-DOS", then they came up with even more complexity - a "mini" OS to replace the BIOS.

The biggest victory of UEFI/Secureboot was in convincing people it was actually needed - and that it was all about greater security and it was simply "better".

It's important to recognise that the architects of UEFI are mainly MS, Intel, AMD, the usual BIOS vendors and of course the x86 OEMs. The latter - large "big tech" corporations who, along with MS, have a very valid business interest - have maintained a secret deal with MS for decades to ensure Windows exclusivity on x86 and have worked hard with MS to lock down the platform for MS Windows 8/10/11.
#3  28th July 2022  victorvas (Victor)

If I understood the article correctly, the firmware was present in the new motherboards coming from the factory. Or is it a virus from the Internet infecting Asus and Gigabyte motherboards?
#4  28th July 2022  Head_on_a_Stick (Matthew)

https://securelist.com/cosmicstrand-...ootkit/106973/ says
Quote:
Although we were unable to discover how the victim machines were infected initially, an analysis of their hardware sheds light on the devices that CosmicStrand can infect. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset. This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware’s image.

In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows.

Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access (i.e., an evil maid attack scenario). Qihoo’s initial report indicates that a buyer might have received a backdoored motherboard after placing an order at a second-hand reseller. We were unable to confirm this information.
This particular malware only infects Windows systems but I'm sure there are plenty more out there :-)

So glad I have SecureBoot enabled. How reassuring. [/sarcasm]
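The report quoted above says the CSMCORE DXE driver's entry point was patched to redirect into code added to the .reloc section. Once carved out of the firmware volume (UEFITool will do that from an SPI dump), a DXE driver is an ordinary PE32+ file, so that particular trick is cheap to triage: does the first branch at AddressOfEntryPoint leave the code section? The Python below does that check. It is an added example written for this thread, not code from Kaspersky's report, from UEFITool or from any firmware vendor, and the two images it examines are constructed fixtures with made-up section layouts and a placeholder for the "added code". It resolves only direct E8/E9 branches, so an indirect jump, or a hook placed deeper than the first 64 bytes, would slip past it.

```python
# Added example (not the report's code): heuristic for a DXE driver whose
# entry point has been patched to jump into .reloc.  Fixtures are constructed.
import struct

PE32PLUS_MAGIC, IMAGE_FILE_MACHINE_AMD64 = 0x20B, 0x8664
IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 0x0B
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040                        # IMAGE_SCN_CNT_*
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_*
FILE_ALIGN = 0x200

def parse_pe32plus(image):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (64-bit DXE drivers) is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode(), va=va, vsize=vsize,
                             rawptr=rawptr, rawsize=rawsize, chars=chars))
    return entry_rva, sections

def section_of(rva, sections):
    for s in sections:  # section containing an RVA, or None
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def check_entry_point(image, window=64):
    """Flag an entry point outside a code section, an executable .reloc, or a direct
    jmp/call (E9/E8 rel32) in the first `window` bytes whose target is not code.
    Indirect branches are not followed: triage heuristic, not proof of a clean image."""
    entry_rva, sections = parse_pe32plus(image)
    entry_sec = section_of(entry_rva, sections)
    if entry_sec is None or not entry_sec["chars"] & (SCN_CODE | SCN_EXEC):
        return [f"entry point {entry_rva:#x} is outside any code section"]
    findings = [".reloc is marked executable" for s in sections
                if s["name"] == ".reloc" and s["chars"] & SCN_EXEC]
    code = image[entry_sec["rawptr"] + (entry_rva - entry_sec["va"]):][:window]
    i = 0
    while i + 5 <= len(code):
        if code[i] in (0xE8, 0xE9):
            target = entry_rva + i + 5 + struct.unpack_from("<i", code, i + 1)[0]
            tsec = section_of(target, sections)
            if tsec is None or not tsec["chars"] & (SCN_CODE | SCN_EXEC):
                findings.append(f"{'jmp' if code[i] == 0xE9 else 'call'} at {entry_rva + i:#x} "
                                f"targets {target:#x} in {tsec['name'] if tsec else '<no section>'}")
            i += 5
        else:
            i += 1
    return findings

def build_pe32plus(entry_rva, sections):
    """Pack a small, well-formed PE32+ image from (name, va, chars, data) tuples (fixture only)."""
    e_lfanew, opt_size = 0x80, 240                     # 240 = PE32+ optional header size
    hdr_len = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    sec_hdrs, body, rawptr = b"", b"", hdr_len
    for name, va, chars, data in sections:
        rawsize = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(data), va, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)  # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(hdr_len, b"\0") + body

TEXT_VA, RELOC_VA, ENTRY = 0x1000, 0x3000, 0x1040   # made-up layout for the fixtures

def _entry_code(jump_to=None):
    """Constructed entry: sub rsp,0x28 ; call helper ; add rsp,0x28 ; ret.
    With jump_to set, its first 5 bytes become jmp <jump_to>, as the report describes."""
    code = b"\x48\x83\xec\x28\xe8" + struct.pack("<i", TEXT_VA + 0x200 - (ENTRY + 9)) + b"\x48\x83\xc4\x28\xc3"
    if jump_to is not None:
        code = b"\xe9" + struct.pack("<i", jump_to - (ENTRY + 5)) + code[5:]
    return (b"\xcc" * 0x40 + code).ljust(0x400, b"\xcc")

def sample_images():
    """Clean fixture plus one patched to jump into code appended to .reloc.  Firmware PE
    loaders generally do not enforce section permissions, so the missing execute flag
    on .reloc does not stop the redirected code from running."""
    reloc = struct.pack("<IIHH", TEXT_VA, 12, 0xA048, 0)        # one IMAGE_BASE_RELOCATION block
    payload = reloc.ljust(0x20, b"\0") + b"\x48\x31\xc0\xc3"    # stand-in for the added code
    def layout(text, reloc_data):
        return [(".text", TEXT_VA, SCN_CODE | SCN_EXEC | SCN_READ, text),
                (".data", 0x2000, SCN_IDATA | SCN_READ | SCN_WRITE, b"\0" * 0x100),
                (".reloc", RELOC_VA, SCN_IDATA | SCN_READ, reloc_data)]
    return (build_pe32plus(ENTRY, layout(_entry_code(), reloc)),
            build_pe32plus(ENTRY, layout(_entry_code(jump_to=RELOC_VA + 0x20), payload)))
```

Against a real driver you would call check_entry_point(open(path, "rb").read()) on the image extracted from the SPI dump. A clean result only means this one trick is absent; comparing the extracted driver byte-for-byte with the same module from the vendor's published firmware update remains the stronger check.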
#5  29th July 2022  blackhole (Spam Deminer)

Quote:
Originally Posted by Head_on_a_Stick
So glad I have SecureBoot enabled. How reassuring. [/sarcasm]
There have been "Linux people" singing its praises and telling everyone who would listen that it was needed for well over a decade.

The Debian project go so far as to host this little opinion piece on their wiki site (I thought wikis were supposed to be facts, not a platform for Microsoft apologists...):

https://wiki.debian.org/SecureBoot

Quote:
UEFI Secure Boot is not an attempt by Microsoft to lock Linux out of the PC market here
[...]
SB is also not meant to lock users out of controlling their own systems.
#6  29th July 2022  jmccue (John McCue, Package Pilot)

Also from the Debian Wiki:

Quote:
SB is a security measure to protect against malware during early system boot
My guess is there are only one, maybe two, operating systems that need to worry about this malware. The majority of OSs used by people here have no worries about needing UEFI/Secure-boot.

I hope newer hardware still allows "Legacy Boot", but I am starting to think that option will be no more soon enough.
#7  29th July 2022  victorvas (Victor)

Quote:
Originally Posted by cynwulf
There have been "Linux people" singing it's praises and telling everyone who would listen that it was needed for well over a decade.

The Debian project go so far as to host this little opinion piece on their wiki site (I thought wikis were supposed to be facts, not a platform for Microsoft apologists...):

https://wiki.debian.org/SecureBoot
Debian fully supports Secure Boot, having its bootloader shimx64.efi signed by Microsoft to allow it to work with Secure Boot. Microsoft digitally signs Debian's bootloader... I wish it were a joke, but it isn't. The shimx64.efi is located in /boot/efi/EFI/debian and it launches grubx64.efi from the same directory. Grub then launches Debian Linux.
I guess switching to Debian will make my PC really secure and safe, right?
#8  29th July 2022  Head_on_a_Stick (Matthew)

Quote:
Originally Posted by cynwulf
Just to continue the second line in your quote from that page:
Quote:
Users can enrol extra keys into the system, allowing them to sign programs for their own systems. Many SB-enabled systems also allow users to remove the platform-provided keys altogether, forcing the firmware to only trust user-signed binaries.
^ This is what I have done with my laptop and it will now only boot Windows if SecureBoot is disabled
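The Debian wiki line quoted above says users can enrol their own keys and remove the platform-provided ones. What actually gets written into PK, KEK and db (and dbx) is a chain of EFI_SIGNATURE_LIST structures, and it is worth knowing that layout before trusting a tool to put your certificate there. The Python below builds and parses it; this is an added example written for this thread, not code from Debian, efitools or sbctl. The X.509 entry uses a five-byte DER placeholder rather than a real certificate and the owner GUID is made up; efitools' cert-to-efi-sig-list emits this same layout as a .esl, which sign-efi-sig-list then wraps in the time-based authenticated-variable envelope the firmware demands before it will accept the write.

```python
# Added example (not Debian, efitools or sbctl code): the EFI_SIGNATURE_LIST format
# stored in PK/KEK/db/dbx.  OWNER and PLACEHOLDER_CERT are made up for the demo.
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
_LIST_HDR = "<16sIII"   # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_LIST_HDR_LEN = 28
OWNER = uuid.UUID("0f1e2d3c-4b5a-4978-8796-a5b4c3d2e1f0")   # made-up SignatureOwner
PLACEHOLDER_CERT = b"\x30\x03\x02\x01\x01"                 # stands in for a DER certificate

def build_esl(sig_type, owner, entries):
    """Pack one EFI_SIGNATURE_LIST.  Every entry shares one SignatureSize, which is
    why a list of X.509 certificates in practice holds exactly one certificate."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one EFI_SIGNATURE_LIST must have equal size")
    sig_size = 16 + sizes.pop()                     # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)
    return struct.pack(_LIST_HDR, sig_type.bytes_le, _LIST_HDR_LEN + len(body), 0, sig_size) + body

def parse_esl(blob):
    """Walk concatenated EFI_SIGNATURE_LISTs and return [(type, owner, data), ...],
    refusing truncated or inconsistent headers instead of reading past them."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        t, lsize, hsize, ssize = struct.unpack_from(_LIST_HDR, blob, off)
        if ssize < 16 or lsize < _LIST_HDR_LEN + hsize or off + lsize > len(blob):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        data = blob[off + _LIST_HDR_LEN + hsize: off + lsize]
        if len(data) % ssize:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for i in range(0, len(data), ssize):
            out.append((uuid.UUID(bytes_le=t), uuid.UUID(bytes_le=data[i:i + 16]),
                        data[i + 16:i + ssize]))
        off += lsize
    return out

def efivarfs_payload(raw):
    """efivarfs prefixes every variable with 4 attribute bytes; strip them before parsing,
    e.g. parse_esl(efivarfs_payload(open("/sys/firmware/efi/efivars/"
    "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f", "rb").read()))."""
    if len(raw) < 4:
        raise ValueError("efivarfs payload too short")
    return raw[4:]

def demo_db():
    """A db holding one (placeholder) certificate list and one list of two SHA-256
    image hashes, serialised and parsed back."""
    hashes = [hashlib.sha256(b"constructed image %d" % n).digest() for n in (1, 2)]
    db = (build_esl(EFI_CERT_X509_GUID, OWNER, [PLACEHOLDER_CERT])
          + build_esl(EFI_CERT_SHA256_GUID, OWNER, hashes))
    return parse_esl(db)
```

Reading your machine's db through efivarfs this way, after removing the OEM keys, is a quick confirmation that only your own certificate (and whatever hashes you allow-listed) remains; the Microsoft UEFI CA and the vendor's certificates should no longer appear in the parsed output.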
#9  30th July 2022  Head_on_a_Stick (Matthew)

POWER9 is alright. Raptor Computing Systems offer (expensive) machines with fully open firmware.

There were high hopes for POWER10 but IBM decided to use blobs for the memory chips:

https://www.phoronix.com/news/IBM-PO...ot-All-Open-FW

Grrr...
Last edited by Head_on_a_Stick; 30th July 2022 at 02:10 PM. Reason: corrected manufacturer name; "Talos" is the product range.