Lenovo Scrambling To Get a Fix For BIOS Vulnerability

Richard Chirgwin, reporting for The Register: Lenovo, and possibly other PC vendors, are exposed to a UEFI bug that can be exploited to disable firmware write-protection. If the claims made by Dmytro Oleksiuk at Github are correct, an attacker can "disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise." The reason Oleksiuk believes other vendors are also vulnerable is that the buggy code is inherited from Intel. He writes that the SystemSmmRuntimeRt was copied from Intel reference code. Lenovo complains in its advisory that it tried to make contact with Oleksiuk before he published the vulnerability. The company says the vulnerable System Management Mode software came from an upstream BIOS vendor -- making it likely that other vendors getting BIOS software from the same outlet will also be vulnerable. There's also a hint that Lenovo agrees with a speculation by Oleksiuk, that the code may be an intentional backdoor: "Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code."

NSA Strikes Again!

:(

Re:NSA Strikes Again!

[AJWM]

"Once is an accident. Twice is coincidence. Three times is enemy action."

      -- Ian Fleming

We're way past three.

Re:NSA Strikes Again!

[Zontar+The+Mindless]

90% of all quotes on the Internet are discredited.

--Zhou Enlai

Re:NSA Strikes Again!

"Never assume malice when stupidity will suffice"

      -- Bill Gates

What I love about your choice of Bill Gates for this is he's exactly the person who would want people to belive something like that, even the 100th time round. In fact, when I think of Borland, NCSA, Netscape, Danger Ericsson, Sendo, the PlaysForSure partners and Nokia, Bill Gates should be allowed to claim the quote as his own through being the most dedicated user in history even if he didn't come up with it himself.

Re:NSA Strikes Again!

[Rick+Zeman]

"Once is an accident. Twice is coincidence. Three times is enemy action."

      -- Ian Fleming

We're way past three.

Close, and with correct attribution. "Once is happenstance..." not "an accident."

Re:NSA Strikes Again!

[fustakrakich]

Yeah, and he's wrong too.

Re:NSA Strikes Again!

[EEPROMS]

From experience with dealing with chinese OEM's and the spy v spy nature of china the code could have been added by a chinese spy working as an employee. We have had reports from our chinese based factories of government officials asking for code to be tampered with but usually not on the export items but on the local stuff. So yes if you are buying consumer electronics made for the chinese mainland market with a english language update you may find the device has 2-3 layers of back doors built in.

Re:NSA Strikes Again!

[HiThere]

I first saw that quote attributed to Napoleon Bonaparte.

Re:NSA Strikes Again!

[sasparillascott]

Intel...although I'd guess money strained AMD is no better. With regards to Intel & backdoors in its chips its good to remember what we know:

http://www.infowars.com/intel-...

And don't forget what that guy at Google mentioned WRT Intel:

https://plus.google.com/+Theod...

Of course this makes all our systems vulnerable to attack by foreigners as well, but the NSA seems comfortable with that world - the country they're supposed to protect is compromised by design as long as they can spy on everyone they're okay with foreign governments being able to do that too. I would expect Microsoft's Visual Studio to be compromised by design as well.

newer isn't always better.

i fully expect UEFI and secure boot to be littered with bugs, glitches, exploits, backdoors (different entities will call them different things but they're all the same.. vulnerabilities) given the nature of what it is, what it is 'supposed to do', what it actually does, how it came about, who pushed for the 'new way to do something' and the actual reasons why (hint: it isn't to protect your computers, data or interests). this "forced migration" to a new "standard" is a million times worse than the linux world's systemd thing... million times worse.

Re:newer isn't always better.

That's what I have concluded due to my experience too.
UEFI is not to protect everybody from Boot viruses or rootkits, but to protect the interest of commercial OS and backdoored Linux releases.
With UEFI you cannot use your laptop peripherals if you boot with the classic BIOS (by disabling UEFI), and you cannot install old versions of Windows due to signature requirement. Also, what's irritating is, you cannot compile your own Kernel anymore because you will be forced to boot on classic BIOS without your signature loaded into UEFI. Really bizarre when everybody was forced to swallow UEFI which restricts the flexibility of PC's.

Re:newer isn't always better.

[sjames]

I must say, I have yet to see a genuine improvement offered by UEFI. It looks like it's all downside from the consumer standpoint.

Software based firmware write protection is a joke

Software based firmware write protection is a joke. It is just as stupid as a door lock on a door and then hiding the key under the flowerpot on the porch.
It is no real protection at all. It should be a hardware switch like in the old days, but no, that increases the costs per device by $0.02 and it makes using the system by dumb people more difficult. Lets not do it and make an extra buck.

And because everyone reasons like this, we are now stuck with huge hardware and software stacks, which inherently cannot be secured, and an entire industry that tries just that, securing crappy systems, and failing at it.

Nobody Seems To Notice and Nobody Seems To Care

Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware

In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms 87

How many rootkits does the US[2] use officially or unofficially?

How much of the free but proprietary software in the US spies on you?

Which software would that be?

Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.

How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?

If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?

I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:

APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.

Where are the commercial or free anti-malware organizations and individual's products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.

The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.

Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.

Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware

Why I am not surprised by this

[onepoint]

Not surprised about this at all. A few simple reasons
A) Analog (Sci-fi/fact in the 80's) corporate warfare by making chips have vulnerabilities published more than once
B) in the last 11 years ( don't recall exactly ) , a published report ( also posted here in /.) about the company that was doing all sorts of pop-up ad's for a camera (ax-90 or something like that), had an interview with the chief programmer. He stated very specifically that his line was drawn when they figured they could hack the bio's and use that as the cookie storage to know if it was ok to advertise to that person or not
C) recent discovery about something hidden in the intel chips, while I don't recall exactly when published ( less than 1 year ) it's code was some sort of control mode, not usable generally, but possible research tool to learn more about the chips weakness.

please feel free to add to what I've stated and or clarify a better timeline or cite sources.

So this "better replacement for BIOS"...

... turns out to not really be better at all. More complexity, more bugs, more features nobody really needs, more enhancements that don't actually do what they're billed to do, more "security" that isn't, more dependency pressure on downstream users and dependent OSes, and more security vulnerabilities courtesy itself, yes. Actually better, no.

Pretty impressive.

Executing code in a input buffer? yeah, suck it up

[freax]

You asked for it Lenovo and/or Intel. This turns an incoming buffer into a funciton pointer and executes arbitrary incoming code:

v3 = *(VOID **)(CommunicationBuffer + 0x20);
v4 = CommunicationBuffer;
*(v3 + 0x8)(*(VOID **)v3, &dword_AD002290, CommunicationBuffer + 0x18);

That's moron. You asked for it. Now suck it up. Apologize to the world for creating a obvious backdoor.

I'm quite sure it won't be the only one coming from Intel's headquarters. And yes, security-researchers will keep digging them up and expose them. Forever.

You know what flashing a BIOS secure?

[mhkohne]

I liked it better when I had to move a jumper before I could flash the BIOS in a machine. That was really quite secure against post-shipment BIOS modification.

Of course, I also can't think of the last time I flashed the BIOS in any of my systems, which makes me wonder why the hell we ever got away from ROMs in the first place...

Re:You know what flashing a BIOS secure?

They can flash all they want... but that jumper is both less work and much more secure. You can point to it and check that it's put right. Software can much more easily lie, much more easily than poorly visible traces on a multi-layer pcb. Crypto is cute and all that, but all it does in UEFI/"SecureBoot" is take away control, without actually bringing any security to the end user. That puts the whole thing firmly in the "make-work for the end-user" (and another nice little consulteering racket for the security consulteering rackets industry) category.

You can't even complain you didn't know: It's implied in the terminology already. What is an "Advanced Persistent Threat" other than some vague danger you have no choice but to continue paying your favourite "computer security provider" over to keep at bay? "Vague But Nagging Danger That Keeps On Costing You Whatever You Do" is a much more accurate description. Thus more apt than APT, though not as snappily short. It's what you get for taking "convenient" shortcuts.

Re:You know what flashing a BIOS secure?

[PsychoSlashDot]

I liked it better when I had to move a jumper before I could flash the BIOS in a machine. That was really quite secure against post-shipment BIOS modification.

A good thought but it doesn't work so well when you've got hundreds or thousands of remotely supported systems scattered over the city/country/continent/planet.

Of course, I also can't think of the last time I flashed the BIOS in any of my systems, which makes me wonder why the hell we ever got away from ROMs in the first place...

You know this article is about shitty code, right? Well, I can tell you that the BIOS being shipped these days is shitty in more ways than this. If you have enough machines out there, you will sooner or later encounter something strange that involves a bug in firmware. From a mouse/printer/USB-vibrator to the latest DVI/HDMI/DisplayPort monitor, sooner or later you'll plug something in and it won't work as advertised. Or something that used to work stops working because... reasons. Basically, if you accept that there are firmware updates for motherboards, you should accept that there are reasons for them existing, even if you haven't needed them.

And don't get me started on the shitty code in server firmwares.

Most commercial systems (Dell, Lenovo, HP) they're bugfixes. Most consumer systems (Asus, Gigabyte, etc) they're updating support for processor microcode or memory module compatibility or whatever.

Re:You know what flashing a BIOS secure?

[williamyf]

I liked it better when I had to move a jumper before I could flash the BIOS in a machine. That was really quite secure against post-shipment BIOS modification.

Of course, I also can't think of the last time I flashed the BIOS in any of my systems, which makes me wonder why the hell we ever got away from ROMs in the first place...

Dear guys:

You seem to not realize how servers and cloud influence general computing. Intel, RedHat and many other companies do make the bulk of their income and profits from servers, therefore, servers are first, second and third.

That's why you got UEFI in the first place, and that's why UEFI has provisions for:
- Remote connections.
- Ethernet boot.
- etc.

Jumper to change the FIRMWARE?
Yeah, like that's going to work when your server count is in the couple of thousands... (also, not for a desktop/laptop fleet, but that's a different story).

sytemd is another example. Does anyone really believes that "RedHat is shoving the desktop down our throats"?

- You need to boot faster your cloud servers for elasticty's sake.
- Also, you need to boot faster if your preferred remedy for failures is to freze the VM for latter analisys, and spin up another instance.
- You need to shotdown machines fast when the work peak is over, in order to release resources fast, and not to overcharge the customer (if on public cloud).
- If your servers/virtual machines are controlled by another machine and not by a human, what do you preffer, configure a centralized repository of values via an API (like on VMS and 'gulp' Windows' registry*)? Or having to parse a rag-tag fleee of config files, each with "a slightly different syntax"**?

I guess you can see the drift from here...

* I am not saying that the IMPLEMENTATION of the Windows Registry is right. What I am saying is that the IDEA of a Centralized Repository Of System Configuration Info Accessible Trough An API is good. Again, see VMS.

** Even though for us humans the syntax of most config files seems the same, for other machines one config file is ussaly completely different from the other...

Re:You know what flashing a BIOS secure?

[jonwil]

I upgraded my PC around xmas with a Gigabyte Skylake motherboard and I had to upgrade to the latest BIOS revision before Fallout 4 (the reason I bought the upgrades in the first place) would run without crashing.

I do agree that a physical switch for the BIOS write protection would be a good idea.

Re:You know what flashing a BIOS secure?

I liked it better when I had to move a jumper before I could flash the BIOS in a machine. That was really quite secure against post-shipment BIOS modification.

A good thought but it doesn't work so well when you've got hundreds or thousands of remotely supported systems scattered over the city/country/continent/planet.

The part where you're remotely flashing is really but a very small part in all that. Take, say, ATMs. They run windows, have holes up the ying-yang, get "pwned" merely by plugging in an USB device*, and so on, and so forth. Flashing isn't going to help there.

I've argued elsewhere that such a thing is one of the few places where I'd condone TPM and "secure" boot, in fact it'd be fully justified there**, and even then the better way to do maintenance is to send a replacement board rather than trying to do remote updates. The update might fail and then you have to go there anyway, so even with small risk of that you'd have to be on-site anyway so as to avoid hours- or days-long outages because of a failed update.

That means that as soon as you consider the bigger picture, flashing just isn't that great, nor important.

It's pretty good for "consumer" support because you can have your customers do all the scutwork and if they're out the hardware for a couple weeks, or forever since out of warranty, hey, no skin off your nose. That's also why they're trying to do everything in software: Opening the case and setting a jumper is deemed too hard, and having a program magically do everything and present nice tick marks and "success!" screens is easy.

But if you have to do all of the support, it's a completely different thing.

And don't get me started on the shitty code in server firmwares.

Modern-day "servers" really are but more expensive desktops with all sorts of crap bolted on to provide some semblance of server-ish-ness. Real Servers have been AWOL for quite a while. It's what you get for having tech-illiterates do the hardware and software purchasing... and hiring of more tech-illiterates as "technical specialists". So all the desktop considerations apply.

For better service, you get to pay for support contracts that swap hardware first and cart off the broken kit to see what went wrong later.

* Crooks managing to get physical access is one thing... the thing actually having always-on functional usb ports, quite another.
** Along with not using windows. That they still do anyway means many things, all bad.

Re:You know what flashing a BIOS secure?

[sjames]

That's why you got UEFI in the first place, and that's why UEFI has provisions for: - Remote connections. - Ethernet boot. - etc.

We already had those with the old BIOS.

As for systemd, startpar already booted faster, as did a number of other modifications to SysV. Same for fast shutdown. We already have tools like puppet and company for deploying config files.

For fleets of servers, I wouild rather do the re-flash and then disable flash writes during the commissioning process (assembly line style if you have a lot of new servers to put online) rather than wonder what happens if someone wipes a bunch of servers in a single stroke one night.

The ability to update a BIOS is a good thing, but nobody in their right mind does it routinely.

So tell me again, what has actually been gained?

Re:Executing code in a input buffer? yeah, suck it

[fahrbot-bot]

That's moron.

"Moronic," moron. :-)

Just like Intel's IME root-kit...

[canada_dry]

Trust us... it's perfectly safe.

Not sure I care or should care

[Carewolf]

I have never enabled the write protection on the flash. It is just an annoying feature that wouldn't do any good in protecting the machines against anything.

Also, by using this they can disable secure boot? I already disabled that to run Linux!

It's not a bug

it's a back-door, and back-doors do not build and insert themselves into structures. When NSA delivers the court orders to Intel, they abide, deny, and otherwise don't speak a word of it. This is how it works with U.S. technology these days.

Re:It's not a bug

[Rick+Zeman]

it's a back-door, and back-doors do not build and insert themselves into structures. When NSA delivers the court orders to Intel, they abide, deny, and otherwise don't speak a word of it. This is how it works with U.S. technology these days.

On the other hand, the less people that know about "it" the better. That way no one talks about locked doors in San Francisco phone intererchanges and the such....

Re: Nobody Seems To Notice and Nobody Seems To Car

I have ONE word for you... BREVITY!!

I'm not reading any post that long, and I doubt many others will as well

Just win10? Or Linux as well?

[Danathar]

Has any demonstration been done using Linux instead of Windows 10? I don't run Windows on my T420

Re:Just win10? Or Linux as well?

It even works from raw UEFI - https://github.com/Cr4sh/ThinkPwn

Re:Software based firmware write protection is a j

[future+assassin]

It is just as stupid as a door lock on a door and then hiding the key under the flowerpot on the porch.

Actually as stupid as a store with gates on its windows and door glass but the front door lock has a twist handle on the inside. Break the glass and open the door...

HA! Firmware! Just went limp.

[fustakrakich]

Put the BIOS on ROM, on a sim card so it can be replaced dammit! And while we're on the subject, why isn't the OS on a read only chip also? Mine is. It's "live"

Re:N$A

[HiThere]

You've got too narrow a focus. I'd give around a 20% chance that it was an unintended error, and no more than around a 40% chance that it was the NSA. But there are lots of other "official" actors, and even gangs of criminals and discontented employees as possibilities, also.

OTOH, I, at least, realize that my estimates in this case say more about me than about the external world. I'm too ignorant to place any certainty on those probabilities, loose as they are.

Re:Software based firmware write protection is a j

not really, since part of having your apartment broken into is KNOWING its been broken into.

key + flowerpot nicely obscures the hack.

whereas broken glass everywhere is a pretty good sign that something has been taken.

Remember; you can't actually prevent someone sufficiently motivated from getting in your house (Axe/sledgehammer/Car will bust pretty much any security measure). But the more destructive they have to be; the more likely the forced entry will be detected.

In the absence of complete security; you may as well opt for security canaries (broken glass is a good one)

Re:Executing code in a input buffer? yeah, suck it

IDA pro is not exactly AI. It just "reverses" every machine code instruction to C. In the original machine code, it is probably just a CPU register.