Supermicro, Pulse Secure release fixes for ‘TrickBoot’ attacks

If you deploy your own hardware (how very 20th Century of you) then one item for your hardening list is to check the BIOS…:

[…] This could allow the malware to perform various malicious activities, such as bricking a device, bypassing operating system security controls, or reinfecting a system even after a full reinstall.

To check if a UEFI BIOS has ‘write protection’ enabled, the module uses the RwDrv.sys driver from the RWEverything utility.

“All requests to the UEFI firmware stored in the SPI flash chip go through the SPI controller, which is part of the Platform Controller Hub (PCH) on Intel platforms. This SPI controller includes access control mechanisms, which can be locked during the boot process in order to prevent unauthorized modification of the UEFI firmware stored in the SPI flash memory chip.

Modern systems are intended to enable these BIOS write protections to prevent the firmware from being modified; however, these protections are often not enabled or misconfigured. If the BIOS is not write-protected, attackers can easily modify the firmware or even delete it completely,” Eclypsium and Advanced Intel.

The malware’s ability to analyze a device’s firmware is currently restricted to specific Intel platforms, including Skylake, Kaby Lake, Coffee Lake, Comet Lake.


Original Article