BIOS Extreme Privilege Escalation
August 6, 2014
Over the past year, MITRE's firmware security research team, consisting of Xeno Kovah, John Butterworth, Sam Cornwell, and myself, has reported on low-level PC firmware security issues, such as access control mechanisms protecting the BIOS and sophisticated attacks against it. We've also provided solutions, such as BIOS Chronomancy, Copernicus, and Copernicus 2.
A New Attack Vector
We recently discovered two vulnerabilities in the open source Unified Extensible Firmware Interface (UEFI) source code. (We are presenting these findings at Black Hat USA and DEF CON this month.) UEFI is designed to be a more modular and flexible replacement for the legacy Basic Input/Output System (BIOS), which has existed on x86-based PCs for over 30 years. About eight years ago, Intel Corporation put together an industry forum that now maintains UEFI as an industry standard.
Like all software, firmware can also have bugs--some of which are potentially exploitable security vulnerabilities. UEFI marks a departure from BIOS proprietary binary blobs, which were not easily inspected by attackers. Because the UEFI source code is available as open source, it's possible for malicious actors to find and create exploits for vulnerabilities. Unfortunately, it is extremely hard to detect when such vulnerabilities are being exploited, because BIOS-integrity checking software is not widely available in commercial products.
Therefore we set out to analyze the UEFI source code ourselves to find and squash any security-critical bugs. And find them we did! After analyzing the source for only about a week, we found two highly critical vulnerabilities that occur early in the boot cycle, which could allow an attacker to take control of the system, infect the firmware, and defeat all existing security mechanisms. The nitty-gritty details of the vulnerabilities are described in our whitepaper.
Disclosure of Vulnerabilities
Once we found the vulnerabilities, we responsibly disclosed them to the U.S. Computer Emergency Readiness Team. We also told Intel. However, unlike Microsoft, which, as a single vendor, can patch disclosed vulnerabilities fairly easily, this story didn't end so quickly. Because the UEFI reference source code is used by a variety of vendors, Intel had to coordinate a large effort to track down all who were affected and get them to release patches. Because of our disclosure, and those of other researchers, a new and more efficient process is being created to handle future vulnerabilities. The UEFI Forum has created a new UEFI Security Response Team to ensure that in the future, when vulnerabilities are found, all UEFI members are informed in an expedient manner.
We have updated our BIOS integrity and vulnerability checking technology Copernicus to find the most recent vulnerabilities. If you are with the U.S. government or a large corporation with tens of thousands of systems and would like to scan your BIOS for known vulnerabilities and infections, we would like to work with you. Please contact us via Copernicus at mitre.org.
Similarly, if you are with a security company that would like to offer a BIOS-checking capability to your customers, we would like to work with you to incorporate Copernicus technology into your products. Please contact us via Copernicus at mitre.org.