Security researchers find new vulnerability in UEFI


Security researchers have found a serious vulnerability in UEFI, the firmware interface that succeeds the classic BIOS. Unlike previously known UEFI vulnerabilities, the new bug is easier to exploit and is not limited to hardware from particular manufacturers.

The bug allows attackers to rewrite the firmware stored on the UEFI flash chip, giving them control of a victim's system below the operating system. It was discovered by security researchers Rafal Wojtczuk and Corey Kallenberg, who presented their findings at the Chaos Communication Congress (CCC) in Hamburg.

By exploiting the bug, the researchers were able to circumvent the write protection that is meant to stop anything other than manufacturer-supplied firmware from being flashed to the UEFI chip. Unlike previous UEFI vulnerabilities, the new problem is easier to exploit: no special equipment is required, software running on the system is enough. The researchers also claim the problem is present in all UEFI firmware and even in older BIOS implementations.

One of the ways the researchers got past the protection is a race condition: the write protection is not enforced at every instant, so an attacker who keeps attempting a write to the flash memory eventually lands one in the brief unprotected window. "You can try it millions of times, and at some point it works," said researcher Kallenberg. The attack requires two threads running concurrently on a system with at least two cores, one that keeps opening the window and one that keeps attempting the write.
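As an added illustration (not code from the article and not the researchers' own code), the following user-space C program models the class of race described above: a request to enable flash writes is honoured immediately and only undone by a handler that runs shortly afterwards, which leaves a window that a second thread can hit. The names chipset_model, request_write_enable, handler_disable_writes and run_race are hypothetical; the "locked-down" variant, in which the request is refused outright instead of being undone later, models a latched protection in general and does not describe any particular chipset.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical model of a flash write-protection bit (added illustration,
 * not firmware and not the researchers' code). Register names are made up. */
struct chipset_model {
    atomic_bool write_enable;  /* flash writes go through while this is set    */
    atomic_bool lock_down;     /* latched: write_enable can no longer be raised */
    atomic_bool stop;          /* tells both threads to finish                  */
};

/* The "handler": it runs shortly after a write-enable request and switches
 * the protection back on. The delay before it runs is the race window. */
static void handler_disable_writes(struct chipset_model *m)
{
    atomic_store(&m->write_enable, false);
}

/* Untrusted code requests write access. Vulnerable model: the request is
 * honoured at once and only undone by the handler later. Locked-down model:
 * the request is refused outright, so there is no window to race. */
static bool request_write_enable(struct chipset_model *m)
{
    if (atomic_load(&m->lock_down))
        return false;
    atomic_store(&m->write_enable, true);
    return true;
}

struct race_args {
    struct chipset_model *m;
    uint64_t writes_landed;    /* touched by the writer thread only */
};

/* Thread 1: keeps requesting write access; each request is followed by the
 * handler, with a short spin standing in for the handler's latency. */
static void *requester(void *p)
{
    struct race_args *a = p;
    while (!atomic_load(&a->m->stop)) {
        if (request_write_enable(a->m)) {
            for (volatile int i = 0; i < 200; i++) { }
            handler_disable_writes(a->m);
        }
    }
    return NULL;
}

/* Thread 2: hammers the flash; a write only lands while write_enable is set. */
static void *writer(void *p)
{
    struct race_args *a = p;
    while (!atomic_load(&a->m->stop)) {
        if (atomic_load(&a->m->write_enable))
            a->writes_landed++;
    }
    return NULL;
}

/* Run the two threads for `millis` milliseconds and return how many writes
 * slipped past the protection (0 if the threads could not be started). */
uint64_t run_race(bool locked_down, unsigned millis)
{
    struct chipset_model m;
    atomic_init(&m.write_enable, false);
    atomic_init(&m.lock_down, locked_down);
    atomic_init(&m.stop, false);

    struct race_args a = { &m, 0 };
    pthread_t t_req, t_wr;
    if (pthread_create(&t_req, NULL, requester, &a) != 0)
        return 0;
    if (pthread_create(&t_wr, NULL, writer, &a) != 0) {
        atomic_store(&m.stop, true);
        pthread_join(t_req, NULL);
        return 0;
    }

    struct timespec ts = { millis / 1000, (long)(millis % 1000) * 1000000L };
    nanosleep(&ts, NULL);
    atomic_store(&m.stop, true);
    pthread_join(t_req, NULL);
    pthread_join(t_wr, NULL);
    return a.writes_landed;
}

int main(void)
{
    printf("vulnerable model: %llu writes landed\n",
           (unsigned long long)run_race(false, 500));
    printf("locked-down model: %llu writes landed\n",
           (unsigned long long)run_race(true, 500));
    return 0;
}
```

The vulnerable run lands some writes on any machine, because the writer only has to observe the bit during the handler's latency and the requester reopens that window in a loop; this is what "try it millions of times" amounts to. The locked-down run lands none, which is the property a fix has to provide: a protection that the requester cannot toggle off at all, rather than one that is switched back on after the fact.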

“Thanks to this vulnerability, we can flash firmware to the UEFI chip, but also enter system management mode,” said researcher Wojtczuk. System management mode (SMM) is a CPU mode in which code runs with higher privilege than the operating system itself, so far-reaching changes can be made to a system from there. Because the firmware can also be rewritten, the vulnerability can be used to plant malware that survives a reinstallation of the operating system.

In November, researchers at MITRE had already found vulnerabilities in UEFI. Those were two vulnerabilities in Intel's UEFI reference implementation, on which many vendors base their own firmware. They affected UEFI firmware from Phoenix, AMI, HP and Intel itself, and in that case too persistent malware could be installed.
