News Firmware flaw affects numerous generations of Intel CPUs — UEFI code execution vulnerability found for Intel CPUs from 14th Gen Raptor Lake to 6th...

So is this any different from all these other modern “vulnerabilities” that require physical access to the PC to make it vulnerable?
While I get why you may be dismissive, you have to consider most big Corpos are now fully using notebooks and people carry them everywhere, so chances of stealing one and tampering with it are just growing year over year.

Server and, to a degree, desktop PC is low-ish risk. Laptop, this (like any other with physical access) matters quite a bit.

Regards.
 

rluker5

Distinguished
Jun 23, 2014
690
415
19,260
While I get why you may be dismissive, you have to consider most big Corpos are now fully using notebooks and people carry them everywhere, so chances of stealing one and tampering with it are just growing year over year.

Server and, to a degree, desktop PC is low-ish risk. Laptop, this (like any other with physical access) matters quite a bit.

Regards.
But if you have your drive BitLockered with an fTPM, isn't that secure against UEFI tampering, with the worst possible outcome of the drive becoming unreadable, which is a moot point if someone already stole your work laptop and has it in pieces in a lab somewhere? I don't think companies care that much about the laptop hardware if it is stolen, just the information on it.
 
But if you have your drive BitLockered with an fTPM, isn't that secure against UEFI tampering, with the worst possible outcome of the drive becoming unreadable, which is a moot point if someone already stole your work laptop and has it in pieces in a lab somewhere? I don't think companies care that much about the laptop hardware if it is stolen, just the information on it.
You're not necessarily wrong, but the mere fact you can't physically destroy it is still a risk in and of itself. Remember it's not about it being impossible to decrypt, but a matter of time.

Depending on the industry you are in, it may be more or less important and, on average, I do believe you're correct. Still, there are plenty of industries nowadays where they're implementing remote destruction for such cases.

Regards.
 

mac_angel

Distinguished
Mar 12, 2008
597
105
19,160
You're not necessarily wrong, but the mere fact you can't physically destroy it is still a risk in and of itself. Remember it's not about it being impossible to decrypt, but a matter of time.

Depending on the industry you are in, it may be more or less important and, on average, I do believe you're correct. Still, there are plenty of industries nowadays where they're implementing remote destruction for such cases.

Regards.
These are very rare cases when compared to the masses; I'd hazard a guess that it's probably less than 0.001% of all the computers out there. And they should all have a lot of various security options on these laptops.
So, how does this affect everyone else? Is this another "exploit" that needs physical access to the hardware to do anything? If so, then pretty much every single home PC is not at risk. Every kid in high school, and probably college would be at very low risk, too.
 

bit_user

Polypheme
Ambassador
But if you have your drive BitLockered with an fTPM, isn't that secure against UEFI tampering, with the worst possible outcome of the drive becoming unreadable,
Not sure about that. Whenever I upgrade the BIOS of my Alder Lake corporate Dell PCs, it disables bitlocker and reboots, to do the install, then re-enables bitlocker. Seems like an exploit could take advantage of that.

Also, does any part of UEFI firmware stay resident, while the OS is running? Or is UEFI exclusively just a pre-boot environment?
 

bit_user

Polypheme
Ambassador
The article said:
The specific Phoenix SecureCore UEFI firmware vulnerability that prompted this posting is referred to as "UEFIcanhazbufferoverflow" by Eclypsium, which is just a funny way of pointing out that this is a buffer overflow exploit.
I approve of this reference.


 
But cannot be exploited.

Exploitation is less likely because this is something an attacker would use after gaining access to the system to maintain persistence. That's why Eclypsium is not releasing a proof-of-concept exploit.

This one also seems like a less 'developed' vulnerability than LogoFail, because it does not have stages of payload deployment after being executed, and it is specific to the Phoenix BIOS.
 
These are very rare cases when compared to the masses; I'd hazard a guess that it's probably less than 0.001% of all the computers out there. And they should all have a lot of various security options on these laptops.
So, how does this affect everyone else? Is this another "exploit" that needs physical access to the hardware to do anything? If so, then pretty much every single home PC is not at risk. Every kid in high school, and probably college, would be at very low risk, too.
What are you referring to with "these very rare cases"?

And as I said, the number is growing anyway. Why would a business, any business, risk losing information if they could easily avoid it?

I don't disagree with the rest of what you said, as I said so myself in the original reply. If this were important, it would be for corporate users with confidential/restricted/critical information on their laptops.

As for the likelihood of exploitation... I'm not clear, TBH, so I can't comment on that particular, but very relevant, tidbit.

Regards.
 

CmdrShepard

Prominent
Dec 18, 2023
426
315
560
If you execute pamela.exe with admin rights it can easily exploit this GetVariable UEFI thing and tamper with your BIOS, perhaps even hide itself there.

No matter how much you protect everything, someone somewhere is always going to click that $NudeGirl.exe file.
 

rluker5

Distinguished
Jun 23, 2014
690
415
19,260
Not sure about that. Whenever I upgrade the BIOS of my Alder Lake corporate Dell PCs, it disables bitlocker and reboots, to do the install, then re-enables bitlocker. Seems like an exploit could take advantage of that.
I think yours is a case of suspending bitlocker, with stuff still being encrypted but unlocked to programs in the OS.
Maybe if some digitally signed, authorized by someone with administrator privileges, firmware flashing program that also had the ability to execute this exploit were run you might get some funny stuff going on. Just what could be done? Make a RAID 1?
Also, does any part of UEFI firmware stay resident, while the OS is running? Or is UEFI exclusively just a pre-boot environment?
If you yanked the bios chip out of a running system and nothing happened then probably not. I don't feel like taking that chance on my old Z97 Fatal1ty though. Even though it has an extra one I would not be happy losing the full use of my HT Omega Claro pci soundcard.

Edit: Come to think of it wouldn't it be easier to just rewrite the bios chip with one of those programmer setups you get from Aliexpress? I'm not sure this is the right kit, but somebody is probably selling the one specific to the hardware in question: https://www.aliexpress.us/item/3256806579239775.html?spm=a2g0o.productlist.main.13.2118de9fEXAvBt&algo_pvid=3d9a162a-7d6e-4fce-ab12-8f201f8ab0f4&algo_exp_id=3d9a162a-7d6e-4fce-ab12-8f201f8ab0f4-6&pdp_npi=4@dis!USD!5.44!0.99!!!5.44!0.99!@2101d69a17191153458282189e73f7!12000038226538278!sea!US!0!AB&curPageLogUid=3r3P2o3DgDVN&utparam-url=scene:search|query_from:

One more edit: UEFI bioses can make the OS call out to a website and download an exe. An example is Asus Armoury Crate.
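The three mechanisms that come up in this thread (BitLocker being suspended around a firmware flash, firmware version as the only practical patch indicator for the Phoenix bug, and firmware handing the OS a binary to run via WPBT) are all things an administrator can audit from inside Windows. The script below is an added example, not code from any poster in this thread or from Eclypsium or Phoenix. It reads state only and changes nothing. The `DisableWpbtExecution` value and the `wpbbin.exe` path come from Microsoft's WPBT documentation; the `Get-FirmwarePosture` function name and the output field names are the example's own choices.

```powershell
# Added example: read-only audit of firmware/BitLocker/WPBT posture.
# Run from an elevated PowerShell session on Windows 10/11.

function Get-FirmwarePosture {
    # 1. Firmware identity. Compare Version/ReleaseDate against the OEM's advisory
    #    for the Phoenix SecureCore fix; from the OS this is the only cheap indicator.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $firmware = [pscustomobject]@{
        Manufacturer = $bios.Manufacturer
        Version      = $bios.SMBIOSBIOSVersion
        ReleaseDate  = $bios.ReleaseDate
    }

    # 2. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS boots,
    #    so report $null rather than failing the whole audit.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

    # 3. TPM presence and readiness (discrete TPM or fTPM look the same here).
    $tpm = Get-Tpm

    # 4. BitLocker. A volume that is FullyEncrypted but has ProtectionStatus Off
    #    is the "suspended" state a BIOS updater leaves behind: the volume key
    #    is stored unprotected until protection is resumed, so this should be
    #    transient and never the steady state on a laptop.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint    = $_.MountPoint
            VolumeStatus  = $_.VolumeStatus
            Protection    = $_.ProtectionStatus
            Suspended     = ($_.VolumeStatus -eq 'FullyEncrypted' -and
                             $_.ProtectionStatus -eq 'Off')
            KeyProtectors = ($_.KeyProtector |
                             ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }

    # 5. WPBT, the firmware-to-OS binary channel used by tools like Asus Armoury
    #    Crate. Windows drops the supplied binary at System32\wpbbin.exe; the
    #    documented opt-out is the DisableWpbtExecution registry value.
    $wpbtBinaryPresent = Test-Path "$env:SystemRoot\System32\wpbbin.exe"
    $sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $wpbtDisabled = (Get-ItemProperty -Path $sessionMgr -Name DisableWpbtExecution `
                     -ErrorAction SilentlyContinue).DisableWpbtExecution -eq 1

    [pscustomobject]@{
        Firmware          = $firmware
        SecureBoot        = $secureBoot
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        BitLockerVolumes  = $volumes
        WpbtBinaryPresent = $wpbtBinaryPresent
        WpbtDisabled      = $wpbtDisabled
    }
}

$posture = Get-FirmwarePosture
$posture | Format-List
$posture.BitLockerVolumes | Format-Table -AutoSize
```

The two findings worth alerting on are `Suspended = True` on any volume outside a planned firmware update window, and `WpbtBinaryPresent = True` on a fleet where nobody intends firmware to inject executables into the OS; both are conditions an endpoint-management agent can poll for with the same cmdlets.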
 

Conor Stewart

Prominent
Oct 31, 2022
29
16
535
Eh? Why is everyone's knee-jerk about AI backwards? Your statement should read: "just wait until the bug bounty hunters earn tens of thousands more per year by using AI"
It's not backwards though: either it will balance out with everyone using AI, or there won't be enough bugs to sustain bounty hunting, or a few people will get very rich whilst everyone else has to find something else to do. Another alternative is that companies just start offering less because they have many more bugs being found.

Your statement is not too different from the one you criticise; the one you criticise is looking at it negatively, you are looking at it positively, and only time will tell which is right.
 

mac_angel

Distinguished
Mar 12, 2008
597
105
19,160
What are you referring to with "these very rare cases"?

And as I said, the number is growing anyway. Why would a business, any business, risk losing information if they could easily avoid it?

I don't disagree with the rest of what you said, as I said so myself in the original reply. If this were important, it would be for corporate users with confidential/restricted/critical information on their laptops.

As for the likelihood of exploitation... I'm not clear, TBH, so I can't comment on that particular, but very relevant, tidbit.

Regards.
Because even the vast majority of people that have a work laptop do not have any access to sensitive information. While they may have VPN access, or customer account access by logging in, for a great many of those people that do, it is still very limited, and so low level that they would not be prime targets to go through the trouble of trying to hack the laptop, and then trying to hack the access. Not to mention, the great majority of people that were given work laptops to work from home do just that - leave it at home.
When the lockdowns from Covid happened, a great many businesses gave work laptops to people so they could continue working from home. After the lockdowns, all these companies realized how much money they were saving by doing this by not having to provide work spaces and all the costs that come with it. All these people that were able to start working from home, and everyone since then since it's caught on, because hey, these big companies have to make bigger and bigger profits somehow; well, they take their laptops, set up some sort of home office or workspace, and there it stays. The laptops rarely leave the house, and these people have very limited access to anything when they log in anyway. Anyone that is mobile with their laptop, and has access to sensitive information, has a TONNE (I'm Canadian, lol) of security already on their laptop, including GPS, kill switches, high end encryption. Not to mention, stuff is rarely ever saved on these laptops - they'd be on Cloud storage, or encryption keys. If they lose their laptop, even for a moment, they have to report it instantly.
 
Because even the vast majority of people that have a work laptop do not have any access to sensitive information. While they may have VPN access, or customer account access by logging in, for a great many of those people that do, it is still very limited, and so low level that they would not be prime targets to go through the trouble of trying to hack the laptop, and then trying to hack the access. Not to mention, the great majority of people that were given work laptops to work from home do just that - leave it at home.
When the lockdowns from Covid happened, a great many businesses gave work laptops to people so they could continue working from home. After the lockdowns, all these companies realized how much money they were saving by doing this by not having to provide work spaces and all the costs that come with it. All these people that were able to start working from home, and everyone since then since it's caught on, because hey, these big companies have to make bigger and bigger profits somehow; well, they take their laptops, set up some sort of home office or workspace, and there it stays. The laptops rarely leave the house, and these people have very limited access to anything when they log in anyway. Anyone that is mobile with their laptop, and has access to sensitive information, has a TONNE (I'm Canadian, lol) of security already on their laptop, including GPS, kill switches, high end encryption. Not to mention, stuff is rarely ever saved on these laptops - they'd be on Cloud storage, or encryption keys. If they lose their laptop, even for a moment, they have to report it instantly.
So you agree with me using a lot of words different to "yes, I agree".

Got it.

Regards.
 

bit_user

Polypheme
Ambassador
Because even the vast majority of people that have a work laptop do not have any access to sensitive information. While they may have VPN access, or customer account access by logging in, for a great many of those people that do, it is still very limited, and so low level that they would not be prime targets to go through the trouble of trying to hack the laptop, and then trying to hack the access. Not to mention, the great majority of people that were given work laptops to work from home do just that - leave it at home.
When the lockdowns from Covid happened, a great many businesses gave work laptops to people so they could continue working from home. After the lockdowns, all these companies realized how much money they were saving by doing this by not having to provide work spaces and all the costs that come with it. All these people that were able to start working from home, and everyone since then since it's caught on, because hey, these big companies have to make bigger and bigger profits somehow; well, they take their laptops, set up some sort of home office or workspace, and there it stays. The laptops rarely leave the house, and these people have very limited access to anything when they log in anyway. Anyone that is mobile with their laptop, and has access to sensitive information, has a TONNE (I'm Canadian, lol) of security already on their laptop, including GPS, kill switches, high end encryption. Not to mention, stuff is rarely ever saved on these laptops - they'd be on Cloud storage, or encryption keys. If they lose their laptop, even for a moment, they have to report it instantly.
If corporate network admins are even 1/10th this naive, it's no wonder they keep getting hacked.

Most of this is not true of my company. You get one laptop. You may work from home 2 days per week, but most people have to carry their laptop back and forth. Sure, the laptops are loaded with security software of various sorts and the drives are encrypted, but the network was fairly open - you could see most parts of it from most other parts, including the VPN, because people need access to the same stuff when they're remote as they would when they're in the office.

They got hacked, big time. Rumor has it that multiple data sets were stolen (i.e. from servers - I don't think it was the sort of stuff someone just had on their laptop) and probably not a single admin had access rights to everything that was taken. So, that means the hackers probably just got into the network and went from there. We lost probably almost a month of work, because the company panicked, shut everything down, took everything offline, and then only gradually started to bring things back.

BTW, they send us phishing test emails to train us not to click anything in email. This has gone on for several years. I don't know how the hackers gained access, but I think it's not a foregone conclusion it was via phishing. We do have some lab systems & VMs running old operating systems that we still need to support, for some reason.
 

mac_angel

Distinguished
Mar 12, 2008
597
105
19,160
So you agree with me using a lot of words different to "yes, I agree".

Got it.

Regards.
I was trying to give a bigger explanation to my reasoning, which it seems, some people still disagree with.
Most of this is not true of my company. You get one laptop. You may work from home 2 days per week, but most people have to carry their laptop back and forth. Sure, the laptops are loaded with security software of various sorts and the drives are encrypted, but the network was fairly open - you could see most parts of it from most other parts, including the VPN, because people need access to the same stuff when they're remote as they would when they're in the office.
You haven't said what company you work for, or hinted at how much of the workforce that might make up.
While I do live in Canada, and maybe some might say that makes my knowledge on the worldwide subject limited, in dealing with companies such as Intel, MSI, Asus, Microsoft, NVidia, Amazon, Rogers Communications, and Bell Canada, I can say that there are a huge number of employees that have laptops, work purely at home, and have very limited access to anything of value. Mostly because all those bigger companies outsource a lot of their tech and customer support. But for Rogers and Bell, when Covid hit and the lockdowns seemed like they were going to be going on for a long time, they gave their employees laptops and set them up to work from home. Same with Amazon. Rogers and Bell continue still to have a huge amount of their workforce working from home because it is vastly cheaper. It is a lot cheaper to set up an employee with a laptop, headset and a cell/mobile phone, and even basic Internet if they say they need it, than it is to rent/own office space and all the costs of running it. Especially with the cost of hydro in many of the places in North America.
 

bit_user

Polypheme
Ambassador
You haven't said what company you work for,
Obviously.

or hinted at how much of the workforce that might make up.
Multinational with more than 10k employees.

for Rogers and Bell, when Covid hit and the lockdowns seemed like they were going to be going on for a long time, they gave their employees laptops and set them up to work from home.
Some of our sales and support staff that used to have desks in the office are now 100% remote. I don't know how much say they had in the matter.

Especially with the cost of hydro in many of the places in North America.
Hydro?
 

mac_angel

Distinguished
Mar 12, 2008
597
105
19,160
Obviously.


Multinational with more than 10k employees.


Some of our sales and support staff that used to have desks in the office are now 100% remote. I don't know how much say they had in the matter.


Hydro?
lol, electricity. Maybe consider that I did say I am Canadian. I don't think it's far-fetched to make the jump from "hydro" to "electricity" when I was talking about the costs of running an office building.
And, no, I don't think many employees got a choice about working from home. I'm willing to bet that they have limited access to things through the VPN. And also willing to bet that the majority of them leave their laptop at home, at a desk or workspace, not travel around with it to a lot of places.
The elitists want to make as much money as possible, so discovering how much money they save by making them work remotely just makes sense.
Little FYI. Canada has the worst prices for mobile phones as well as Internet. It is actually cheaper for a Canadian to get a mobile phone and plan from France and pay for roaming than it is to use the plans here.
 
Jun 27, 2024
1
1
15
This sentence is a bit misleading but I can understand why the author of the article wrote it: "This vulnerability also extends to several other UEFI BIOS vendors, including Lenovo, Intel, Insyde, and AMI. Phoenix is the latest to join the list."
It is misleading because the Eclypsium vulnerability "UEFIcanhazbufferoverflow" does not affect any other vendor code besides Phoenix and vendors downstream from Phoenix that have incorporated Phoenix code into their product. The author links to a Lenovo advisory where Lenovo grouped many unrelated vulnerabilities together. Only one of those vulns mentioned is "UEFIcanhazbufferoverflow". Just because Lenovo grouped "UEFIcanhazbufferoverflow" with Intel, Insyde and AMI vulns does not mean that AMI, Insyde or Intel had any association with "UEFIcanhazbufferoverflow".
 

bit_user

Polypheme
Ambassador
the Eclypsium vulnerability "UEFIcanhazbufferoverflow" does not affect any other vendor code besides Phoenix and vendors downstream from Phoenix that have incorporated Phoenix code into their product.
...
Just because Lenovo grouped "UEFIcanhazbufferoverflow" with Intel, Insyde and AMI vulns does not mean that AMI, Insyde or Intel had any association with "UEFIcanhazbufferoverflow".
Thanks for taking the time & trouble to clarify this!