[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] CVE-2017-9457 CompuLab Intense PC lacks firmware signature validation
- To: "fulldisclosure" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CVE-2017-9457 CompuLab Intense PC lacks firmware signature validation
- From: "Hal Martin" <hal.martin@xxxxxxxxxxxxxx>
- Date: Sat, 22 Jul 2017 10:58:57 +0200 (CEST)
Credits: Hal Martin
Website: watchmysys.com
Source:
https://watchmysys.com/blog/2017/07/cve-2017-9457-compulab-intense-pc-lacks-firmware-validation/
Vendor:
====================
CompuLab (compulab.com)
Product:
====================
Intense PC / MintBox 2
Vulnerability type:
====================
Platform lacks signature verification and does not validate firmware update
before flashing
CVE Reference:
====================
CVE-2017-9457
Summary:
====================
Since 2013 CompuLab manufactures and sells the Intense PC (also sold under the
name "MintBox 2"), which is a small Intel-based fanless PC sold to end-users
and industrial customers. It was discovered that there is no signature
validation of the UEFI firmware update file before flashing, allowing an
attacker to silently flash a modified UEFI firmware to flash using the standard
Phoenix update utility.
CompuLab have indicated via email that capsule signature validation is disabled
by default by the IBV (Phoenix) for this platform. No timeline was provided to
implement capsule signature verification.
Affected versions:
====================
All firmware versions since product release (latest public firmware is 21 May
2017)
Attack Vector:
====================
An attacker tricks the user into running a malicious executable with local
administrator privileges, which updates the system firmware to include the
attacker's code. The attacker may instead use a known OS exploit to perform the
upgrade remotely (without user interaction or notification).
Proof of concept:
====================
I have created a modified firmware update which replaces the stock UEFI shell
with the UEFI shell from EDK2. The update can be flashed from within Windows
without any user interaction or notification. Firmware updates are not signed
by CompuLab or verified by the existing firmware before upgrade.
The modified update, based on the 21 May 2017 firmware, can be downloaded here:
https://watchmysys.com/blog/wp-content/uploads/2017/07/update-IPC-20170521-edk2.zip
Details of the full proof of concept can be found at the Source link above.
Mitigation:
====================
At this time there is no means for the end user to enable Capsule Signature
verification or to prevent the Phoenix update utility from updating the system
firmware.
Therefore Intense PC owners should consider the following options:
- Ensure your operating system is up to date with the latest security patches.
Do not run software from untrusted sources.
- Do not connect your Intense PC to any networks with internet access (i.e.
air-gap the computer).
- Discontinue your use of the Intense PC and consider replacing the computer
with one from a different manufacturer who implements signature validation for
firmware updates.
Disclosure timeline:
====================
6 June 2017: Issue reported to CompuLab
6 June 2017: CompuLab confirms that “Default settings of this source tree
[Phoenix SecureCore Tiano Enhanced Intel Ivy Bridge CPU Panther Point M] has
disabled Capsule Signature option.”
6 June 2017: Issue is reported to MITRE
6 June 2017: Vulnerability is assigned CVE-2017-9457
7 June 2017: CompuLab are informed that the vulnerability has been assigned
CVE-2017-9457 and details of the vulnerability will be published after 45 days
22 July 2017: Details of the vulnerability are published
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/