June 2020 Firmware Threat Report
Establishing security at the device level is an integral part of any cybersecurity strategy. In this issue of Below The Surface, we look at the most common vulnerabilities attackers are exploiting now, review the latest security advisory from Intel, assess the impact of Thunderspy and Ripple20, and present a new white paper that helps build device security into your overall cybersecurity plan. We’ve also included a roundup of this month’s news, research, advisories and other reading related to firmware, hardware and device security.
Top 10 Most Exploited Vulnerabilities – No Excuses – ‘Absolutely Critical to Patch As Soon As Possible’
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government published an alert on the Top 10 Routinely Exploited Vulnerabilities, with data from 2016-2019 and 2020. The most commonly exploited vulnerabilities this year involve device security, including a remote code execution vulnerability in Citrix VPN appliances (CVE-2019-19781) and an arbitrary file reading vulnerability in Pulse Secure VPN servers (CVE-2019-11510). CISA and the FBI warned that sophisticated foreign cyber attackers are routinely exploiting these vulnerabilities. Patches are available from the vendors and are essential for mitigation.
Intel Security Advisories – 20 New Vulnerabilities
On June 9th, Intel released a new security advisory, SA-00295, which describes 20 new vulnerabilities affecting the Management Engine (ME or CSME) component. Beyond mainstream end-user devices, the vulnerabilities also affect platforms with a Server Platform Module (SPS) component found in servers, and a Trusted Execution Engine (TXE) component found in low-power or embedded devices. Two of the vulnerabilities are rated Critical and another 8 are rated High severity. Some vulnerabilities of particular interest are detailed below:
- The two critical vulnerabilities (CVE-2020-0594 and CVE-2020-0595), rated at CVSS score 9.8, only affect an AMT-provisioned ME that is configured with IPv6 functionality. Using an out-of-bounds read and a use-after-free vulnerability, an unauthenticated user could mount a remote escalation-of-privilege attack with only network access.
- CVE-2020-0566, rated High severity with a CVSS score of 7.3, is similar in nature to CVE-2019-0090, which was released in May of 2019 under advisory SA-00213. The similarity lies in the use of a well-timed RS1 DMA transaction after the ME resumes from Power Gating. Unlike CVE-2019-0090, the new vulnerability uses the USB DbC interface (DCI) to issue the DMA transaction. Since DCI is intended for debug capability during manufacturing, the mitigation for this vulnerability is to disable the interface once manufacturing is complete.
We’ve added support for these new vulnerabilities to the Eclypsium device protection platform, enabling customers to easily identify which devices are at risk and assess the overall health of their device fleet. The screenshot below shows a vulnerability warning on a device with improper buffer restrictions in Intel ME firmware.
Breaking Thunderbolt Protocol Security
The “Thunderspy” attack exploits flaws in the security of Thunderbolt controllers, one of which is that the controller trusts whatever firmware is currently flashed. Thunderbolt implements a concept called “security levels” which allows the user to determine which Thunderbolt devices are to be trusted and which are not. With physical presence, an attacker can simply modify the contents of the Thunderbolt controller flash chip, which holds the current firmware and configuration, and disable all the security measures completely. The vulnerabilities discovered indicate that if an attacker has physical access to a device with an Intel Thunderbolt controller, they can potentially bypass existing software protections and gain access to the targeted computer. To detect such tampering and exploitation, users would need to check the Thunderbolt firmware and configuration at every boot, or use a tool such as the Eclypsium platform.
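One way to do the per-boot check described above, as an added example that is not Eclypsium's code: record the Thunderbolt security level, host controller NVM version and attached-device list from the Linux sysfs attributes and diff them against a baseline taken at enrolment. It assumes a Linux host exposing /sys/bus/thunderbolt; the sample sysfs trees and their values are constructed for the demo.

```python
import os, tempfile

SYSFS_TB = "/sys/bus/thunderbolt/devices"  # real Linux sysfs path; the sample trees below are constructed

def _read(path):
    try:
        return open(path).read().strip()
    except OSError:
        return None

def collect_state(root=SYSFS_TB):
    """Snapshot what flash-level tampering would change: security level, host NVM version, device list."""
    state = {"security": _read(os.path.join(root, "domain0", "security")),
             "host_nvm": _read(os.path.join(root, "0-0", "nvm_version")), "devices": {}}
    for name in (sorted(os.listdir(root)) if os.path.isdir(root) else []):
        uid = _read(os.path.join(root, name, "unique_id"))
        if uid is not None and not name.endswith("-0"):  # skip domain dirs and host controllers
            state["devices"][uid] = _read(os.path.join(root, name, "device_name"))
    return state

def check_against_baseline(state, baseline):
    """Return findings; an empty list means the platform matches the recorded baseline."""
    findings = []
    if state["security"] != baseline["security"]:
        findings.append("security level changed: %s -> %s" % (baseline["security"], state["security"]))
    if state["security"] in (None, "none"):
        findings.append("security level 'none': every attached device is trusted")
    if state["host_nvm"] != baseline["host_nvm"]:
        findings.append("host NVM version changed: %s -> %s" % (baseline["host_nvm"], state["host_nvm"]))
    for uid, name in state["devices"].items():
        if uid not in baseline["devices"]:
            findings.append("device not in baseline: %s (%s)" % (name, uid))
    return findings

def _write_sample_tree(root, tampered):
    """Constructed sysfs layout: attribute names are the kernel's, values are made up."""
    files = {"domain0/security": "none" if tampered else "user", "0-0/nvm_version": "19.0" if tampered else "33.0",
             "0-1/unique_id": "dock-uid-constructed", "0-1/device_name": "TB3 Dock"}
    if tampered:  # a device never recorded in the baseline is now present
        files.update({"0-3/unique_id": "rogue-uid-constructed", "0-3/device_name": "Unknown"})
    for rel, value in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(value + "\n")

def demo(tampered):
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as now:
        _write_sample_tree(clean, False)  # clean tree stands in for the baseline recorded at enrolment
        _write_sample_tree(now, tampered)
        return check_against_baseline(collect_state(now), collect_state(clean))
```

On a real host, run `collect_state()` once on a known-good machine, store the result, and call `check_against_baseline(collect_state(), stored)` from a boot-time service.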
Ripple20 Security Advisories
The JSOF research lab has publicly disclosed 19 critical vulnerabilities, dubbed “Ripple20”, which impact a widely used TCP/IP software library. The library, developed by Treck Inc. and later incorporated into products across multiple industries and device types, shows how a single element in a product implementation can have an extremely widespread effect.
According to JSOF, impacted device vendors range from Fortune 500 companies to small boutique shops in industry segments including telecom, energy, medical and transportation. See the Treck Inc. vulnerability response for more.
Ensuring Device Security in Federal Environments
A new white paper from Eclypsium helps you build device security into your overall cybersecurity plan with simple steps that progress from basic cyber hygiene to preventing advanced persistent threats using the Cybersecurity Maturity Model Certification (CMMC) framework as a guideline.
DEVICE & FIRMWARE THREATS IN THE WILD
- Hacked VPN likely started Mitsubishi Electric attacks
- UK electricity middleman hit by cyber-attack
- QNAP NAS devices targeted in another wave of ransomware attacks
- Zyxel Flaw Powers New Mirai IoT Botnet Strain
INDUSTRY NEWS OVERVIEW
- Intel brings novel CET technology to Tiger Lake mobile CPUs
- Executive Order on Securing the United States Bulk-Power System
- U.S. Restriction on Chipmakers Deals Critical Blow to Huawei
- Secure a Networked Printer Before It Can Be Breached
- FBI: People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations
DEVICE & FIRMWARE SECURITY ADVISORIES
- Cisco Fixes High-Severity Flaws In Firepower Security Software, ASA
- Cisco and Palo Alto Networks appliances impacted by Kerberos authentication bypass
- Cisco’s warning: Critical flaw in IOS routers allows ‘complete system compromise’
- New CrossTalk attack impacts Intel’s mobile, desktop, and server CPUs
- 2020.1 IPU – Intel CSME, SPS, TXE, AMT, ISM and DAL Advisory
- The Intel Converged Security Management Engine (CSME) Delayed Authentication Mode (DAM) vulnerability – CVE-2018-3659 and CVE-2018-3643
- Arm CPUs impacted by rare side-channel attack
- Palo Alto Networks reveals D-Link home router vulnerabilities
DEVICE & FIRMWARE SECURITY RESEARCH
- Revisiting RowHammer: An Experimental Analysis of Modern DRAM Devices and Mitigation Techniques
- Full papers on the CacheOut attack and SGAxe attacks that breach SGX attestation, recovering private EPID keys
- A Journey in Reversing UEFI Lenovo passwords management
- OuterHaven – The UEFI memory space that’s just itching to be misused
- How to use Trend Micro’s Rootkit Remover to Install a Rootkit
- Unpacking HP Firmware Printer Updates (Part 1, Part 2, Part 3)
- Research of the Zephyr RTOS and MCUboot bootloader
- Attacking the Golden Ring on AMD Mini-PC
ADDITIONAL READING & LISTENING
- Hardware-Enabled Security for Server Platforms: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases – a NIST white paper.
- Protecting Device Integrity in the Supply Chain
- Designing Firmware Resilience for 3 Top Attack Vectors
- Hardware Root of Trust — Bios and UEFI
- Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers
- Pursuing Durable Safety for Systems Software – Matt Miller.
UPCOMING WEBINARS
- Improve Device Security Using The CMMC Framework – John Loucaides, VP of R&D at Eclypsium, will share insights on how attackers compromise device integrity and how you can defeat them by designing device security into your cybersecurity practices. Whether you are part of the defense industry, the broader federal government or a commercial entity, you’ll benefit from this approach to securing critical devices.