[CLVA-2017-01-002]: Gigabyte BRIX BIOS Write Protection is not enabled
Cylance identified a vulnerability in the UEFI firmware for the Gigabyte GB-BSi7H-6500 and GB-BXi7-5775 platforms, which could allow attacker modify firmware from ring 0.
The Gigabyte BRIX is a common Mini-PC Barebone platform (via http://www.gigabyte.us/products/list.aspx?s=47&ck=104).
- GB-BSi7H-6500 (UEFI firmware version: vF6 from 2016/05/18)
- GB-BXi7-5775 (UEFI firmware version: vF2 from 2016/07/19)
An attacker can modify the SPI flash image to install a persistent rootkit/bootkit or corrupt the firmware due to disabled-by-default flash write protection features.
- Cylance Identifier: CLVA-2017-01-002
- CVE Identifier: CVE-2017-3198
A vulnerability has been identified in one of the UEFI firmwares from American Megatrends Inc. (AMI) used in Gigabyte's GB-BSi7H-6500 and GB-BXi7-5775 platforms. The security features (BIOSWE, BLE, SMM_BWP, PRx) for protecting the BIOS from arbitrary modifications are not enabled by default. The flash write protection mechanisms are not enabled by default and Intel BootGuard is not available for Gigabyte BRIX platforms. The firmware updates for Gigabyte BRIX platforms are not signed. During the firmware update process, an attacker may modify the platform firmware with persistent malicious code since no integrity check is performed.
An attacker can use the AMI Firmware Update (AFU) to make arbitrary modifications of the SPI flash image from ring 0. As an example, this vulnerability may be used to write a rootkit/bootkit to the SPI flash image. The rootkit could persist across operating system re-installs and allow an attacker to bypass security features such as Secure Boot, Virtual Secure Mode, Device Guard. An attacker can also modify firmware policies using the AMI BIOS Configuration Program (AMIBCP) to unlock the Intel Direct Connect Interface (DCI) which may be used for platform debugging when running an Intel Skylake CPU over USB3 with the Intel SVT adapter.
An attacker could use the AMI or Gigabyte firmware update tool to install a custom UEFI firmware or modify the SPI flash memory to install a persistent rootkit/bootkit.
Gigabyte has released UEFI firmware version F7 to address this issue for the GB-BSi7H-6500 platform. However, the GB-BXi7-5775 is End Of Life (EOL), and therefore may not be receiving an update. Affected users should update the firmware as soon as possible. Firmware updates can be found at Gigabyte's Support Page.
- Alex Matrosov, Principal Research Scientist, Cylance
Details for CLVA-2017-01-002
- Example of the vulnerability detection by Chipsec
python chipsec_main.py -m common.bios_wp
- Output information from Chipsec:
[CHIPSEC] API mode: using CHIPSEC kernel module API [CHIPSEC] OS : Windows 10 10.0.14393 AMD64 [CHIPSEC] Platform: Mobile 6th Generation Core Processor (Skylake U) [CHIPSEC] VID: 8086 [CHIPSEC] DID: 1904 [+] loaded chipsec.modules.common.bios_wp [*] running loaded modules .. [*] running module: chipsec.modules.common.bios_wp [*] Module path: c:\Chipsec\chipsec\modules\common\bios_wp.pyc [x][ ======================================================================= [x][ Module: BIOS Region Write Protection [x][ ======================================================================= [*] BC = 0x00000A88 << BIOS Control (b:d.f 00:31.5 + 0xDC)  BIOSWE = 0 << BIOS Write Enable  BLE = 0 << BIOS Lock Enable  SRC = 2 << SPI Read Configuration  TSS = 0 << Top Swap Status  SMM_BWP = 0 << SMM BIOS Write Protection  BBS = 0 << Boot BIOS Strap  BILD = 1 << BIOS Interface Lock Down [-] BIOS region write protection is disabled! [*] BIOS Region: Base = 0x00A00000, Limit = 0x00FFFFFF SPI Protected Ranges ------------------------------------------------------------ PRx (offset) | Value | Base | Limit | WP? | RP? ------------------------------------------------------------ PR0 (84) | 00000000 | 00000000 | 00000000 | 0 | 0 PR1 (88) | 00000000 | 00000000 | 00000000 | 0 | 0 PR2 (8C) | 00000000 | 00000000 | 00000000 | 0 | 0 PR3 (90) | 00000000 | 00000000 | 00000000 | 0 | 0 PR4 (94) | 00000000 | 00000000 | 00000000 | 0 | 0 [!] None of the SPI protected ranges write-protect BIOS region [!] BIOS should enable all available SMM based write protection mechanisms or configure SPI protected ranges to protect the entire BIOS region [-] FAILED: BIOS is NOT protected completely
- Discovery Date: 2016-12-20
- Vendor Notification Date: 2017-01-17
- CERT/CC Contact Date: 2017-01-18
- Vendor Acknowledgement Date: 2017-02-17
- Patch Release Date: 2017-03-30
- Public Disclosure Date: 2017-03-30