- “Discovering vulnerable UEFI BIOS firmware at scale”, 44CON 2017
- “Attacking hypervisors through hardware emulation”, Troopers 2017
- “BARing the System New vulnerabilities in Coreboot & UEFI based systems”, Recon Brussels 2017
- “Digging Into The Core of Boot”, Recon 2017
- “Driving Down the Rabbit Hole”, DEF CON 25
- “Exploring Your System Deeper [with CHIPSEC] is Not Naughty”, CanSecWest 2017
- “Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks”, Black Hat 2017
- “Blue Pill for Your Phone”, Black Hat 2017
- “Different methods of BIOS analysis: Static, Dynamic and Symbolic execution”, Analyze 2016
- “Symbolic execution for BIOS security”, USENIX WOOT 2015
- “Reaching the far corners of MATRIX: generic VMM fingerprinting”, SOURCE 2015
- “Attacking and Defending BIOS in 2015”, Recon 2015
- “ASN.1 parsing in crypto libraries: what could go wrong?”, Latincrypt 2015
- “A New Class of Vulnerabilities in SMI Handlers”, CanSecWest 2015
- “Attacking Hypervisors via Firmware and Hardware”, Black Hat 2015 and DEF CON 23
- “BERserk: New RSA Signature Forgery Attack”, Ekoparty 2014
- “Summary of Attacks Against BIOS and Secure Boot”, DEF CON 22
- “All Your Boot Are Belong To Us”, CanSecWest 2014
- “A Tale of One Software Bypass of Windows 8 Secure Boot”, Black Hat USA 2013
- “HI-CFG: Construction by Binary Analysis, and Application to Attack Polymorphism”, ESORICS 2013
- “Automatically Searching for Vulnerabilities: How to Use Taint Analysis to Find Security Bugs”, Hack In The Box 2012
- “The System of Automatic Searching for Vulnerabilities or how to use Taint Analysis to find security bugs”, Hackito Ergo Sum 2012
- CVE-2017-9633 – An attacker with a physical connection to the TCU may exploit a buffer overflow condition that exists in the processing of AT commands. This may allow arbitrary code execution on the baseband radio processor of the TCU: Advisory (ICSA-17-208-01) Continental AG Infineon S-Gold 2 (PMB 8876)
- CVE-2017-9647 – A vulnerability in the temporary mobile subscriber identity (TMSI) may allow an attacker to access and control memory. This may allow remote code execution on the baseband radio processor of the TCU:
Advisory (ICSA-17-208-01) Continental AG Infineon S-Gold 2 (PMB 8876)
AFFECTED PRODUCTS
All telematics control modules (TCUs) built by Continental AG that contain the S-Gold 2 (PMB 8876) cellular baseband chipset are affected. The S-Gold 2 (PMB 8876) is found in the following vehicles:
– BMW several models produced between 2009-2010
– Ford - program to update 2G modems has been active since 2016 and impact is restricted to the limited number of P-HEV vehicles equipped with this older technology that remain in service
– Infiniti 2013 JX35, Infiniti 2014-2016 QX60, Infiniti 2014-2016 QX60 Hybrid, Infiniti 2014-2015 QX50, Infiniti 2014-2015 QX50 Hybrid, Infiniti 2013 M37/M56, Infiniti 2014-2016 Q70, Infiniti 2014-2016 Q70L, Infiniti 2015-2016 Q70 Hybrid, Infiniti 2013 QX56, Infiniti 2014-2016 QX 80
– Nissan 2011-2015 Leaf - CVE-2016-4002 – Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes
- CVE-2016-4001 – Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet
- CVE-2015-0427 – Integer overflow causes memory corruption in VMSVGAFIFOGETCMDBUFFER in Oracle VirtualBox prior to 4.3.20
- CVE-2015-0418 – VirtualBox guest crashes when execute INVEPT/INVVPID instructions in user mode application
- CVE-2015-4856 (2 vulnerability) - Read un-initialization memory at in Oracle VirtualBox prior to 4.0.30, 4.1.38, 4.2.30, 4.3.26, 5.0.0 by overlapping MMIO BARs with each other
- CVE-2014-6588 – Memory corruption in VMSVGAGMRTRANSFER in Oracle VirtualBox
- CVE-2014-6589 – Memory corruptions in VMSVGAFIFOLOOP in Oracle VirtualBox
- CVE-2014-6590 – Memory corruptions in VMSVGAFIFOLOOP in Oracle VirtualBox
- CVE-2014-3689 (3 vulnerability) – The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling
- CVE-2014-3645 – QEMU guest crashes when execute INVEPT instructions in user mode application
- CVE-2014-3646 – QEMU guest crashes when execute INVVPID instructions in user mode application
- CVE-2014-8274 – Vulnerability Note VU#976132: UEFI implementations do not properly secure the EFI S3 Resume Boot Path boot script
- CVE-2014-1568 – Vulnerability Note VU#772676: Mozilla Network Security Services (NSS) fails to properly verify RSA signatures
- CVE-2011-0222 – Remotely exploitable memory corruption vulnerability in WebKit, as included with multiple vendors' browsers, could allow an attacker to execute arbitrary code with the privileges of the current user: About the security content of Safari 5.1 and Safari 5.0.6 , Advisory: CVE-2011-0222
- Privilege escalation vulnerability from Android Kernel to Hypervisor on phones based on Qualcomm Snapdragon 808 and 810 SoC. Presented at Black Hat 2017: “Blue Pill for Your Phone”
- Number of vulnerabilities in EDK2 open source firmware reference implementation.
EDK II Security Advisories
Presented at RECon 2015: “Attacking and Defending BIOS in 2015” - Number of vulnerabilities in open source firmware implementation for Minnowboard systems:
MinnowBoard MAX 0.81 Release Notes - Bypass Windows 10 Virtualization Based Technology:
Presented at Black Hat 2017: “Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks” - Privilege escalation vulnerability from Dom0 or Root Partition to Hypervisor on Xen and Microsoft Hyper-V systems:
Presented at Black Hat 2015: “Attacking and Defending BIOS in 2015” - Firmware S3 Boot Script vulnerabilities:
"Technical Details of the S3 Resume Boot Script Vulnerability" - RSA Padding check vulnerability in WolfSSL:
wolfSSL 3.2.0 Release Notes