Security researchers have uncovered backdoor-like behavior in the UEFI firmware of Gigabyte motherboards. According to firmware security firm Eclypsium, the firmware drops a Windows executable to disk during boot, and that executable then retrieves updates over an insecure channel.
Eclypsium detected the issue in April 2023 and promptly informed Gigabyte, which has since acknowledged it and released firmware updates to address it. John Loucaides, Senior Vice President of Strategy at Eclypsium, explained that most Gigabyte firmware contains a Windows native binary embedded in the UEFI image. The firmware hands this binary to Windows through the Windows Platform Binary Table (WPBT), an ACPI table that tells the operating system to write the binary to disk and run it during startup, resembling the LoJack "double agent" attack, in which a firmware-embedded anti-theft agent was turned against its host. The dropped executable then downloads and runs additional binaries using insecure methods.
Loucaides emphasized that the author's intent is what separates this finding from a deliberately malicious backdoor. The embedded executable appears to be a legitimate update application, but its download process exposes the system to attack. The .NET-based application downloads and executes a payload from Gigabyte's update servers over plain HTTP, so anyone on the network path, for example on a compromised router, can substitute their own payload in an adversary-in-the-middle attack. Plain HTTP provides neither confidentiality nor integrity, so at the transport layer a substituted payload is indistinguishable from a genuine one.
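To make that failure mode concrete, the following is an added example, not code from the article, from Eclypsium or from Gigabyte. It contrasts the fetch-and-run pattern described above with an updater that refuses non-TLS URLs and verifies a detached Ed25519 signature over the payload, using a vendor public key compiled into the updater, before anything is executed. It is written in Go rather than the .NET the real updater uses, because Go's standard library carries Ed25519. Everything in it is constructed: the hostnames, the key pair, the "binaries" and the network layer are stand-ins so that it runs offline, and nothing is actually executed; "running" a payload only records which bytes reached that point.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var ErrBadSignature = errors.New("update payload failed signature verification")

// Fetcher stands in for the HTTP client so the whole flow runs offline.
type Fetcher func(rawURL string) ([]byte, error)

// insecureUpdate reproduces the pattern described in the article: fetch whatever
// the update URL returns and execute it. Whoever sits on the path decides what runs.
func insecureUpdate(fetch Fetcher, updateURL string, run func([]byte) error) error {
	payload, err := fetch(updateURL)
	if err != nil {
		return err
	}
	return run(payload)
}

// secureUpdate refuses non-TLS URLs and verifies a detached Ed25519 signature
// with a vendor key compiled into the updater before anything runs. An on-path
// attacker can still block the update but cannot substitute a payload that verifies.
func secureUpdate(fetch Fetcher, updateURL string, vendorKey ed25519.PublicKey, run func([]byte) error) error {
	if u, err := url.Parse(updateURL); err != nil || u.Scheme != "https" {
		return fmt.Errorf("refusing non-TLS update URL %q", updateURL)
	}
	payload, err := fetch(updateURL)
	if err != nil {
		return err
	}
	sig, err := fetch(updateURL + ".sig") // detached signature published beside the binary
	if err != nil {
		return err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(vendorKey, payload, sig) {
		return ErrBadSignature
	}
	return run(payload)
}

// DemoResult records what each updater did behind a compromised router.
type DemoResult struct {
	InsecureRanImplant bool  // naive updater executed the attacker's binary
	SecureRanImplant   bool  // hardened updater executed the attacker's binary
	SecureErr          error // why the hardened updater refused
	GenuineAccepted    bool  // hardened updater still accepts the vendor-signed binary
}

// Demo uses constructed sample data: the key pair, hostnames and "binaries" are
// illustrative and unrelated to any real Gigabyte infrastructure.
func Demo() (DemoResult, error) {
	var res DemoResult
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	genuine := []byte("MZ...genuine-updater")
	genuineSig := ed25519.Sign(vendorPriv, genuine)
	malicious := []byte("MZ...attacker-implant")
	const httpURL, httpsURL = "http://updates.example.invalid/LiveUpdate/app.exe", "https://updates.example.invalid/LiveUpdate/app.exe"
	// serve answers the binary URL with the given bytes. The attacker holds no
	// vendor key, so the best it can do is replay the genuine signature.
	serve := func(binary []byte) Fetcher {
		return func(rawURL string) ([]byte, error) {
			if strings.HasSuffix(rawURL, ".sig") {
				return genuineSig, nil
			}
			return binary, nil
		}
	}
	honest, compromisedRouter := serve(genuine), serve(malicious)
	// record stands in for process execution and notes whether the implant ran.
	record := func(flag *bool) func([]byte) error {
		return func(b []byte) error {
			*flag = bytes.Equal(b, malicious)
			return nil
		}
	}
	_ = insecureUpdate(compromisedRouter, httpURL, record(&res.InsecureRanImplant))
	res.SecureErr = secureUpdate(compromisedRouter, httpsURL, vendorPub, record(&res.SecureRanImplant))
	res.GenuineAccepted = secureUpdate(honest, httpsURL, vendorPub, record(new(bool))) == nil
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The https check only helps when the TLS client actually validates the server certificate (Go's net/http does so by default); the signature check is what protects the host when the transport is compromised or misconfigured. Keying the check to a public key compiled into the updater also means that control of the download server alone is not enough to push code to every board.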
Approximately 364 Gigabyte motherboard models, an estimated 7 million devices, are potentially affected. Weaknesses in a privileged firmware update mechanism like this one give threat actors a stealthy way to implant firmware malware that bypasses security controls in the operating system. And because UEFI code lives in flash on the motherboard rather than on the disk, malware injected into the firmware persists across a disk wipe and a reinstallation of the operating system.
Organizations can reduce this risk by keeping their firmware updated. Inspecting and disabling the "APP Center Download & Install" feature in UEFI/BIOS Setup, and setting a BIOS password to deter malicious changes to those settings, is also strongly encouraged.
Loucaides acknowledged the challenges of firmware updates, which often see low user uptake. That does not change the reality that an update application embedded in firmware, automatically downloading and running a payload over an insecure channel, is a risk that has to be dealt with. By addressing this vulnerability, Gigabyte and its users can work toward a more secure computing environment.