Oh no

Bad news: three newly disclosed vulnerabilities let hackers modify a computer's UEFI, and more than one million laptops are affected. UEFI, short for Unified Extensible Firmware Interface, is the software that connects a computer's device firmware to its operating system. As the first software that almost any modern machine runs when it powers on, it is the first link in the security chain. Because UEFI lives in a flash chip on the motherboard, an infection there is hard to detect and even harder to remove.

Two of the vulnerabilities, tracked as CVE-2021-3971 and CVE-2021-3972, lie in UEFI firmware drivers that were meant to be used only during the manufacturing of Lenovo consumer laptops. Lenovo engineers inadvertently left the drivers in the production BIOS images without properly deactivating them. A hacker can use these flawed drivers to disable protections, including UEFI Secure Boot, the BIOS control register bits and the protected range registers, which are built into the Serial Peripheral Interface (SPI) and are designed to prevent unauthorized changes to the firmware it holds.
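The BIOS control register bits and protected range registers named above are what a firmware scanner reads to decide whether the SPI flash is actually locked. The following added example (not code from the article, from ESET or from Lenovo) decodes those registers and judges whether a BIOS region is write-protected, the same check a defender runs after a firmware update or during an incident. The bit layouts follow the Intel PCH datasheets for BIOS_CNTL and the PRx registers; the register values and the BIOS region bounds are constructed for illustration, and reading the live values on a real machine requires a privileged tool such as chipsec.

```python
# Added example: decode Intel PCH SPI flash write-protection registers
# (BIOS_CNTL and PR0..PR4) and judge whether the BIOS region is protected.
# Bit layouts follow the Intel PCH datasheets; the register values and the
# BIOS region bounds below are constructed for illustration.

# BIOS_CNTL (LPC/eSPI PCI config, offset 0xDC) bits relevant to write protection
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash writes allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE triggers an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only from SMM

# Constructed: 16 MiB flash with the BIOS region in the top 8 MiB
BIOS_REGION = (0x00800000, 0x00FFFFFF)


def decode_bios_cntl(value: int) -> dict:
    """Return the three write-protection-relevant BIOS_CNTL flags."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def decode_pr(value: int) -> dict:
    """Decode one Protected Range register (PRx in the SPI BAR).

    bit 31     WPE, write-protection enable
    bits 28:16 PRL, range limit in 4 KiB units (inclusive)
    bit 15     RPE, read-protection enable
    bits 12:0  PRB, range base in 4 KiB units
    """
    prl = (value >> 16) & 0x1FFF
    prb = value & 0x1FFF
    return {
        "WPE": bool((value >> 31) & 1),
        "RPE": bool((value >> 15) & 1),
        "base": prb << 12,
        "limit": (prl << 12) | 0xFFF,
    }


def _covers(ranges, region) -> bool:
    """True if the union of inclusive [base, limit] ranges covers region."""
    start, end = region
    cursor = start
    for base, limit in sorted(ranges):
        if base > cursor:          # uncovered gap before this range
            return False
        if limit >= cursor:
            cursor = limit + 1
        if cursor > end:
            return True
    return cursor > end


def bios_write_protected(bios_cntl: int, prs, region=BIOS_REGION):
    """Judge BIOS region write protection from BIOS_CNTL and PRx values.

    Returns (protected, reason). Protection counts as effective when the
    BIOS_CNTL lock is fully engaged (BLE and SMM_BWP set, BIOSWE clear) or
    when PR registers with WPE set cover the whole BIOS region.
    """
    bc = decode_bios_cntl(bios_cntl)
    if bc["BLE"] and bc["SMM_BWP"] and not bc["BIOSWE"]:
        return True, "BIOS_CNTL: BLE and SMM_BWP set, BIOSWE clear"
    protected = [
        (pr["base"], pr["limit"])
        for pr in map(decode_pr, prs)
        if pr["WPE"]
    ]
    if _covers(protected, region):
        return True, "PRx: write-protected ranges cover the BIOS region"
    if bc["BLE"] and not bc["BIOSWE"]:
        return False, "BIOS_CNTL: BLE set but SMM_BWP clear, no full PR coverage"
    return False, "no effective write protection"


if __name__ == "__main__":
    # Constructed register snapshots, one per configuration state
    samples = {
        "locked via BIOS_CNTL": (0x22, []),
        "locked via PR0": (0x01, [0x8FFF0800]),
        "PR0 covers only half the region": (0x01, [0x8BFF0800]),
        "PR0 present but WPE clear": (0x01, [0x0FFF0800]),
    }
    for label, (bc, prs) in samples.items():
        ok, why = bios_write_protected(bc, prs)
        print(f"{label:33s} -> {'PROTECTED' if ok else 'WRITABLE'} ({why})")
```

The BIOS region bounds come from the flash descriptor on a real system, so the constant above must be replaced with the descriptor's values before the coverage check means anything; the point of the example is that a single cleared bit (BIOSWE set, or WPE clear in the only PR register covering the region) is enough to turn a locked flash into a writable one.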

After discovering and analyzing those vulnerabilities, researchers at security firm ESET found a third one, CVE-2021-3970. It allows hackers to run malicious firmware when the machine enters System Management Mode, a highly privileged operating mode normally used by hardware manufacturers for low-level system management.

“Based on the description, these are very ‘oh no’ attacks for a sufficiently advanced attacker,” Trammell Hudson, a security researcher who specializes in firmware hacking, told Ars. “Bypassing SPI flash permissions is very bad.”


The only two documented cases of malicious UEFI firmware being used in the wild are LoJax, written by a Russian state hacking group that goes by several names, including Sednit, Fancy Bear and APT28, and a second UEFI malware that security firm Kaspersky found on the computers of diplomats in Asia.

All three Lenovo vulnerabilities found by ESET require local access, meaning the attacker must already control the vulnerable machine with unrestricted privileges. The bar for that access is high and may require exploiting one or more other critical vulnerabilities elsewhere, which would already put the user at considerable risk.

Even so, the vulnerabilities are serious, because they allow vulnerable laptops to be infected with malware that goes well beyond what more traditional malware can usually achieve. Lenovo lists more than 100 affected models here.
