Poor firmware implementation can lead to the bypass of advanced technologies created to protect Unified Extensible Firmware Interface (UEFI) BIOS, such as Intel Boot Guard, from illegal modifications, security researchers have discovered.
Initially launched in 2013, Intel Boot Guard is a hardware-assisted BIOS integrity verification mechanism that creates a trusted boot chain so that the integrity of boot components is cryptographically verified. The boot chain uses an RSA public key (its hash is hard-coded inside the CPU) and an OEM private key.
The OEM sets the final configuration and writes it to one-time-programmable Intel chipset fuses during the manufacturing process, thus making it almost impossible for an attacker to modify the BIOS without knowing the private part of the OEM Root Key.
However, because some OEMs might fail to properly configure Intel Boot Guard, attackers could end up injecting code and permanently modifying BIOS.
Earlier this year at Black Hat 2017, security researcher Alex Matrosov presented some vulnerabilities in poor BIOS implementations, explaining that not all vendors enable the protections offered by modern hardware. Because of that, attackers could elevate privileges, bypass protections, and install rootkits, he explained.
Alexander Ermolov, a scurity researcher at Embedi, now says that one such faulty implementation impacts a series of firmware releases based on AMI Aptio UEFI BIOS. The product is highly popular among many OEMs, including Gigabyte, MSI, Asus, Acer, Dell, HP, ASRock, which suggests that vulnerable code might be present in a huge number of motherboards.
Ermolov explains that, during the verification stage, a BootGuardPei routine checks for compatibility with Intel Boot Guard, after which a Hand-Off Block (HOB) binary containing the result of verification is created. Thus, if the verification is not successful, the zero value is written to the HOB.
While this should result in an enforcement policy being applied, further execution of BIOS is allowed, resulting in modified Driver Execution Environment (DXE) code being run. This is possible because of another Boot Guard-related module that analyzes the results written to HOB and shuts down the system if DXE code didn’t pass the integrity check.
If it doesn’t find the verification results, the routine returns an error. As a result, attacks that allow for the deletion of the HOB can result in bypassing the DXE code integrity check. Furthermore, if the module responsible for this step is deleted, there will be no code responsible for analyzing the integrity verification results.
The researcher says they notified AMI to inform them on the findings and were told that the issue had been already addressed and that OEMs were alerted on the matter. The latest AMI BIOS codebase available to customers (OEMs) is no longer vulnerable.
However, after verifying the implementation of the fix in the previously analyzed motherboard (a Gigabyte GA-H170-D3H model), Ermolov discovered that things went from bad to worse. If BootGuardPei doesn’t perform a successful verification, it now writes a positive value to HOB, thus effectively bypassing the Boot Guard protection for DXE integrity check.