[FD] CVE-2017-8083 CompuLab IntensePC lacks BIOS Write Protection
- To: "fulldisclosure" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CVE-2017-8083 CompuLab IntensePC lacks BIOS Write Protection
- From: "Hal Martin" <hal.martin@xxxxxxxxxxxxxx>
- Date: Sun, 04 Jun 2017 09:57:48 +0200 (CEST)
Credits: Hal Martin
Website: watchmysys.com
Source:
https://watchmysys.com/blog/2017/06/cve-2017-8083-compulab-intensepc-lacks-bios-wp/
Vendor:
====================
CompuLab (compulab.com)
Product:
====================
Intense PC / MintBox 2
Vulnerability type:
====================
Write-protection not enabled on system firmware
CVE Reference:
====================
CVE-2017-8083
Summary:
====================
Since 2013 CompuLab has manufactured and sold the IntensePC/MintBox 2, a
small Intel-based fanless PC sold to end users and industrial customers. It was
discovered that, in the default configuration, write-protection is not enabled
for the BIOS/ME/GbE regions of flash.
CompuLab have created a patch to resolve the issue; however, they have not yet
released the patch publicly. This vulnerability is being published because the
90-day disclosure deadline has been reached.
Affected versions:
====================
All firmware versions since product release (the latest public firmware is dated
21 June 2016)
Attack Vector:
====================
An attacker tricks the user into running a malicious executable with local
administrator privileges, which updates the system firmware to include the
attacker's code. The attacker may instead use a known OS exploit to perform the
update remotely (without user interaction or notification).
Proof of concept:
====================
I have created a modified firmware update which replaces the stock UEFI shell
with the UEFI shell from EDK2. The update can be flashed from within Windows
without any user interaction or notification. Firmware updates are not signed
by CompuLab or verified by the existing firmware before upgrade.
The modified update can be downloaded here:
https://watchmysys.com/blog/wp-content/uploads/2017/06/update-IPC-20160621-edk2.zip
Details of the full proof of concept can be found at the Source link above.
Disclosure timeline:
====================
1 March 2017: Vulnerability is reported to CompuLab via their support email
address
2 March 2017: CompuLab replies that they will create a beta BIOS to address the
vulnerability
6 March 2017: I request a timeline to fix the issue
7 March 2017: CompuLab replies that they will create a beta BIOS for testing and
that they “will provide an official public release in the future”
8 March 2017: CompuLab replies with instructions to run closemnf via the Intel
FPT tool
8 March 2017: I inform CompuLab I am waiting for the official BIOS update to
resolve the issue
8 March 2017: CompuLab replies with a copy of the Intel FPT tool and requests “not
to publish or disclose this information”
8 March 2017: CompuLab is informed that details of the vulnerability will be
published on 4 June 2017
23 April 2017: Issue is reported to MITRE
24 April 2017: Vulnerability is assigned CVE-2017-8083
3 May 2017: CompuLab communicates that they will delay fixing this
vulnerability until Intel provides an updated ME firmware to address
CVE-2017-5689
4 May 2017: I inform CompuLab that details of this vulnerability will be
published on 4 June 2017 as previously discussed
11 May 2017: CompuLab sends a proposed fix for testing; the update script fails
due to invalid command syntax for flashrom
14 May 2017: I inform CompuLab of the invalid syntax and provide the correct
usage, and confirm that the fix enables write-protection on the ME/BIOS/GbE
regions of flash
15 May 2017: CompuLab replies with a revised update script
15 May 2017: I inform CompuLab that the syntax of the revised script is
correct; however, my unit has already been updated so I cannot re-test
4 June 2017: Details of the vulnerability are published.
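The summary above describes missing write-protection on the BIOS/ME/GbE flash regions, and the timeline mentions CompuLab's instruction to run closemnf with the Intel FPT tool. The script below is an added example, not code from the advisory or from CompuLab: it shows how that region-level permission is encoded in the master access fields (FLMSTR1..3) of the Intel SPI flash descriptor, and how a defender can decode them from the first 4 KiB of a flash dump to see which regions the host master is allowed to write. The descriptor images it builds are constructed for illustration; the FLMSTR values are typical of a fully open descriptor and of one carrying closemnf-style permissions, and the field offsets follow the 5/6/7-series PCH descriptor layout.

```python
"""Decode the master access permissions of an Intel SPI flash descriptor.

Added example (not code from the advisory or from CompuLab). UNLOCKED and
LOCKED are constructed descriptor images: the first grants every master full
access, the second carries the region permissions a closemnf-style lock-down
leaves behind (host may not write the Descriptor or ME regions).
"""
import struct

FLVALSIG = 0x0FF0A55A                     # descriptor signature at offset 0x10
# Bit positions inside the FLMSTRn read/write access fields (5/6/7-series PCH).
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]
MASTERS = ["BIOS/Host", "ME", "GbE"]      # FLMSTR1, FLMSTR2, FLMSTR3


def build_descriptor(flmstr_values):
    """Construct a minimal 4 KiB descriptor region carrying the given FLMSTR1..3."""
    img = bytearray(b"\xff" * 4096)
    struct.pack_into("<I", img, 0x10, FLVALSIG)
    frba, fmba = 0x40, 0x60                # region and master section offsets
    # FLMAP0 (offset 0x14): FCBA[7:0] and FRBA[23:16] are stored >> 4;
    # NR[26:24] is zero-based, so 4 means five regions.
    flmap0 = (0x30 >> 4) | ((frba >> 4) << 16) | (4 << 24)
    # FLMAP1 (offset 0x18): FMBA[7:0] stored >> 4; NM[9:8] zero-based, 2 = three masters.
    flmap1 = (fmba >> 4) | (2 << 8)
    struct.pack_into("<II", img, 0x14, flmap0, flmap1)
    struct.pack_into("<III", img, fmba, *flmstr_values)
    return bytes(img)


def parse_masters(img):
    """Return, per master, the regions it may read and write according to FLMSTR1..3."""
    (sig,) = struct.unpack_from("<I", img, 0x10)
    if sig != FLVALSIG:
        raise ValueError("no valid flash descriptor signature at offset 0x10")
    (flmap1,) = struct.unpack_from("<I", img, 0x18)
    fmba = (flmap1 & 0xFF) << 4
    perms = {}
    for i, master in enumerate(MASTERS):
        (flmstr,) = struct.unpack_from("<I", img, fmba + 4 * i)
        read_bits = (flmstr >> 16) & 0x1F   # Region Read Access, bits 20:16
        write_bits = (flmstr >> 24) & 0x1F  # Region Write Access, bits 28:24
        perms[master] = {
            "read": [r for b, r in enumerate(REGIONS) if (read_bits >> b) & 1],
            "write": [r for b, r in enumerate(REGIONS) if (write_bits >> b) & 1],
        }
    return perms


def host_writable_regions(img):
    """Regions the host (CPU/BIOS master) may write: what an OS-level flasher can reach."""
    return parse_masters(img)["BIOS/Host"]["write"]


def descriptor_is_open(img):
    """True when the host master may write the Descriptor or ME region (no region lock)."""
    return bool(set(host_writable_regions(img)) & {"Descriptor", "ME"})


# Constructed sample descriptors (not dumped from real hardware).
UNLOCKED = build_descriptor((0xFFFF0000, 0xFFFF0000, 0xFFFF0000))
LOCKED = build_descriptor((0x0A0B0000, 0x0C0D0000, 0x08080000))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:                  # e.g. a flashrom -r dump; only the first 4 KiB matter
        with open(sys.argv[1], "rb") as f:
            image = f.read(4096)
    else:
        image = UNLOCKED
    for master, acc in parse_masters(image).items():
        print(f"{master:10s} read={acc['read']} write={acc['write']}")
    print("descriptor open:", descriptor_is_open(image))
```

Run it against a full image read with `flashrom -p internal -r image.bin` to see the permissions a unit actually ships with. Note that even a locked descriptor still lets the host master write the BIOS region (it has to, for legitimate updates), so protection of the BIOS region itself comes from separate chipset registers (BIOS_CNTL's BLE/SMM_BWP bits and the PR0-PR4 protected ranges) that this check does not read; chipsec's common.bios_wp and common.spi_desc modules cover both halves of the picture.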
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/