IT companies Supermicro and Pulse Secure have released advisories warning that some of their hardware is vulnerable to malware. More specifically, the affected motherboards are susceptible to a UEFI firmware-infecting module known as TrickBoot, which is delivered by the TrickBot malware.
Supermicro is an information technology company based in San Jose, California, and Pulse Secure is a manufacturer of secure access solutions headquartered in Silicon Valley.
Last year, cybersecurity firms Advanced Intelligence and Eclypsium reported a new malicious ‘TrickBoot’ module that targeted firmware. To deliver the module, the attackers used the notorious TrickBot malware.
The module has the capability to analyze a device’s Unified Extensible Firmware Interface (UEFI) firmware to determine if it has “write protection” enabled or disabled. To check the “write protection,” the module uses the RwDrv.sys driver from the RWEverything utility.
If write protection is disabled, the malware can read, write, and wipe the firmware. This allows attackers to bypass the operating system’s security controls and do things like reinfecting a system after a full reinstall or bricking a device.
“All requests to the UEFI firmware stored in the SPI flash chip go through the SPI controller, which is part of the Platform Controller Hub (PCH) on Intel platforms,” the Eclypsium and Advanced Intelligence teams wrote.
The SPI controller has access control mechanisms that can be locked during the boot process in order to prevent tampering with the UEFI firmware stored in the SPI flash memory chip. However, these protections are often disabled or misconfigured. If the BIOS does not have write-protection enabled, a hacker can easily modify the firmware or even delete it.
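As an added example of the check a defender would want here (not code from the advisories or from the researchers’ report), the snippet below decodes the two PCH registers that hold the SPI write-protection state described above, BIOS_CNTL and HSFS, and reports whether BIOS write protection is effectively enabled. The bit positions are the documented Intel PCH ones and are assumed to apply to the platforms the article names; the register values are constructed, since reading the live registers needs a firmware-inspection tool such as chipsec.

```python
# Decode Intel PCH BIOS write-protection state from raw register values.
# BIOS_CNTL bit layout (Intel PCH datasheets; assumed to hold for the
# Skylake/Kaby Lake/Coffee Lake/Comet Lake platforms named in the article):
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region writable from the OS
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes allowed only from SMM
# HSFS (Hardware Sequencing Flash Status) in the SPI controller:
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: 1 = SPI config is locked


def assess_write_protection(bios_cntl: int, hsfs: int) -> dict:
    """Return the decoded bits, a verdict, and the reasons behind it.

    The verdict mirrors the usual firmware-audit rule: the BIOS region is
    considered write-protected when BLE=1 and SMM_BWP=1 while BIOSWE=0.
    FLOCKDN is reported separately because it locks the SPI protected-range
    registers rather than the BIOS_CNTL lock itself.
    """
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    flockdn = bool(hsfs & FLOCKDN)
    findings = []
    if bioswe:
        findings.append("BIOSWE=1: BIOS region is writable from the OS")
    if not ble:
        findings.append("BLE=0: any ring-0 code can set BIOSWE")
    if not smm_bwp:
        findings.append("SMM_BWP=0: writes are not confined to SMM")
    if not flockdn:
        findings.append("FLOCKDN=0: SPI protected-range registers are changeable")
    return {
        "BIOSWE": bioswe, "BLE": ble, "SMM_BWP": smm_bwp, "FLOCKDN": flockdn,
        "protected": ble and smm_bwp and not bioswe,
        "findings": findings,
    }


# Constructed sample values, not captured from real hardware:
SAMPLE_LOCKED = (0x22, 0x8000)    # BLE=1, SMM_BWP=1, BIOSWE=0, FLOCKDN=1
SAMPLE_UNLOCKED = (0x01, 0x0000)  # BIOSWE=1 and nothing locked
SAMPLE_PARTIAL = (0x02, 0x8000)   # BLE set but SMM_BWP clear

if __name__ == "__main__":
    for name, regs in (("locked", SAMPLE_LOCKED), ("unlocked", SAMPLE_UNLOCKED),
                       ("partial", SAMPLE_PARTIAL)):
        result = assess_write_protection(*regs)
        print(name, "protected" if result["protected"] else "NOT protected",
              result["findings"])
```

A board in the “partial” state is the case the hotfix addresses: the lock bit alone does not stop ring-0 code from racing the SMI handler, so SMM_BWP should be set as well.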
The malware’s ability to analyze a device’s firmware is currently restricted to specific Intel platforms, including Skylake, Coffee Lake, Kaby Lake, and Comet Lake, according to the researchers.
In today’s advisory, Supermicro warns that some of their X10 UP motherboards are vulnerable to the TrickBoot malware. The company has released a BIOS hotfix that will enable “write protection.”
The vulnerable X10 UP-series motherboards are:
- X10SLH-F (will EOL on 3/11/2021)
- X10SLL-F (EOL’ed since 6/30/2015)
- X10SLM-F (EOL’ed since 6/30/2015)
- X10SLL+-F (EOL’ed since 6/30/2015)
- X10SLM+-F (EOL’ed since 6/30/2015)
- X10SLM+-LN4F (EOL’ed since 6/30/2015)
- X10SLA-F (EOL’ed since 6/30/2015)
- X10SL7-F (EOL’ed since 6/30/2015)
- X10SLL-S/-SF (EOL’ed since 6/30/2015)
Pulse Secure issued a similar advisory because their Pulse Secure Appliance 5000 (PSA-5000) and Pulse Secure Appliance 7000 (PSA-7000) devices run on vulnerable Supermicro hardware.