Security researchers have discovered serious flaws in the firmware of Gigabyte's Brix small form factor (SFF) systems that allow malicious code to be written into firmware and stored even if you replace the system's storage device.
Researchers from security specialist Cylance revealed the vulnerabilities at the BlackHat Asia 2017 event, following hints at the earlier RSA Conference 2017 and after contacting Gigabyte privately with its findings. Known to affect at least two models of Brix systems - the GB-BSi7H-6500 with firmware F6 and GB-BXi7-5775 with firmware F2 - the company's discovery includes the creation of a proof of concept (PoC) exploit capable of acting as a backdoor at a system level and of bypassing any and all security protections in place at the operating system level.
'Firmware backdoors are difficult to detect because they execute in the early stages of the boot process and they can persist across operating system (OS) re-installations,
' the company explains in its write-up of the vulnerabilities
. 'Write-protection mechanisms exist to prevent attackers from modifying the firmware; however, the affected systems do not enable them. It is up to the motherboard manufacturers to correctly implement the UEFI firmware and enable the appropriate protection mechanisms to prevent unauthorised modifications to the firmware.
Sadly, the two affected Brix systems are among those shipped in a vulnerable state, which can then be exploited by a vulnerable SMI handler. Worse still for those who currently have a Brix system, Gigabyte has confirmed it will only fix one of the two known-vulnerable units: The GB-BSi7H-6500 will receive a firmware update fixing the flaw and updated it to version F7, but the GB-BXi7-5775 is officially considered end-of-life and will receive no such update; instead, the older model will be left vulnerable.
Full details of the flaws are available in the Cylance write-up