Dozens of Security Flaws Discovered in UEFI Firmware Used by Several Vendors

#1 Post by argentwolf »

Yikes! We knew it was only a matter of time...the planned cyberpandemic of FEAR happens, thanks Big Tech! :?

https://thehackernews.com/2022/02/dozen ... ed-in.html
Vanguard Debian, because nothing's worse than doing nothing, whimsically!
32-bit | 2 Duo T5270 @ 1.40GHz x 2 CPU | 3.9GiB RAM | NV86 117MiB GPU | 465.76GiB SSD
64-bit | i7-4790 @ 3.60GHz x 8 CPU | 15.6GiB RAM | NVD9 1.9GiB GPU | 931.51GiB SSD

#2 Post by LE_746F6D617A7A69 »

Somehow I can't find Libreboot on that CVE list ...

It's funny to see how those "Big Tech" companies are failing to deliver high quality products (again and again...)

If You ask them why their products have closed source, You will hear always the same answer: "know-how protection" - the above link proves that they don't know how, or simply they just don't give a sh.it about their customers.

Have a nice day.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed

#3 Post by argentwolf »

LE_746F6D617A7A69 wrote: 2022-02-02 10:58 Somehow I can't find Libreboot on that CVE list ...

It's funny to see how those "Big Tech" companies are failing to deliver high quality products (again and again...)

If You ask them why their products have closed source, You will hear always the same answer: "know-how protection" - the above link proves that they don't know how, or simply they just don't give a sh.it about their customers.

Have a nice day.
It might be worthwhile to broach this issue with Libreboot and get a definite answer.
Some of us witness the 'Big Tech' companies culpable pattern to intentionally create these vulnerabilities and generate the FEAR of our digital realm to manage the people farm.
Open source is 'only immune' if the 'competent' constantly review the code and provide their identity for responsibility of their effort(s) and endorsement...please show me the list where such is disclosed. I continue to believe it's ALL been compromised and we'd never know...open source ethos is trusted (maybe) more than closed only because everyone believes someone [in the know] looks at it. D'oh! :shock:

#4 Post by ticojohn »

What the heck does this post have to do with Debian? Just more GIGO.
I am not irrational, I'm just quantum probabilistic.

#5 Post by cynwulf »

That article actually links to Microsoft's articles about its ambitions with Windows 10/11 and TPM 2.0. Microsoft is pushing TPM 2.0 with Windows 11, so news like that only assists them in their efforts...

The "Unified EFI Forum" is in fact a consortium of Microsoft, Apple, Intel, AMD, ARM, several MS OEMs and BIOS vendors. This group also control the ACPI spec. They're in the position to create the problems and solutions at will. In this case, they created problems with older CPUs and within the UEFI firmware, now TPM 2.0 (and new hardware) is the solution. Yes amazingly the corporations who give you x86 PCs and MS Windows want you to buy new x86 PCs preloaded with MS Windows.

Every bit of new "you must have", "security" tech from "Big Tech" - is designed to very securely compromise your privacy...

#6 Post by LE_746F6D617A7A69 »

argentwolf wrote: 2022-02-02 11:31 Open source is 'only immune' if the 'competent' constantly review the code and provide their identity for responsibility of their effort(s) and endorsement...please show me the list where such is disclosed.
For open source projects there is such a list: it contains names and e-mail addresses of thousands of programmers, who are reviewing the code, who are reporting bugs and who are providing patches - each project has its own list, available through bug tracking services/systems.

Closed source also has to be reviewed by 'competent' people - have You seen any list?


#7 Post by argentwolf »

LE_746F6D617A7A69 wrote: 2022-02-02 13:44 For open source projects there is such a list: it contains names and e-mail addresses of thousands of programmers, who are reviewing the code, who are reporting bugs and who are providing patches - each project has its own list, available through bug tracking services/systems.
Okay, I'm not saying it doesn't exist, but let's take your identified example of Libreboot, please show me the list of programmers and their competency, who've reviewed the code and they're not associated with the project (bias)?

#8 Post by argentwolf »

D'oh! "May 2009"...how can this exploit possibly exist with too many non-project 'competent' auditors? :oops:

"Linux system service bug gives root on all major distros, exploit released"
https://www.bleepingcomputer.com/news/s ... -released/

"Twelve-Year-Old Linux Vulnerability Discovered and Patched"
https://www.schneier.com/blog/archives/ ... tched.html

#9 Post by LE_746F6D617A7A69 »

argentwolf wrote: 2022-02-02 14:11 (...) let's take your identified example of Libreboot, please show me the list of programmers and their competency, who've reviewed the code and they're not associated with the project (bias)?
Libreboot has only 3 listed developers, because it is based on other projects, like coreboot and seabios. Coreboot and seabios contributors are listed on the respective project's GitHub pages.
(coreboot: 510 registered contributors, seabios: 61).

Are they competent?
Well, IMO they are more competent than the programmers working for HW manufacturers - because there's nothing special in writing firmware if You have full access to every part of the documentation. Reverse engineering is a far harder task and requires more knowledge and experience.

argentwolf wrote: 2022-02-02 14:46 D'oh! "May 2009"...how can this exploit possibly exist with too many non-project 'competent' auditors? :oops:
(...)
Statistics are clear: in the whole history of GNU/Linux there were just a few tens of viruses, out of which 99% have been created as a proof of concept - they have never left the lab.
Compare this to MacOS or Winblows, to avoid bias.

#10 Post by argentwolf »

Innerstand, we're not talking about a simple virus, this is a serious vulnerability...and let's not lose focus on the subject of this thread, UEFI.
What's the point of opensource if it 'gives' the ability for outside programmers to review/audit the code and yet the 10's if not 100's of thousands who supposedly looked at the code, deemed it solid, and yet 12+ years later a huge vulnerability is discovered and EVERYONE missed it, EVERYONE? Again, I don't think this 'opensource' ethos works as well as everyone boasts...you're right, 'statistics are clear and don't lie, do all the distros simply trust everything they build their shiny on? AMAZING!
Is there a difference between opensource and proprietary software if no one looks? If a tree falls in a forest, and there’s no one around to hear it, does it make a sound? :|

"PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)"
https://blog.qualys.com/vulnerabilities ... -2021-4034

#11 Post by LE_746F6D617A7A69 »

Consider this: the bug in pkexec was discovered exactly because it's an open source software - some programmers found it by reviewing the code - otherwise it would probably never get caught.
The exploit is described with exact source line numbers, and because the whole OS is open source, it can be even explained what the kernel will do in such case - a complete analysis is possible, and independent programmers can confirm if the analysis is correct.

See also this:
viewtopic.php?p=725356#p725356

;)

#12 Post by argentwolf »

Huh, so the difference between opensource and proprietary software is simply what makes you 'feel' safer and phonetics in a forest. BAM! :wink:
Now, with all that out of the way, the original link in the starting post of this thread suggested 'security flaws' in the title, 'security vulnerabilities' within the article, and a link within the article suggested 'anomalies' of 25+ impacted vendors.
What the hell are they talking about with these 23 "high severity" issues which can't be viewed, and why would anyone feel secure about any system built upon a seriously flawed/vulnerable/abnormal foundation?
Trust is a dangerous practice, the whole corrupt DARPA system must be brought down and rebuilt! TNO! TNO! TNO!
At least coders are motivated with money...as our only hope. D'oh!

"Finding Vulnerabilities in Open Source Projects"
https://www.schneier.com/blog/archives/ ... jects.html

#13 Post by sunrat »

Moved this to Offtopic as it was originally incorrectly posted in the Help and Support section which it is not.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

#14 Post by LE_746F6D617A7A69 »

argentwolf wrote: 2022-02-02 21:36 Huh, so the difference between opensource and proprietary software is simply what makes you 'feel' safer and phonetics in a forest. BAM!
Where did you get such conclusion?

#15 Post by cynwulf »

argentwolf wrote: 2022-02-02 18:18 What's the point of opensource if it 'gives' the ability for outside programmers to review/audit the code and yet the 10's if not 100's of thousands who supposedly looked at the code, deemed it solid, and yet 12+ years later a huge vulnerability is discovered and EVERYONE missed it, EVERYONE? Again, I don't think this 'opensource' ethos works as well as everyone boasts...you're right, 'statistics are clear and don't lie, do all the distros simply trust everything they build their shiny on? AMAZING!
The open source "ethos" is more about collaboration. The idea that "many eyeballs" will find bugs much more quickly than in a closed development model is mainly a "selling point". It's not true in every case, and it's also based on the assumption that these many eyeballs are all proactively looking for bugs, are interested in code quality, follow KISS principles, etc - that is often not the case. When there is increased complexity there will be more bugs. That part of the open source "ethos" only works well when there is a modular approach and reuse of code. When there is a lot of reinvention and complexity, an ever growing codebase, the only "eyeballs" are often those belonging to the development team.

Qualys proactively look for this kind of thing - it's a global company and finding these kinds of vulnerabilities boosts its profile. That's why it's emblazoned on their website with the catchy brand name "PwnKit". That's not to take anything away from Qualys, they have made some good catches.

The pkexec vulnerability is nothing new and nothing surprising either. Have a look at the CVE history for polkit:

https://www.cvedetails.com/vendor/12901 ... oject.html

That's actually not so terrible...

Looking at Linux kernel CVE data:

https://www.cvedetails.com/vendor/33/Linux.html

Make up your own mind on that one.

And again this pkexec vulnerability was discovered in a proactive effort by people auditing the polkit code. polkit is widely used - it's not part of any larger monolithic project, thus the eyeball count and the interest in finding problems such as this increases significantly.

Whether we think polkit is great code / a good idea, is a different matter altogether. I personally never allow X applications to run with root privileges on my own systems.

***

Back on topic: UEFI

To understand these vulnerabilities and why they exist, you have to take a trip through why UEFI was devised in the first place. If you read a site like Wikipedia, you will probably see a few bullet points about larger than 2TB boot partitions and some other buzzwords and waffle about backward compatibility. The real focus of UEFI is the "pre-OS environment" - and that's where all of the potential privacy and security problems with UEFI reside.

#16 Post by canci »

I agree with cynwulf. The aging BIOS wasn't the only reason for UEFI. Vendor payload control and DRM were the main reasons.

And yeah, open source is not about ethics - hence the difference in open source vs free software. Code quality is also not a primary concern. The industry just likes free code that would otherwise cost a lot of engineering money (and in some cases would still not necessarily yield better or more efficient code - see Windows)
Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

#17 Post by argentwolf »

I don't understand why this UEFI Firmware issue(s) isn't burning down the interweb?

#18 Post by cynwulf »

https://meltdownattack.com/
https://foreshadowattack.eu/
https://zombieloadattack.com/

That didn't burn down the interweb either...

Neither did the numerous critical security flaws in the Intel Management Engine - notably those revealed in 2017, which had existed in the firmware since 2008.

The Intel situation is scandalous and they walked away virtually unscathed.

#19 Post by argentwolf »

cynwulf wrote: 2022-02-03 14:02 https://meltdownattack.com/
https://foreshadowattack.eu/
https://zombieloadattack.com/

That didn't burn down the interweb either...

Neither did the numerous critical security flaws in the Intel Management Engine - notably those revealed in 2017, which had existed in the firmware since 2008.

The Intel situation is scandalous and they walked away virtually unscathed.
I was booted from multiple forums and groups over those divulges.
Your impotent approach is very disappointing as with the whole nonchalant attitude of the security industry. Everyone is a matchstick, and should at the least strike. WTH!
We technologists are better than this, or maybe not... AMAZING! :cry:
drops mic

#20 Post by LE_746F6D617A7A69 »

I don't want to defend Intel, but those vulnerabilities were presented as critical, while in fact they are useless outside of a laboratory.

It's true that it's possible to read various CPU buffers using side-channel read methods, but the thing is, that for the attacker such data are no different from a stream of random numbers - they cannot be interpreted in any way without knowing the context.
The data context depends on so many factors, that it can't be predicted - f.e. it depends on how the user is moving the mouse - because this generates interrupts and changes the order of code execution in other processes.

The UEFI case is different - those vulnerabilities allow taking full control of the hardware, where even re-installation of the OS won't help. It's also interesting why it affects so many vendors - all of them relied on outsourcing - they were using the same UEFI code.
It's amazing that such Big Tech companies can't afford hiring professional programmers directly.
cynwulf wrote: 2022-02-03 09:56 (..) The idea that "many eyeballs" will find bugs much more quickly than in a closed development model is mainly a "selling point".
It's not about "more quickly" - it's about the possibility to eliminate bugs.
If You carefully read the report from the 1st post, You should notice that the vulnerabilities were discovered by observing some strange behaviour of the UEFI API - there's no explanation what's wrong inside the UEFI. It can be a bug, but it also can be a backdoor - and if it's a backdoor, then the only effect of publishing this discovery will be that the authors will just use better methods for hiding it.
This is one of the most important differences - i.e. transparency.