Gigabyte developers have updated the firmware of 270 motherboard models to fix a recently discovered vulnerability. The researchers considered this bug a backdoor that could be used to install malware.
Let me remind you that the problem was announced last week by experts of the Eclypsium company, which specializes in the security of firmware and equipment. Then the researchers determined that the firmware of many Gigabyte motherboards contains a Windows binary that is executed when the operating system boots. This file then downloads and launches another payload received from the Gigabyte servers.
It was noted that the payload is loaded through an insecure connection (HTTP or incorrectly configured HTTPS) and the legitimacy of the file is not checked in any way. That is, hackers can use an insecure connection between the system and Gigabyte servers to spoof the payload and implement a man-in-the-middle attack.
Let me remind you that we also talked about Cybercriminals that deliver backdoor to victims’ computers with NVIDIA driver.
Eclypsium created a list of more than 270 Gigabyte motherboard models affected by the issue with its report. The experts summarized that the backdoor is probably present on millions of devices.
As Gigabyte engineers now report, the problem has been fixed. The bug was related to the Windows Platform Binary Table (WPBT) feature, which allows firmware developers to automatically extract an executable file from an image and run it on the operating system.
Gigabyte motherboards use the WPBT feature to install an automatic update application in %SystemRoot%\system32\GigabyteUpdateService.exe on new Windows installations. This feature is enabled by default and can be disabled in the BIOS settings.
The manufacturer has now released motherboard firmware updates for Intel processors (400/500/600/700 series) and AMD processors (400/500/600 series).
The patch adds more stringent security checks during system startup, including improved verification of files and their signatures downloaded from remote servers, as well as standard verification of certificates for remote servers.
According to the company, the improvements will prevent the introduction of malicious code and ensure that any downloaded files come from servers with valid and trusted certificates.
Let me remind you that the media also wrote that RobbinHood Ransomware installs vulnerable Gigabyte drivers on victims’ computers.
Leave a Comment