Recent findings by cybersecurity researchers have uncovered significant vulnerabilities in the UEFI firmware of Gigabyte systems, exhibiting behaviors reminiscent of a backdoor. These vulnerabilities reportedly allow the firmware to silently download a Windows executable and retrieve updates through unsecured channels, raising serious security concerns.
Eclypsium, a firm specializing in firmware security, first identified these anomalies in April 2023. In response, Gigabyte has acknowledged the issue and rolled out necessary updates to mitigate risks associated with these vulnerabilities. According to John Loucaides, Eclypsium’s Senior Vice President of Strategy, the core of the problem lies in the fact that some Gigabyte firmware contains a Windows Native Binary executable embedded within it, which is executed during the Windows boot process.
This executable behaves similarly to attacks leveraging legitimate applications, such as the LoJack ‘double agent’ method, where it downloads and executes additional binaries via insecure means. Loucaides notes that distinguishing this type of vulnerability from a true malicious backdoor is challenging, as both can exhibit similar traits.
Eclypsium further highlights that the implicated executable, built on the .NET framework, is configured to download and run payloads from Gigabyte’s servers using plain HTTP. Such a setup opens the door for adversary-in-the-middle attacks, especially in situations involving compromised network devices. The security implications of this are profound, impacting an estimated 364 different Gigabyte systems, which could amount to around 7 million affected devices worldwide.
Given the evolving tactics employed by threat actors, vulnerabilities in firmware update mechanisms can lead to stealthy implants and UEFI bootkits that evade standard operating system security controls. This is particularly worrying because malware injected at the firmware level can persist even after hard drives are wiped or operating systems are reinstalled, elevating the risk profile for businesses utilizing these devices.
Organizations are urged to apply the latest firmware updates and take preventative measures by disabling the “APP Center Download & Install” option in their UEFI/BIOS settings. Setting a BIOS password is also recommended to provide an additional layer of security against unauthorized changes.
The underlying cause of these vulnerabilities stems from Gigabyte motherboards leveraging a mechanism known as the Windows Platform Binary Table (WPBT) to install auto-update applications. Microsoft documentation explains that the WPBT allows manufacturers to supply, from the UEFI firmware, an executable that Windows runs each time it boots, thereby facilitating updates that may not be part of the standard installation media.
However, flaws in this implementation open avenues for cyber adversaries to exploit the process and deliver malicious versions of the executable through adversary-in-the-middle techniques.
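The weakness described above is a combination of two things: the update client trusts whatever the network returns, and it fetches over plain HTTP, so a network-path adversary can substitute the binary. The following Python example is added here to illustrate that failure mode beside a hardened update-fetch routine; it is not code from the article, from Eclypsium, or from Gigabyte. The host name, payload bytes and transport functions are constructed for the demonstration, and the "transport" is injected so the example runs offline.

```python
"""Update-fetch logic: the plain-HTTP, no-verification pattern beside a hardened version.

Added illustration; the vendor host, payloads and transports below are constructed
and do not correspond to any real server or binary.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payloads: a stand-in for the genuine update and for an
# attacker's substitute delivered by a network-path adversary.
GENUINE_UPDATE = b"MZ genuine-update-stub v1"
TAMPERED_UPDATE = b"MZ attacker-substituted-stub"
# Digest the client is expected to have obtained through a trusted path
# (for example baked into the firmware image or taken from a signed manifest).
GENUINE_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()

# Hypothetical update host; the article names no URL.
ALLOWED_HOSTS = {"updates.example-vendor.invalid"}
UPDATE_PATH = "/app.exe"


class UpdateRejected(Exception):
    """Raised when the hardened client refuses a fetched update."""


def insecure_fetch_and_run(url, transport):
    """The weak pattern: no scheme check, no host allow-list, no integrity check.

    Whatever the transport hands back is treated as the update to execute.
    """
    return transport(url)


def validate_update_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Refuse non-HTTPS channels and hosts that are not explicitly allow-listed."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"refusing non-HTTPS update channel: {parts.scheme!r}")
    if parts.hostname not in allowed_hosts:
        raise UpdateRejected(f"update host not allow-listed: {parts.hostname!r}")
    return parts


def verify_payload(payload, expected_sha256_hex):
    """Constant-time comparison of the fetched bytes against the pinned digest."""
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256_hex):
        raise UpdateRejected("payload digest mismatch; refusing to execute")
    return payload


def hardened_fetch(url, transport, expected_sha256_hex, allowed_hosts=ALLOWED_HOSTS):
    """Transport security plus payload integrity: both checks must pass."""
    validate_update_url(url, allowed_hosts)
    payload = transport(url)
    return verify_payload(payload, expected_sha256_hex)


def honest_transport(url):
    """Constructed transport that returns the genuine update."""
    return GENUINE_UPDATE


def aitm_transport(url):
    """Constructed transport modelling a network-path attacker swapping the binary."""
    return TAMPERED_UPDATE


def demo():
    """Run both clients against both transports and report the outcomes."""
    http_url = "http://updates.example-vendor.invalid" + UPDATE_PATH
    https_url = "https://updates.example-vendor.invalid" + UPDATE_PATH
    results = {}
    # The insecure client executes the attacker's substitute without noticing.
    results["insecure_accepts_tampered"] = (
        insecure_fetch_and_run(http_url, aitm_transport) == TAMPERED_UPDATE
    )
    # The hardened client refuses the plaintext channel outright.
    try:
        hardened_fetch(http_url, honest_transport, GENUINE_SHA256)
        results["hardened_rejects_http"] = False
    except UpdateRejected:
        results["hardened_rejects_http"] = True
    # Even over HTTPS, a substituted payload fails the pinned-digest check.
    try:
        hardened_fetch(https_url, aitm_transport, GENUINE_SHA256)
        results["hardened_rejects_tampered"] = False
    except UpdateRejected:
        results["hardened_rejects_tampered"] = True
    # The genuine update over HTTPS is accepted.
    results["hardened_accepts_genuine"] = (
        hardened_fetch(https_url, honest_transport, GENUINE_SHA256) == GENUINE_UPDATE
    )
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The digest check only helps if the expected digest itself arrives through a path the network adversary cannot alter, such as a value embedded in the signed firmware image or a manifest verified against a pinned public key; fetching the digest over the same unauthenticated channel would leave the client exactly as exposed as the insecure version.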
In conclusion, Gigabyte has responded by releasing firmware updates to close these security gaps. Moreover, the company has instituted stricter verification measures and access controls during the operating system boot process to thwart potential malicious activities. As cyber threats become more complex, vigilance and proactive action are essential for safeguarding critical business infrastructure.