winjer
Gold Member
Gigabyte Motherboards Affected by Firmware Backdoor, Over 250 Models Impacted
www.guru3d.com
This security vulnerability encompasses a wide range of models containing both Intel and AMD chipsets, inclusive of the newest Z790 and X670 units. The issue stems from a poorly secured updater program utilized by Gigabyte to maintain firmware currency.
Eclypsium, a cybersecurity research company, recently identified a firmware backdoor impacting 271 Gigabyte motherboard models. During a fresh Windows installation, users might encounter a program suggesting a download of the latest driver or firmware. Regrettably, this seemingly harmless program can potentially serve as a conduit for malevolent entities.
Upon each system restart, firmware-embedded code activates an updater program, connecting to the internet to search and download the newest motherboard firmware. According to Eclypsium, Gigabyte's approach to this updater program lacks the requisite security, offering a potential entry point for malicious software installations on susceptible systems. The complexity arises from the fact that this updater is ingrained in the motherboard's firmware, hence posing a challenge for consumer elimination.
The usage of such updater programs is not exclusive to Gigabyte, as other motherboard manufacturers incorporate similar methodologies, bringing into question the overall security of these systems. Asus' Armoury Crate software, for instance, operates similarly to Gigabyte's App Center. Eclypsium's analysis shows that Gigabyte's updater connects with three distinct sites for firmware updates:
The cybersecurity firm established that Gigabyte's updater downloads code to the user's system devoid of proper authentication, lacking cryptographic digital signature confirmation or alternative validation procedures. As a result, both HTTP and HTTPS connections remain vulnerable to Machine-in-the-Middle (MITM) attacks, with HTTP connections being especially susceptible. Additionally, beyond its online connections, the updater was found to download firmware updates from a local network's NAS device, creating potential for a harmful actor to impersonate the NAS and infect the user's system with spyware.
The updater comes as a standard tool in Gigabyte motherboards. Eclypsium has provided an extensive list of the impacted models, which consists of 271 motherboards from both Intel and AMD chipsets. These models span from older AMD 400-series chipsets to the most recent Intel 700-series and AMD 600-series motherboards, which are also affected by this issue.
Eclypsium has communicated its findings to Gigabyte, and the company is actively seeking a resolution to this issue, likely to be implemented via a firmware update. While this is being addressed, Gigabyte motherboard owners can take precautionary steps to safeguard their systems.
It is advisable, as per Eclypsium, to disable the "APP Center Download & Install" feature within the motherboard's firmware to deactivate the updater. Additionally, users can implement a BIOS-level password as a protective measure against unauthorized and harmful activities. Lastly, users can block the three aforementioned sites that the updater connects with.
List of affected products here:
https://eclypsium.com/wp-content/uploads/Gigabyte-Affected-Models.pdf
Supply Chain Risk from Gigabyte App Center Backdoor - Eclypsium | Supply Chain Security for the Modern Enterprise
Eclypsium Research discovers that Gigabyte motherboards have an embedded backdoor in their firmware, which drops a Windows executable that can download and execute additional payloads insecurely. The backdoor affects gaming PCs and high-end computers.
eclypsium.com
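The three missing checks the article describes (no signature verification, plaintext HTTP, and trust in a local NAS) in the form a hardened updater would enforce, as an added Go example that is neither Gigabyte's nor Eclypsium's code: the update host name and the vendor signing key are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// UpdatePolicy is what a hardened updater pins before fetching anything:
// the vendor's signing key and the hosts it is allowed to contact.
type UpdatePolicy struct {
	AllowedHosts map[string]bool
	PublicKey    ed25519.PublicKey
}

// CheckUpdate accepts a downloaded payload only if it came from an allowed
// HTTPS host and carries a valid signature from the pinned vendor key.
func (p UpdatePolicy) CheckUpdate(source string, payload, sig []byte) error {
	u, err := url.Parse(source)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("refusing plaintext HTTP source: " + source)
	}
	if !p.AllowedHosts[u.Hostname()] { // a LAN NAS is not on the list
		return errors.New("refusing update from unlisted host: " + u.Hostname())
	}
	if !ed25519.Verify(p.PublicKey, payload, sig) {
		return errors.New("signature verification failed; payload rejected")
	}
	return nil
}

func main() {
	// Constructed sample: a throwaway vendor key, a fake payload, and its signature.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	policy := UpdatePolicy{AllowedHosts: map[string]bool{"updates.example.com": true}, PublicKey: pub}
	payload := []byte("firmware-update-v1")
	sig := ed25519.Sign(priv, payload)

	fmt.Println(policy.CheckUpdate("https://updates.example.com/fw.bin", payload, sig))            // <nil>: accepted
	fmt.Println(policy.CheckUpdate("http://updates.example.com/fw.bin", payload, sig))             // plaintext refused
	fmt.Println(policy.CheckUpdate("https://nas.local/fw.bin", payload, sig))                      // unlisted NAS refused
	fmt.Println(policy.CheckUpdate("https://updates.example.com/fw.bin", []byte("tampered"), sig)) // bad signature refused
}
```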