CVE-2017-8083 CompuLab IntensePC lacks BIOS Write Protection

["Hal Martin" <hal.martin () watchmysys com>]

Credits: Hal Martin
Website: watchmysys.com
Source: https://watchmysys.com/blog/2017/06/cve-2017-8083-compulab-intensepc-lacks-bios-wp/


Vendor:
====================
CompuLab (compulab.com)


Product:
====================
Intense PC / MintBox 2


Vulnerability type:
====================
Write-protection not enabled on system firmware


CVE Reference:
====================
CVE-2017-8083


Summary:
====================
Since 2013 CompuLab manufactures and sells the IntensePC/MintBox 2, which is a small Intel-based fanless PC sold to 
end-users and industrial customers. It was discovered that in the default configuration write-protection is not enabled 
for the BIOS/ME/GbE regions of flash.

CompuLab have created a patch to resolve the issue, however they have not yet released the patch publicly. This 
vulnerability is being published as the 90 day disclosure deadline has been reached.


Affected versions:
====================
All firmware versions since product release (latest public firmware is 21 June 2016)


Attack Vector:
====================
An attacker tricks the user into running a malicious executable with local administrator privileges, which updates the 
system firmware to include the attacker's code. The attacker may instead use a known OS exploit to perform the upgrade 
remotely (without user interaction or notification).


Proof of concept:
====================
I have created a modified firmware update which replaces the stock UEFI shell with the UEFI shell from EDK2. The update 
can be flashed from within Windows without any user interaction or notification. Firmware updates are not signed by 
CompuLab or verified by the existing firmware before upgrade.

The modified update can be downloaded here: 
https://watchmysys.com/blog/wp-content/uploads/2017/06/update-IPC-20160621-edk2.zip

Details of the full proof of concept can be found at the Source link above.


Disclosure timeline:
====================
1 March 2017: Vulnerability is reported to CompuLab via their support email address
2 March 2017: CompuLab replies they will create a beta BIOS to address the vulnerability
6 March 2017: I request a timeline to fix the issue
7 March 2017: CompuLab replies they will create a beta BIOS for testing and they “will provide an official public 
release in the future”
8 March 2017: CompuLab replies with instructions to run closemnf via the Intel FPT tool
8 March 2017: I inform CompuLab I am waiting for the official BIOS update to resolve the issue
8 March 2017: CompuLab replies with copy of Intel FPT tool and requests “not to publish or disclose this information”
8 March 2017: CompuLab is informed that details of the vulnerability will be published on 4 June 2017
23 April 2017: Issue is reported to MITRE
24 April 2017: Vulnerability is assigned CVE-2017-8083
3 May 2017: CompuLab communicates that they will delay fixing this vulnerability until Intel provides an updated ME 
firmware to address CVE-2017-5689
4 May 2017: I inform CompuLab that details of this vulnerability will be published on 4 June 2017 as previously 
discussed
11 May 2017: CompuLab sends a proposed fix for testing, the update script fails due to invalid command syntax for 
flashrom
14 May 2017: I inform CompuLab of the invalid syntax and provide the correct usage, and confirm that the fix enables 
write-protection on the ME/BIOS/GbE regions of flash
15 May 2017: CompuLab replies with a revised update script
15 May 2017: I inform CompuLab that the syntax of the revised script is correct, however my unit has already been 
updated so I cannot re-test
4 June 2017: Details of the vulnerability are published.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/