More than 200 models of GIGABYTE motherboards have a "defect that allows malware to be installed on Windows when the PC starts"
It has emerged that GIGABYTE motherboards have a "flaw that allows arbitrary executable files to be installed on Windows". The flaw has been confirmed in more than 200 models, and prompt firmware updates are recommended.
Supply Chain Risk from Gigabyte App Center Backdoor - Eclypsium | Supply Chain Security for the Modern Enterprise
The flaw in GIGABYTE motherboards was discovered by the security company Eclypsium. According to Eclypsium, its automated detection system flagged "an executable file being written during the Windows boot process" on a PC with a GIGABYTE motherboard. Eclypsium's detailed analysis then revealed more than 200 models capable of writing the executable.
The UEFI firmware of the affected motherboards contains a volume with the GUID 'AEB1671D-019C-4B3B-BA00-35A2E6280436', and inside that volume an executable is stored as the file '8ccbee6f7858ac6b92ce23594c9e2563ebcef59414b5ac13ebebde0c715971b2.bin'. During the Windows boot process this executable, which resides in UEFI, was automatically written to '%SystemRoot%\system32\GigabyteUpdateService.exe' and was running as a Windows service.
This behaviour by itself looks like normal operation of GIGABYTE's update system, but the update system was designed to contact one of 'http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4', 'https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4' or 'https://software-nas/Swhttp/LiveUpdate4' to download and execute an executable file. Of these, 'http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4' is served over plain HTTP and can easily be tampered with, so a tampered file could easily end up being executed.
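A defender who has dumped the firmware of a board (GIGABYTE or otherwise) will want to know whether it carries the same volume. The following is an added example, not code from the article, Eclypsium or GIGABYTE: it converts the GUID quoted above into the 16-byte EFI_GUID encoding used in firmware volume and file headers and reports where that encoding occurs in an image. The sample image is constructed, not a real dump.

```python
"""Scan a UEFI firmware image for the binary encoding of a known GUID."""
from __future__ import annotations

import hashlib
import struct
import uuid

# GUID of the volume named in the article (Eclypsium's finding).
APPCENTER_VOLUME_GUID = "AEB1671D-019C-4B3B-BA00-35A2E6280436"


def guid_to_efi_bytes(guid_str: str) -> bytes:
    """Return the EFI_GUID on-disk form: the first three fields are
    little-endian integers, the remaining 8 bytes are stored as-is."""
    u = uuid.UUID(guid_str)
    head = struct.pack("<IHH", u.time_low, u.time_mid, u.time_hi_version)
    return head + u.bytes[8:]


def find_guid_offsets(image: bytes, guid_str: str) -> list[int]:
    """Return every offset at which the GUID's EFI encoding appears."""
    needle = guid_to_efi_bytes(guid_str)
    offsets: list[int] = []
    start = 0
    while (pos := image.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def scan_image(image: bytes) -> dict:
    """Summarise an image: its SHA-256 and where the App Center volume GUID sits."""
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "appcenter_guid_offsets": find_guid_offsets(image, APPCENTER_VOLUME_GUID),
    }


# Constructed sample image: padding with the GUID embedded at offset 0x40.
SAMPLE_IMAGE = (b"\xff" * 0x40
                + guid_to_efi_bytes(APPCENTER_VOLUME_GUID)
                + b"\xff" * 0x40)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    print(scan_image(data))
```

Run it with the path of a firmware dump as the first argument; an empty offset list means the encoding was not found, while a hit is a reason to inspect that volume with a UEFI parsing tool and to check the board's "APP Center Download & Install" setting.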
The list of affected motherboards published by Eclypsium (PDF file) covers more than 200 models with chipsets such as 'Intel Z790', 'Intel B760', 'Intel Z690', 'Intel B660', 'Intel H610', 'AMD X670', 'AMD B650', 'AMD X570' and 'AMD B550'.
Because the flaws discovered this time reside in the UEFI firmware, reinstalling Windows does not remove the threat. Eclypsium therefore urges owners of affected motherboards to take the following actions:
・Update the firmware to the latest version
・Disable 'APP Center Download & Install' in UEFI
・Set a password in the BIOS
・Block 'http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4', 'https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4' and 'https://software-nas/Swhttp/LiveUpdate4'
In addition, there are reports that the volume 'AEB1671D-019C-4B3B-BA00-35A2E6280436' in which the problematic executable file was stored is also present in ASRock's 'X670E Pro RS' motherboard, so similar risks may exist for motherboards from manufacturers other than GIGABYTE.
This issue is not specific to Gigabyte, but likely invented by AMI and pushed for downstream OEMs as a 'value-add' and 'major feature'.
— Nikolaj Schlej (@NikolajSchlej) May 31, 2023
Here is a file with the same GUID inside UEFI image for Asrock X670E Pro RS, and it does start a similar 'Auto Driver Update' tool using WPBT. https://t.co/3qu5Fi2Fta pic.twitter.com/yrQM78VGoS