Intel Q35 Chipset Motherboard
Written by IT News on 4:50 PM
Intel has issued BIOS security updates for several desktop and mobile motherboards. The updates address a flaw in the Q35 chipset that can be used to run a rootkit in System Management Mode (SMM). The affected motherboard models are DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, DX38BT and MGM965TW (mobile).
Earlier this year, at the Black Hat conference, security researchers from Invisible Things Lab presented several exploits that can be used to attack the Xen hypervisor. One of them exploited a vulnerability in the Intel Q35 chipset. The researchers had to keep a few slides and the proof-of-concept code confidential until Intel issued fixes.
A hypervisor is the most privileged layer of a virtualized system. It boots together with a primary guest OS, called domain 0 (dom0), which benefits from direct access to the physical hardware. The other guest operating systems have limited privileges.
The advisory released by Intel along with the updates notes that, in certain circumstances, an attacker can change the code running in System Management Mode (SMM). "SMM is a privileged operating environment running outside of OS control," the advisory says. Running malware in SMM makes it OS-independent and shields it from security software running inside the operating system.
At Black Hat, Sherri Sparks and Shawn Embleton of Clear Hat Consulting presented a keylogger that can be installed in SMM on older systems, but claimed this would be impossible on newer systems because of a particular security feature: the D_LCK bit in the SMRAM control register, which once set prevents further changes to that register until the platform is reset. However, Joanna Rutkowska, founder and CEO of Invisible Things Lab, bypassed this protection on an Intel VT-enabled system to attack the Xen hypervisor. She explained that the bug in the Q35 chipset makes it possible to get around the D_LCK protection without a reboot.
Moreover, Joanna posted corrections to the Intel advisory on her blog. First, she argues that the bug is not strictly limited to SMM: "in fact, an attacker can also use this bug to directly modify the hypervisor memory, without jumping into SMM first." She also contradicts the advisory's claim that administrative (ring 0) privileges are needed. "Even on systems such as Linux, ring 0 access is not strictly necessary to carry out the attack; it is enough for the attacker to gain access to the PCI config space of the device at 0:0:0, which e.g. Linux can grant to usermode applications via an I/O system call," she notes.
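To make the SMRAM control register and the usermode PCI config access concrete, the following is an added example; it is not code from the article, from Intel or from Invisible Things Lab. It assumes the Q35 register layout: the SMRAMC byte sits at offset 0x9D in the PCI configuration space of device 0:0:0, with D_OPEN in bit 6, D_CLS in bit 5, D_LCK in bit 4, G_SMRAME in bit 3 and C_BASE_SEG in bits 2:0, and it reaches that config space through the legacy CONFIG_ADDRESS/CONFIG_DATA ports 0xCF8/0xCFC after iopl(3), which Linux grants to a process holding CAP_SYS_RAWIO. The decoder is pure and is exercised on constructed register values; the hardware read only compiles on x86 Linux and is skipped elsewhere.

```c
/*
 * Added example (not from the article, Intel or Invisible Things Lab):
 * decode the SMRAM control register (SMRAMC) of an Intel MCH and report
 * whether D_LCK is set. Assumed register layout (Q35 datasheet):
 *   PCI device 0:0:0, config offset 0x9D
 *   bit 6 D_OPEN   SMRAM readable/writable by non-SMM code when 1
 *   bit 5 D_CLS    SMRAM data references are routed to VGA space when 1
 *   bit 4 D_LCK    lock: once 1, D_OPEN is forced to 0 and SMRAMC is
 *                  read-only until a platform reset
 *   bit 3 G_SMRAME compatible SMRAM (A0000h-BFFFFh) enabled
 *   bits 2:0 C_BASE_SEG hardwired to 010b (A0000h) on Q35
 */
#include <stdint.h>
#include <stdio.h>

#define SMRAMC_OFFSET   0x9D
#define SMRAMC_D_OPEN   (1u << 6)
#define SMRAMC_D_CLS    (1u << 5)
#define SMRAMC_D_LCK    (1u << 4)
#define SMRAMC_G_SMRAME (1u << 3)
#define SMRAMC_BASE_SEG 0x07u

struct smramc {
    int enabled;        /* G_SMRAME */
    int open;           /* D_OPEN   */
    int closed;         /* D_CLS    */
    int locked;         /* D_LCK    */
    unsigned base_seg;  /* C_BASE_SEG */
};

/* Pure decoder: works on a constructed byte as well as a hardware read. */
struct smramc decode_smramc(uint8_t v)
{
    struct smramc s;
    s.enabled  = (v & SMRAMC_G_SMRAME) != 0;
    s.open     = (v & SMRAMC_D_OPEN) != 0;
    s.closed   = (v & SMRAMC_D_CLS) != 0;
    s.locked   = (v & SMRAMC_D_LCK) != 0;
    s.base_seg = v & SMRAMC_BASE_SEG;
    return s;
}

/* The state a hardened boot should leave behind: SMRAM enabled, closed to
 * non-SMM code, and locked. A register that is unlocked, or open, is what an
 * SMM rootkit installer needs; the Q35 bug matters because it gets the same
 * result even when this function would report "protected". */
int smramc_is_protected(uint8_t v)
{
    struct smramc s = decode_smramc(v);
    return s.enabled && s.locked && !s.open;
}

/* Legacy PCI configuration mechanism #1: CONFIG_ADDRESS value for
 * bus:dev.fn plus register offset (bit 31 = enable, low two bits zero). */
uint32_t pci_cfg_addr(unsigned bus, unsigned dev, unsigned fn, unsigned off)
{
    return 0x80000000u | ((bus & 0xFFu) << 16) | ((dev & 0x1Fu) << 11)
         | ((fn & 0x07u) << 8) | (off & 0xFCu);
}

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <sys/io.h>
/* Read SMRAMC from the host bridge through ports 0xCF8/0xCFC. This is the
 * access path the article's last quote refers to: no ring 0 code of our own,
 * only iopl(3), which Linux grants to a process holding CAP_SYS_RAWIO.
 * Inside a VM the 0:0:0 config space is emulated and the byte means nothing. */
int read_smramc_hw(uint8_t *out)
{
    if (iopl(3) != 0)
        return -1;  /* no CAP_SYS_RAWIO: port I/O would fault */
    outl(pci_cfg_addr(0, 0, 0, SMRAMC_OFFSET), 0xCF8);
    *out = (uint8_t)(inl(0xCFC) >> ((SMRAMC_OFFSET & 3) * 8));
    return 0;
}
#else
int read_smramc_hw(uint8_t *out) { (void)out; return -1; }
#endif

int main(void)
{
    uint8_t v;
    if (read_smramc_hw(&v) != 0) {
        /* Constructed fallback so the decoder runs offline:
         * G_SMRAME | D_LCK | C_BASE_SEG=010b, i.e. a correctly locked register. */
        v = 0x1A;
        puts("hardware read unavailable (not x86 Linux or no CAP_SYS_RAWIO); using constructed 0x1A");
    }
    struct smramc s = decode_smramc(v);
    printf("SMRAMC=0x%02x enabled=%d open=%d closed=%d locked=%d base_seg=%u -> %s\n",
           v, s.enabled, s.open, s.closed, s.locked, s.base_seg,
           smramc_is_protected(v) ? "protected" : "NOT protected");
    return 0;
}
```

The same byte can also be read with root from /sys/bus/pci/devices/0000:00:00.0/config at offset 0x9D, which avoids raw port I/O; either way, on a chipset with a different SMRAMC layout or inside a virtual machine the value tells you nothing, which is why the assumptions are spelled out in the comments.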
Since the flaw has now been fixed, the Invisible Things Lab team plans to publish the previously withheld slides and code next week. The advisory contains information on how to determine whether your hardware is affected and how to update its firmware.