Eclypsium researchers have found backdoor-like functionality in hundreds of Gigabyte motherboard models. Gigabyte intends the mechanism for updating, but threat actors could misuse it to attack systems and plant persistent malware.
Gigabyte's implementation is designed to download updates. Eclypsium explains that Gigabyte has embedded a Windows executable in the motherboard's UEFI firmware. The firmware writes this file to disk as part of the boot process; it is then loaded during Windows startup and contacts an Internet server operated by Gigabyte to check for and download updates. The researchers discovered that one of the servers was still using plain HTTP and that the HTTPS implementation used for the other servers did not validate the remote server's certificate correctly.
This allows third parties to attack systems using machine-in-the-middle attacks. Furthermore, the researchers note, there is no cryptographic signature verification or other validation of the downloaded firmware. While the executable that Gigabyte embeds in the firmware and the tools downloaded from the manufacturer are themselves cryptographically signed, threat actors may nevertheless use the backdoor to attack systems and infect them with persistent malware.
Eclypsium published a list of affected motherboard models here. It is a PDF document that lists motherboards and revisions. Programs such as the free Speccy reveal the make and model of the motherboard, and you may also find out how much RAM the motherboard supports.
Windows includes options to look up the information without using third-party tools. Here is how that works:
1. Use Windows-X to open the admin menu.
2. Run the following command: wmic baseboard get product,Manufacturer,version,serialnumber
3. The command returns the required information.
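The same lookup in PowerShell, as an added example that is not code from the article, Gigabyte or Eclypsium, and that also works on Windows builds where the deprecated wmic tool is no longer present. It reads the board and BIOS details via CIM and compares the board model against a list of affected models; the $AffectedModels entries are placeholders that you fill in from Eclypsium's PDF.

```powershell
# Added example: inventory check for a Gigabyte board on the local machine.
# $AffectedModels holds PLACEHOLDER values (assumption): replace them with the
# model names from Eclypsium's affected-motherboard PDF before relying on the result.
$AffectedModels = @(
    'PLACEHOLDER-MODEL-A',
    'PLACEHOLDER-MODEL-B'
)

function Get-BoardInventory {
    # Win32_BaseBoard and Win32_BIOS are standard WMI/CIM classes.
    $board = Get-CimInstance -ClassName Win32_BaseBoard
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    [PSCustomObject]@{
        Manufacturer = $board.Manufacturer
        Product      = $board.Product
        Version      = $board.Version
        SerialNumber = $board.SerialNumber
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosDate     = $bios.ReleaseDate
    }
}

function Test-AffectedBoard {
    param([Parameter(Mandatory)] $Inventory, [string[]] $Affected)
    # Only Gigabyte boards are in scope for this finding.
    if ($Inventory.Manufacturer -notmatch 'Gigabyte') { return $false }
    # Normalise case and whitespace: SMBIOS strings and the PDF may differ in formatting.
    $product = ($Inventory.Product -replace '\s+', '').ToUpperInvariant()
    foreach ($model in $Affected) {
        if ($product -eq (($model -replace '\s+', '').ToUpperInvariant())) { return $true }
    }
    return $false
}

$inv = Get-BoardInventory
$inv | Format-List
if (Test-AffectedBoard -Inventory $inv -Affected $AffectedModels) {
    Write-Warning "Board '$($inv.Product)' is on the affected list: check that 'App Center Download & Install' is disabled in UEFI/BIOS and that a BIOS password is set."
} else {
    Write-Output "Board '$($inv.Product)' is not on the affected list (make sure the list is current)."
}
```

Running the script across a fleet (for example through a remote session) gives administrators an inventory of which machines still need the BIOS setting checked.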
The researchers recommend that administrators disable the "App Center Download & Install" feature in the system's UEFI/BIOS. Doing so stops the process from running, so that it can't be exploited. They also recommend setting a BIOS password to protect the setting from manipulation by third parties.
Other options include checking for recently released Gigabyte firmware updates that address the issue, and blocking the server addresses that Gigabyte's tool uses for its downloads.
The firmware of Gigabyte motherboards can still be updated manually. This requires downloading the latest version of the BIOS from Gigabyte’s website and then using the company’s BIOS flash tool to apply the update.
While the risk appears relatively low for home systems, administrators of these systems may still want to make sure that the functionality is disabled in the BIOS. Organizations are the more likely target, and their system administrators should also ensure that the functionality is turned off.
Installation of new firmware updates for Gigabyte motherboards, if released by the manufacturer, may address the vulnerability. Gigabyte has not published an official response and it is unclear if and when firmware updates will become available.