In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access.
Or just leak the signing keys like they did with MSI. That quote describes the theory, but there are tons of shit-for-brains humans that can screw it up. The UEFI attack surface is much bigger than it has any right to be.
Oh man, I think you may have given me the clue I needed. On my second MSI X570s Max Edge WiFi board this year, because of what I believed was a UEFI/BIOS Rootkit. Strange things keep surviving complete wipes/reinstalls of my OS. Secureboot disabled/enabled, doesn’t matter. Plagued (among other annoyances) with some 10s sound clips that randomly play, network usage monitor showing I’m downloading half a TB a day, uploading a 1/4th of that, etc. ClamAV finding some Unix.Ransomware.eCh0raix process running (first install)…
Could you have solved my headache? Switch motherboard vendors altogether? Is my board affected? I built this thing less than a year ago, and money is tight. Need to stay on X570 chipset, too much invested in this AM4 build.
What the “How do attackers get in?” part doesn’t mention: What attackers actually need to get in.
For Boot Hole for example (taken from here: https://access.redhat.com/security/vulnerabilities/grub2bootloader):
Or just leak the signing keys like they did with MSI. That quote describes the theory, but there are tons of shit-for-brains humans that can screw it up. The UEFI attack surface is much bigger than it has any right to be.
Oh man, I think you may have given me the clue I needed. On my second MSI X570s Max Edge WiFi board this year, because of what I believed was a UEFI/BIOS Rootkit. Strange things keep surviving complete wipes/reinstalls of my OS. Secureboot disabled/enabled, doesn’t matter. Plagued (among other annoyances) with some 10s sound clips that randomly play, network usage monitor showing I’m downloading half a TB a day, uploading a 1/4th of that, etc. ClamAV finding some Unix.Ransomware.eCh0raix process running (first install)…
Could you have solved my headache? Switch motherboard vendors altogether? Is my board affected? I built this thing less than a year ago, and money is tight. Need to stay on X570 chipset, too much invested in this AM4 build.
Any environment that uses ipxe or maas is susceptible to these attacks