Intel has issued BIOS security updates for several desktop and mobile motherboards. The updates address a flaw in the Q35 chipset that can be exploited in order to run rootkits within the System Management Mode (SMM). The affected motherboard models are DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, DX38BT and MGM965TW (Mobile).
Earlier this year, at the Black Hat Conference, security researchers from the Invisible Things Lab presented multiple exploits that can be used to hack the Xen hypervisor. One of these exploits made use of a vulnerability in the Q35 Intel chipset. The researchers were forced to keep some slides and the proof-of-concept code secret until Intel issued fixes.
A hypervisor is the most privileged layer of a virtualized system. It boots together with the primary guest OS, called domain0 (dom0), which has direct access to the physical hardware. The other guest operating systems run with limited privileges.
The advisory released by Intel along with the updates notes that under certain circumstances an attacker can modify code running in the System Management Mode (SMM). "SMM is a privileged operating environment running outside of OS control," explains the advisory. Running malware under SMM makes it OS-independent and shields it from security software running within the operating system.
At Black Hat, Sherri Sparks and Shawn Embleton of Clear Hat Consulting presented a keylogger that can be installed in SMM on older systems, but claimed this would be impossible to achieve on newer systems because of a certain security feature. That feature is a bit called D_LCK residing in the SMRAM control register. However, Joanna Rutkowska, Founder and CEO of Invisible Things Lab, bypassed it on Intel VT-enabled systems in order to hack the Xen hypervisor. She explained that the bug in the Q35 chipset allows the D_LCK bit to be cleared without a reboot.
Moreover, Rutkowska posted corrections to the Intel advisory on her blog. First, she claims that this bug is not strictly limited to SMM - "in fact an attacker might also use this bug to directly modify the hypervisor memory, without jumping into the SMM first". She then contradicts the advisory, which claims that administrative (ring0) privileges are needed. "Also, in case of e.g. Linux systems, the Ring0 access is not strictly required to perform the attack, as it's just enough for the attacker to get access to the PCI config space of the device 0:0:0, which e.g. on Linux can be granted to usermode applications via the iopl() system call," she notes.
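As an added example (not code from the article, Intel or Invisible Things Lab), a defender-side check for the register the two paragraphs above describe: it reads the SMRAM control register from the host bridge's PCI config space on Linux and reports whether SMRAM is enabled, locked (D_LCK set) and closed to non-SMM code. It assumes that SMRAMC is the byte at config offset 0x9D of device 0000:00:00.0, as documented for Intel 9xx/3-series chipsets; confirm the offset against your chipset's datasheet.

```python
# Assumption (not from the article): on Intel 9xx/3-series chipsets such as
# the Q35, the SMRAM control register (SMRAMC) is the byte at PCI config
# offset 0x9D of the host bridge, device 0000:00:00.0. Check the datasheet
# for your chipset before relying on this offset.
SMRAMC_OFFSET = 0x9D
HOST_BRIDGE_CONFIG = "/sys/bus/pci/devices/0000:00:00.0/config"

# SMRAMC bit layout as documented for those chipsets.
D_OPEN = 1 << 6    # SMRAM accessible to code running outside SMM
D_CLS = 1 << 5     # SMRAM closed to data references
D_LCK = 1 << 4     # lock: base and D_OPEN frozen until the next reset
G_SMRAME = 1 << 3  # global SMRAM enable

def decode_smramc(value):
    """Split one SMRAMC byte into its security-relevant flags."""
    return {
        "g_smrame": bool(value & G_SMRAME),
        "d_open": bool(value & D_OPEN),
        "d_cls": bool(value & D_CLS),
        "d_lck": bool(value & D_LCK),
    }

def assess_smramc(value):
    """Return (ok, findings): ok only if SMRAM is enabled, locked and
    not opened to non-SMM code."""
    flags = decode_smramc(value)
    findings = []
    if not flags["g_smrame"]:
        findings.append("G_SMRAME clear: SMRAM is not enabled")
    if flags["d_open"]:
        findings.append("D_OPEN set: SMRAM is readable and writable outside SMM")
    if not flags["d_lck"]:
        findings.append("D_LCK clear: SMRAMC is unlocked; firmware should set it")
    return (not findings, findings)

def read_smramc(path=HOST_BRIDGE_CONFIG):
    """Read SMRAMC from sysfs. Requires root: Linux hides config-space
    offsets beyond 0x40 from unprivileged readers, so the read comes back empty."""
    with open(path, "rb") as f:
        f.seek(SMRAMC_OFFSET)
        data = f.read(1)
    if len(data) != 1:
        raise IOError("could not read SMRAMC at offset 0x%02X (run as root?)" % SMRAMC_OFFSET)
    return data[0]

if __name__ == "__main__":
    ok, findings = assess_smramc(read_smramc())
    print("SMRAMC: SMRAM enabled and locked" if ok else "\n".join(findings))
```

A set D_LCK only shows that the BIOS locked SMRAM as intended; it says nothing about whether the Q35 bug that lets the lock be cleared has been fixed, which is what Intel's BIOS update is for.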
Now that the bug has been fixed, the Invisible Things Lab team plans to publish the previously withheld documentation and code next week. The advisory provides information on how to determine whether your hardware is affected and how to upgrade its firmware.