Companies Report Several of Their Products Are Vulnerable
Supermicro and Pulse Secure have each issued advisories this past week warning users that some of their products are vulnerable to the updated version of Trickbot malware that features a bootkit module, nicknamed Trickboot, which can search for UEFI/BIOS firmware vulnerabilities.
Server maker Supermicro confirmed that its X10UP “Denlow” series of motherboards have vulnerabilities that can be detected by Trickboot. Secure access gateway manufacturer PulseSecure notes that two of its Pulse Secure Appliance models can be exploited.
“Supermicro is aware of the Trickboot issue which is observed only with a subset of the X10 UP motherboards,” the company says, adding it will be providing a patch; however, it did not offer a time frame for when the patch would be issued.
PulseSecure has issued one BIOS patch for Pulse Connect Secure and Pulse Policy Secure with an update for Pulse One, which is for on-premises appliances only. As of now, the fix is still pending.
Trickboot is capable of discovering vulnerabilities and enabling attackers to read/write/erase a device’s BIOS. Security firms Eclypsium and Advanced Intelligence issued the first alert on Trickboot in December 2020, noting the pairing of Trickbot with a bootkit enables an attacker to automate a search for vulnerable devices (see: Trickbot Now Uses a Bootkit to Attack Firmware).
Supermicro will only automatically issue patches for devices that have not yet reached end-of-life status. For those past that date, the operators will have to request the patch directly from the company.
These are the affected X10 UP-series H3 Single Socket “Denlow” motherboards and their end-of-life dates:
- X10SLH-F (will EOL on 3/11/2021)
- X10SLL-F (EOL’ed since 6/30/2015)
- X10SLM-F (EOL’ed since 6/30/2015)
- X10SLL+-F (EOL’ed since 6/30/2015)
- X10SLM+-F (EOL’ed since 6/30/2015)
- X10SLM+-LN4F (EOL’ed since 6/30/2015)
- X10SLA-F (EOL’ed since 6/30/2015)
- X10SL7-F (EOL’ed since 6/30/2015)
- X10SLL-S/-SF (EOL’ed since 6/30/2015)
Until the mitigations are made available, Supermicro recommends that users check devices to ensure that BIOS write protections are enabled, verify firmware integrity by checking firmware hashes against known good versions of firmware and update the firmware to mitigate numerous vulnerabilities that have been discovered.
PulseSecure’s PSA-5000 and PSA-7000 are the only products in the company’s inventory that are affected. The former is a secure access appliance for medium to large enterprise customers, while the latter is intended to be used by enterprise-level organizations and government agencies.
Trickbot has been a primary tool used to dispense banking Trojans along with Ryuk and Conti ransomware. It is generally distributed “as-a-service,” with Symantec attributing its use to the Wizard Spider group. In October, Microsoft and several federal agencies knocked Trickbot’s servers offline, but the operators quickly bounced back (see: Updated Trickbot Malware Is More Resilient).