Intel is investigating the leak of alleged non-public keys utilized by the Intel Boot Guard safety function, doubtlessly impacting its capability to dam the set up of malicious UEFI firmware on MSI units.
In March, the Cash Message extortion gang attacked pc {hardware} make MSI, claiming to have stolen 1.5TB of information throughout the assault, together with firmware, supply code, and databases.
As first reported by BleepingComputer, the ransomware gang demanded a $4,000,000 ransom and, after not being paid, started leaking the info for MSI on their information leak website.
Final week, the menace actors started leaking MSI’s stolen information, together with the supply code for firmware utilized by the corporate’s motherboards.
Supply: BleepingComputer
Intel Boot Guard impacted by assault
On Friday, Alex Matrosov, the CEO of firmware provide chain safety platform Binarly, warned that the leaked supply code incorporates the picture signing non-public keys for 57 MSI merchandise and Intel Boot Guard non-public keys for 116 MSI merchandise.
“Intel is conscious of those experiences and actively investigating. There have been researcher claims that personal signing keys are included within the information together with MSI OEM Signing Keys for Intel® BootGuard,” Intel advised BleepingComputer in response to our questions concerning the leak.
“It must be famous that Intel BootGuard OEM keys are generated by the system producer, and these are usually not Intel signing keys.”
Matrosov stated that this leak could have brought about Intel Boot Guard to not be efficient on MSI units utilizing “eleventh Tiger Lake, twelfth Adler Lake, and thirteenth Raptor Lake” CPUs.
“We’ve proof the entire Intel ecosystem is impacted by this MSI information breach. It is a direct menace to MSI prospects and sadly not solely to them,” Matrosov advised BleepingComputer Friday afternoon.
“The signing keys for fw picture enable an attacker to craft malicious firmware updates and it may be delivered by way of a traditional bios replace course of with MSI replace instruments.”
“The Intel Boot Guard keys leak impacts the entire ecosystem (not solely MSI) and makes this safety function ineffective.”
Intel Boot Guard is a safety function constructed into trendy Intel {hardware} designed to stop the loading of malicious firmware, often known as UEFI bootkits. It’s a vital function used to satisfy Home windows UEFI Safe Boot necessities.
It is because malicious firmware hundreds earlier than the working system, permitting it to cover its actions from the kernel and safety software program, persist even after an working system is reinstalled, and assist set up malware on compromised units.
To guard towards malicious firmware, Intel Boot Guard will confirm if a firmware picture is signed utilizing a professional non-public signing key utilizing an embedded public key constructed into the Intel {hardware}.
If the firmware will be verified as legitimately signed, Intel Boot Guard will enable it to be loaded on the machine. Nonetheless, if the signature fails, the firmware is not going to be allowed to load.
Supply: Binarly
The most important downside with this leak is that the general public keys used to confirm firmware signed utilizing the leaked keys are believed to be constructed into Intel {hardware}. In the event that they can’t be modified, the safety function is not reliable on units utilizing these leaked keys.
“The Manifest (KM) and Boot Coverage Manifest (BPM) non-public keys had been discovered within the leaked MSI supply code. These keys are used for Boot Guard expertise which offers firmware picture verification with a {hardware} Root of Belief,” warns Binarly in an advisory shared on Twitter.
“The hash OEM Root RSA public key from the KM supervisor is programmed into chipset’s Subject Programmable (FPFs). The primary goal of the KM is to retailer the hash of an RSA public key from the BPM which in flip incorporates the data on the Boot Coverage, Preliminary Boot Block (IBB) description and it is hash.”
“The leaked non-public components of the talked about keys permits a possible attacker to signal the modified firmware for this machine, so it might cross Intel Boot Guard’s verification making this expertise fully ineffective.”
Whereas these keys is not going to doubtless be useful to most menace actors, some expert attackers have beforehand used malicious firmware in assaults, akin to CosmicStrand and BlackLotus UEFI malware.
“Now the function will be compromised and attackers can craft malicious firmware updates on impacted units with out concern about Intel Boot Guard,” Matrosov stated in a last warning shared with BleepingComputer
Binarly has launched a listing of impacted MSI {hardware}, comprising 116 MSI units reportedly compromised by the leaked Intel Boot Guard keys.
BleepingComputer has additionally contacted MSI and Intel with additional questions, however a response was not instantly out there.
Replace 5/8/23: Added assertion from Intel
