Security at the Core
From the United States to Europe, Taiwan, Japan, and Korea, our knowledgeable staff of UEFI firmware development experts are dedicated to building and securing trust at the firmware level.
Phoenix Security Team directly receives security notifications from industry partners and security agencies, and actively monitors security conferences and public Internet sources. If there is a new or emerging threat to firmware security, Phoenix is one of the first to know.
Phoenix works closely with silicon and operating system vendors, OEM and ODM customers, distribution partners and numerous industry groups to quickly deliver solutions to help keep computing devices secure. We issue regular security advisories to our licensees with detailed information on known product vulnerabilities, patches and mitigations, CVSS scoring, and references to external sources.
Product security doesn’t stop with us, or with your device vendor. All users should take care to keep their system firmware up to date to provide a safe computing experience.
Sunburst and SolarWinds Data Breach
In December 2020, cybersecurity researchers at FireEye discovered and reported a supply chain attack on SolarWinds software. The attack was conducted via a malicious software update to install a backdoor dubbed “SunBurst”, allowing attackers remote access to exfiltrate data and install additional malware. Phoenix does not use any SolarWinds products, and we have not heard of any proliferation of affected products beyond those of SolarWinds. We will continue to monitor the situation closely to act upon new information as it becomes available.
WinFlash and WinFlash32 Drivers
In May 2019, Phoenix was contacted by researchers from Eclypsium about a security concern regarding our WinFlash and WinFlash32 drivers. Upon investigation, we found that some of the interfaces could be used in unintended ways, as described in the Eclypsium report. Phoenix began reworking the drivers to remove those interfaces.
In late June 2019, Phoenix made available to its customers the updated drivers signed with new certificates. In addition, we advised customers that prior certificates for these drivers would be revoked in early Austust.
The researchers at Eclypsium publicly disclosed their findings at DEC CON 27.
Phoenix would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on a coordinated disclosure.
On September 27, 2018, security researchers from ESET publicly disclosed the discovery of a UEFI rootkit named “LoJax” that was “found in the wild”. LoJax is installed by using OS-level tools to modify the UEFI platform firmware in the system’s SPI flash memory. The LoJax rootkit installs malicious code into the operating system that allows a remote attacker to gain access to the system without the user’s knowledge.
Phoenix UEFI firmware provides protection against the LoJax attack by locking the SPI flash memory and implementing additional protections against the bypass mechanism described in the ESET public disclosure. We work closely with our valued customers and authorized distributors to help ensure their computing devices that include Phoenix UEFI firmware are safeguarded.
You may notice that the ESET whitepaper references an early version of Absolute Software Corporation’s anti-theft solution, Computrace (or LoJack small agent), and includes an image from a Lenovo ThinkPad laptop. Please note that LoJax is not an attack against Computrace, and the ThinkPad image was used to provide context for describing the legitimate Computrace component. Indeed, the researchers have named the rootkit “LoJax” because it uses a maliciously modified version of the Computrace OS agent software (also called LoJack small agent) to bypass OS-level anti-malware detection.
End users should also note that Secure Boot does not protect against LoJax, as previously stated in the first iteration of the ESET public disclosure. Phoenix recommends applying all firmware updates provided by your computing device manufacturer.
AMD Silicon (MASTERKEY, RYZENFALL, FALLOUT and CHIMERA)
On March 13, 2018, security researchers from CTS Labs publicly disclosed vulnerabilities discovered in certain AMD silicon, named MASTERKEY, RYZENFALL, FALLOUT, and CHIMERA. Phoenix’s UEFI firmware is not vulnerable to these attacks. Rather, attackers can take advantage of current designs in the AMD silicon to circumvent certain security controls and inject malware.
AMD has completed an assessment of the threats and provided a response regarding potential impacts and mitigation plans as stated on AMD’s corporate community blog. In short, AMD has determined that exploiting these vulnerabilities requires “administrative access to the system”, and that this level of access would provide an attacker with “a wide range of attacks well beyond the exploits identified” by CTS Labs. Nevertheless, the impact of a successful attack is a concern.
These vulnerabilities can be mitigated with a patch through a UEFI firmware update. Phoenix is working closely with AMD to deliver the relevant updates to our valued customers and authorized distributors as they are made available to us. For devices that include Phoenix’s UEFI firmware, please apply updates immediately once the patch is available. For end users, Phoenix recommends applying all firmware updates provided by your computing device manufacturer.
CVE-2018-8930, CVE-2018-8931, CVE-2018-8932, CVE-2018-8933, CVE-2018-8934, CVE-2018-8935, CVE-2018-8936
Meltdown and Spectre
A new class of security vulnerabilities, named Meltdown and Spectre, became public knowledge in early January 2018. Phoenix has been working closely with industry partners to quickly deliver patches to computing device manufacturers to protect against these new security vulnerabilities.
Phoenix’s firmware is not vulnerable to Meltdown and Spectre. Rather, attackers can use innovative new methods that exploit techniques used by Intel, AMD, and ARM to improve performance of their processors. By employing Meltdown/Spectre tactics, an attacker could potentially steal secrets, such as passwords and credit card information, which would normally be hidden by operating system protections.
While some aspects of these vulnerabilities can be mitigated with software patches, other aspects
require a patch for the processor itself, called a microcode update. Microcode updates are incorporated into the UEFI firmware. Phoenix is working closely with Intel and AMD to deliver firmware with the relevant microcode updates to our valued customers and authorized distributors as those updates are made available to us.
For end users, Phoenix recommends applying all software patches, including those provided for Operating Systems and Web Browsers, and firmware updates provided by your computing device manufacturer.
CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Reporting a Vulnerability
- Have you discovered a security vulnerability in a computer device that uses Phoenix UEFI firmware? If so, please use our secure reporting webpage to report the problem.
- Please do not send sensitive information over email.