Supermicro, Pulse Secure Respond to Trickbot’s Ability to Target Firmware
Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware.
In early December, security researchers at Advanced Intelligence (AdvIntel) and enterprise device security firm Eclypsium revealed that Trickbot not only survived a takedown attempt, but also gained the ability to scan UEFI/BIOS firmware for vulnerabilities that would allow making modifications.
Referred to as Trickboot, the ability would enable TrickBot operators to use firmware implants and backdoors in their attacks, control the boot operations to fully control systems, or even start bricking devices, the researchers warned at the time.
“TrickBoot is a new functionality within the TrickBot malware toolset capable of discovering vulnerabilities and enabling attackers to read/write/erase the device’s BIOS,” Supermicro notes in an advisory published this week.
The malware can check if the BIOS control register is unlocked and if modifications could be made to the BIOS region contents, and then implant malicious code that would survive OS reinstalls.
Supermicro said the vulnerability affects a subset of the X10 UP motherboards and that a mitigation will be provided. However, only products that have not reached end of life (EOL) will automatically receive the BIOS update. Patches for EOL products will be provided at request.
“A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) could allow an attacker to compromise BIOS firmware. This vulnerability can be exploited only as part of an attack chain. Before an attacker can compromise the BIOS, they must exploit the device,” Pulse Secure notes in its advisory.
The company says that only two of its device models are affected, namely PSA-5000 and PSA-7000. Patches are available for Pulse Connect Secure / Pulse Policy Secure and are pending release for Pulse One (the on-prem appliance only).