Vulnerabilities

32 hardware and firmware vulnerabilities

Hardware and firmware vulnerabilities can put your business and your customers’ sensitive data at risk, costing you in diminished sales, reputation loss and penalties. Most of them arise from continued use of legacy systems and out-of-date software that are no longer maintained by their respective vendors. The fact that the majority of these loopholes don’t necessarily raise a red flag may allow hackers to steal information, inject malware or completely hijack your applications or corporate systems.

Below, we give a breakdown of the 32 most commonly exploited hardware and firmware vulnerabilities. If any of these relate to systems or devices that are under your jurisdiction, it’s extremely important that you take steps to plug these holes before disaster strikes.

Learn Vulnerability Management

Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.

Start Learning

Hardware vulnerabilities

1. Directory traversal

Old computer routers can have serious flaws that enable remote adversaries to take control of them. A Kyle Lovett security researcher, for instance, found that more than 700,000 ADSL routers distributed to various customers suffered from the “directory traversal” vulnerability that provides hackers with a way to extract administrative details.

2. Rowhammer

Rowhammer is classified as a vulnerability affecting some recent DDR DRAM devices where repeated access to a memory row can result in bit flips in adjustment rows. This means that, tentatively, a hacker can change any value of the memory’s bit.

3. Meltdown RDCL

Meltdown RDCL (Rogue Data Cache Load) capitalizes on the non-functional execution capabilities of Intel CPUs. Hackers can use it to break through the kernel’s privilege boundaries, which typically safeguard sensitive secrets.

4. Thunderclap 

Thunderclap is a collection of hardware vulnerabilities that reside in the Thunderbolt hardware interface produced by Intel. It can be used by hackers with physical access to a Thunderbolt port to overtake a target system in just a few seconds, executing arbitrary code at the highest level of privilege and gaining access to encryption keys, passwords, banking logins and other data.

5. Speculative Store Bypass (SBS)

A variant of the Spectre security vulnerability, SSB or Speculative Store Bypass enables hackers to execute memory readers before memory write addresses are revealed. It can also be used to leak cross-process data. The vulnerability impacts Intel, AMD and ARM variants of processors.

6. Screwed drivers 

According to researchers at Eclypsium, over 40 drivers from major BIOS vendors — including Huawei, Asus, Toshiba and NVIDIA — are susceptible to “screwed drivers” vulnerabilities. These are driver design flaws that enable hackers to escalate user privileges in order to access OS kernel models. The escalation opens and writes access to control registers (CR), model-specific registers (MSR), chipset I/O space, kernel and physical virtual memory.

7. Foreshadow

Foreshadow is an execution-related vulnerability that affects Intel CPUs. Hackers use it to extract sensitive data from the CPUs’ L1 data cache, which is accessible to all processor cores. An adversary could utilize the loopholes to read any information present in the cache, including protected data associated with the SMM (System Management Mode), the OS’s kernel or with other virtual machines managed by external cloud providers.

8. Intel LazyFP

This is a vulnerability that can be used to leak the state of the FPU (floating-point unit), which is a unique math coprocessor present in modern-day Intel CPUs. The FPU is generally used to enhance mathematical processors on point numbers. By capitalizing on this vulnerability, hackers can make local presses leak the contents of floating-point unit registers that connect with another process.

9. SWAPGS attack

Researchers at Bitdefender found a side-channel vulnerability that can be used against Intel CPUs and PCs running on them. Dubbed SWAPGS attack, the vulnerability is a novel side-channel exploit that benefits from the poorly documented behavior of SWAPGS, a system instruction that is used by the OS to switch between two “model-specific registers.” Hackers can use it to leak sensitive aspects of the kernel memory, including encryption keys and passwords.

10. Fallout

This is another speculative execution vulnerability that enables hackers to leak sensitive information across arbitrary protected boundaries on a target computer by, for instance, attacking data stored in the cloud or leaking it on malicious websites. This is done by exploiting the Microarchitectural Data Sampling (MDS) side-channel loopholes in Intel CPUs. The vulnerability impacts both hypervisors and operating systems.

11. CVE-2018-6260

This vulnerability was discovered in the kernel mode layer handler component of the NVIDIA Windows GPU Display Driver. In this case, the layer handler for DxgDgiEscape (nvlddmkm.sys) inside the kernel doesn’t correctly organize shared data, which could result in glitches in the behavior of information, leading to the potential escalation of privileges, data disclosure and DoS (Denial of Service) in gaming devices.

12. Bounds Check Bypass Store (BCBS)

This is another variant of the Spectre hardware vulnerability. BCBS enables hackers to compromise the branch prediction capability of modern-day CPUs. After this, they can utilize the CPU’s cache as a side-channel exploit to extract data from the memory of other processes. The vulnerability enables one process to spoof information from the memory of another process but could also bypass the privilege boundary of kernel/user memory. BCBS affects IBM, Intel and a small range of ARM central processing units.

13. USBAnywhere

This is a collection of USB vulnerabilities that affect the BMC (baseboard management controller) on Supermicro’s server hardware. Hackers can use them to hijack thousands of server boards. The vulnerabilities include unauthenticated network traffic and plaintext authentication, an authentication bypass flaw and weak encryption for remote connections in X11 and X10 server boards that would enable new users on the virtual machine to utilize a previous user’s permissions. 

14. Rowhammer.js

This vulnerability is an execution of the previously discussed Rowhammer attack through JavaScript. In this case, hackers need nothing but a JavaScript to launch a fully automated attack that triggers errors on remote hardware, thereby gaining access to the unrestricted areas of the target system.

15. NDProxy buffer overflow

This is an escalated privilege vulnerability that affects the Remote Access and Routing NDProxy component of the Windows kernel. The usual cause is the incorrect validation of commands passed from user mode to the kernel mode. Adversaries could utilize it to execute code with escalated privileges and gain full control over a target system. They could then view, change or delete data, as well as install malicious programs on the machine.

16. Flip Feng Shui (FFS)

This is an exploitation vector that enables a virtual machine of a malicious actor to flip a bit in a memory page of a targeted virtual machine that’s active and operating on the same host as the hacker’s VM. FFS utilizes the hardware vulnerability for flipping of bits and a “physical memory massaging” primitive to redirect a victim page on an at-risk physical memory base.

17. SpectreRSB

Researchers at the University of California at Riverside discovered a side-channel vulnerability that manipulates a unique part of the speculative execution process known as the return stack buffer (RSB). RSB can be manipulated via user code and direct pollution, where an adversary can insert a call instruction as a value pushed to the software stack and the RSB. Specifically, the stack is manipulated to ensure the return address doesn’t match the return buffer stack, allowing the bad actor to spoof data running on a CPU. The vulnerability may impact CPUs made by ARM, AMD and Intel. 

18. Secure Boot hardware vulnerability

Outdated variants of Secure Boot, Cisco’s trusted hardware root-of-trust, contain a bug that could enable a local hacker to compose a modified firmware image to a target component. Successful exploits could either result in the device becoming unusable or enable tampering with the verification process. The main reason behind the vulnerability is improper checks on the area of code that regulates on-premise installations to a FPGA (Field Programmable Gate Array), part of the Secure Boot implementation.

19. RAMBleed

RAMBleed is a Rowhammer-type vulnerability that could allow hackers to potentially steal sensitive information from memory cells rather than simply modifying them. While conventional Rowhammer attacks are used to cause bits in adjacent memory rows to flip their values, RAMBleed attacks are used as a side-channel to infer details about and eventually extract information from neighboring memory cells.

Firmware vulnerabilities

20. Intel SA-00191 

Specific Intel firmware is susceptible to security vulnerabilities that may allow hackers to disclose sensitive information, escalate privileges and launch DoS (Denial of Service) attacks. Products that incorporate Intel technology, such as the NetApp suite of products, are also at risk until hardware vendors move them to a patched and secure platform.

21. Thunderstrike

Thunderstrike allows hackers to exploit vulnerabilities in the firmware of Apple Macbooks in order to inject firmware rootkits when malicious systems were connected with Thunderbolt ports. Attackers primarily target Thunderbolt-linked accessories that are using Option ROMs, infecting all Macs that connected to it at boot. The infected machines can then pass the malicious code to other accessories, which could then affect other Macs.

22. MergePoint EMS command injection

Researchers at Eclypsium found a command injection vulnerability in MergePoint EMS component of BMC firmware. Hackers can use it to run malicious code with escalated privileges on a machine running the vulnerable BMC firmware. Companies like Lenovo and Gigabyte use the MergePoint EMS component as the firmware of the baseboard management controller that ships with some variants of their server-line motherboards.

23. ROCA

ROCA, or the Return of Coppersmith, allows the RSKA keys generated through Infineon’s SEs (Secure Elements) and TPMs (Trusted Platform Modules) to be highly vulnerable to factorization attacks. These attacks are specifically designed to recover the RSA keys. Successful exploitation could potentially enable a hacker to remotely reverse-calculate encryption keys by just having a single victim’s public key.

24. Windows Error Reporting CVE-2019-0863

Certain versions of Microsoft Windows are prone to a privilege-hijacking vulnerability that allows hackers to gain escalated privileges. The vulnerability, referred to as CVE-2019-0863, is associated with the Windows Error Reporting feature and is being leveraged by adversaries who have gained remote access to target systems. They’re able to activate arbitrary code execution at the kernel level via malware that allows them to go from user to admin-level execution in a matter of seconds.

25. Intel NUC Kit buffer overflow

Outdated firmware in Intel NUC (Next Unit of Computing), a mini-computer kit used for digital signage, gaming and more, suffers from a buffer overflow vulnerability that could enable hackers to potentially execute DoS (Denial of Service), escalation of privileges and data disclosure through local access. Typically, the root cause of such vulnerabilities is coding errors. Common development errors that can result in buffer overflows include neglecting to cross-check overflow issues and failing to assign big enough buffers.

26. Key Reinstallation Attacks (KRACK)

Key Reinstallation Attacks, or KRACK, target a weakness in the firmware of the WPA2 wireless security standard, which is used to secure most Wi-Fi networks in existence. Adversaries can use the exploit to intercept the traffic between a victim’s device and their router and launch man-in-the-middle attacks, such as injecting malicious data into the wireless stream for modifying web pages or installing malware.

27. QualPwn CVE-2019-10540

This is a buffer-overflow vulnerability that could potentially affect millions of Android handsets using Qualcomm’s Wi-Fi controller firmware. Hackers can exploit it by maliciously broadcasting crafted packets of data over the air so that when they’re accommodated by vulnerable devices, the arbitrary code present in the packets is injected by the controller. The executed code will run within the standard environment of the Wi-Fi controller, and can consequently allow the adversary to spoof on the device’s wireless communications.

28. BadUSB

This is a major security vulnerability that enables hackers to convert simple USB devices, such as keyboards, into a way of executing malicious commands from the user’s PC to trigger actions or communicate with a command-and-control server owned by hackers. For the purpose, the USB controller chip’s firmware needs to be reprogrammed — that’s exactly what the vulnerability allows hackers to do. 

29. CVE-2018-14847 WinBox RouterOS vulnerability

Specific firmware in WinBox, a small utility that enables administration of MikroTik RouterOS, suffers from a vulnerability that allows a special tool to connect to its port and request user database file. Successful exploitation of this vulnerability could allow hackers to gain escalated privileges and write arbitrary files in the WinBox interface.

30. TPM Firmware RSA vulnerability

Certain versions of the Infineon TPM firmware suffer from a vulnerability that results in the RSA keys created by the TPM being prone to attacks. These attacks enable hackers to spoof the private half of the RSA keys just by using the public key. The RSA vulnerability affects a variety of Chrome OS devices, such as Toshiba computers and devices that use TPMs.

31. Intel Management Engine MFS file system vulnerability

Dmitry Sklyarov, a security expert at Positive Technologies, discovered a serious vulnerability in the Intel Management Engine firmware that exploits safety mechanisms in the MFS file system. Hackers can exploit this flaw to manipulate the setup of MFS (which is used by Intel to save data) and extract sensitive secrets.

32. CVE-2018-4251 Blade firmware vulnerability

The last on this list is a firmware vulnerability present in Razor Blade laptops. CVE-2018-4251 associates to the Intel Manufacturing Mode, which is part of Intel-based systems’ motherboard firmware. 

While the vulnerability doesn’t let hackers gain control over a Blade computer on its own, it provides a tempting goal if they manage to gain access. They can, for example, modify system settings to conceal the malware from being thwarted by telling the laptop that the malware is supposed to be there. In addition, adversaries could use the Manufacturing Mode to generate their own system configuration choices and inject them into the hacked computer.

Conclusion

While you might think it’s impossible to protect against all of these hardware and firmware vulnerabilities, you can significantly reduce your risk exposure by replacing legacy systems and updating to the latest available firmware. Organizations should also strive to automate as much of the process as possible, which includes automatic updating of applications and the OS as soon as the vendor seeds a new version. Running hardware and software on the latest firmware is critical to safeguarding both household and corporate computing devices.

Learn Vulnerability Management

Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.

Start Learning

Sources

• ‘Directory Traversal’ Flaw exposes 700,000 ADSL Routers provided by ISPs to remote hacking, ETech
• SCREWED DRIVERS – SIGNED, SEALED, DELIVERED, Eclypsium
• CRITICAL SWAPGS ATTACK, Bitdefender
• Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song and Nael Abu-Ghazaleh, "Spectre Returns! Speculation Attacks using the Return Stack Buffer"
• VULNERABLE FIRMWARE IN THE SUPPLY CHAIN OF ENTERPRISE SERVERS, Eclypsium
• Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys, Positive Technologies