Gigabyte rolls out firmware update to close backdoor

Gigabyte rolls out firmware update to plug recently disclosed security hole


Updated BIOS code and signature verification process for files downloaded from remote servers

Gigabyte has released new firmware to mitigate the potential security risk posed by a firmware issue affecting over 270 of its motherboard models.

The updates come after researchers at cybersecurity firm Eclypsium identified backdoor-like behaviour on certain Gigabyte motherboards.

The researchers found that the firmware on the affected models drops and runs a Windows native executable during system startup, and that this executable in turn downloads and runs additional payloads.

Windows includes a feature known as the Windows Platform Binary Table (WPBT), which lets firmware developers embed an executable in the firmware image and have the operating system run it automatically. In practice, the WPBT feature allows vendors and OEMs to ship an .exe programme inside the UEFI firmware; on every boot, Windows reads the table from UEFI and executes that .exe.

Gigabyte motherboards also use the WPBT functionality to automatically install an auto-update application on new Windows installations.

While the feature provides a convenient method for updating the motherboard firmware, the researchers discovered several security vulnerabilities in the process used by Gigabyte.

These vulnerabilities could be exploited by attackers to deliver malware through man-in-the-middle (MitM) attacks.

According to Eclypsium's investigation, the Gigabyte updater program contacts three separate URLs to check for firmware updates.

The researchers noted that in some instances the downloads take place over plaintext HTTP rather than encrypted HTTPS.

Additionally, the researchers noted that Gigabyte did not perform any signature verification on the downloaded files, another security gap in the process.

Because the UEFI code is stored directly on the motherboard, any malware that manages to infiltrate the firmware can persist even if the drives are wiped and the operating system is reinstalled. Malware that persists in firmware is considerably harder to eradicate and requires specialised measures to remove completely.

Eclypsium compiled an extensive list of the impacted models, encompassing a total of 271 motherboards across both Intel and AMD platforms. This list includes various models, including those dating back to AMD 400-series chipsets. It is worth noting that even the latest Intel 700-series and AMD 600-series motherboards contain this vulnerability, underscoring the wide-ranging nature of the issue.

Gigabyte has now released firmware updates for a range of motherboard series, including Intel 400/500/600/700 and AMD 400/500/600 series, in order to address these identified issues.

Additionally, the company has emphasised its commitment to enhancing security measures by implementing stricter security checks during the operating system boot process.

"These measures are designed to detect and prevent any possible malicious activities, providing users with enhanced protection," it noted.

The company has made significant improvements to the signature verification process for files downloaded from its remote servers. This enhanced verification ensures the integrity and legitimacy of the downloaded contents, thwarting attempts by attackers to insert malicious code.

Gigabyte has also enabled standard cryptographic verification for remote server certificates.

This important step helps guarantee that files are exclusively downloaded from servers that possess valid and trusted certificates. By incorporating this measure, an additional layer of protection is established, further enhancing the security of the downloading process.
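The two weaknesses the researchers describe (plaintext HTTP downloads and no signature check on the downloaded files) and the two remedies Gigabyte describes (signature verification of downloads and certificate verification of the remote server) map onto a small, well-defined set of client-side checks. The following Go program is an added example written for this article; it is not Gigabyte's updater code nor Eclypsium's, and it assumes a hypothetical manifest format (version plus SHA-256 of the payload) signed with Ed25519, a pinned vendor public key, and placeholder URLs under `example.invalid`. It shows an HTTPS-only URL policy, an HTTP client that keeps certificate chain validation on, and verification of a signed manifest followed by a digest check on the payload before anything is executed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// CheckUpdateURL enforces the transport policy: update metadata and payloads
// may only be fetched over HTTPS from a non-empty host.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable update URL %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing non-HTTPS update source %q", raw)
	}
	if u.Host == "" {
		return fmt.Errorf("update URL %q has no host", raw)
	}
	return nil
}

// NewUpdateClient returns an HTTP client that keeps Go's default server
// certificate verification enabled and refuses pre-TLS-1.2 connections.
func NewUpdateClient() *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				MinVersion:         tls.VersionTLS12,
				InsecureSkipVerify: false, // stated explicitly: never disable chain validation
			},
		},
	}
}

// EncodeManifest serialises the hypothetical signed metadata format used in
// this example: "<version>\n<hex sha256 of payload>".
func EncodeManifest(version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(version + "\n" + hex.EncodeToString(sum[:]))
}

// SignManifest is the vendor-side step (hypothetical): sign the manifest
// bytes with the vendor's Ed25519 signing key, which never leaves the vendor.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client-side step: the manifest signature must verify
// under the pinned public key, and the payload's SHA-256 must match the digest
// carried in the manifest. Returns the verified version string on success.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, payload []byte) (string, error) {
	if len(pub) != ed25519.PublicKeySize {
		return "", errors.New("pinned public key has wrong size")
	}
	if !ed25519.Verify(pub, manifest, sig) {
		return "", errors.New("manifest signature verification failed")
	}
	parts := strings.SplitN(string(manifest), "\n", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed manifest")
	}
	want, err := hex.DecodeString(parts[1])
	if err != nil || len(want) != sha256.Size {
		return "", errors.New("manifest carries an invalid digest")
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return "", errors.New("payload digest does not match signed manifest")
	}
	return parts[0], nil
}

func main() {
	// Constructed demo: a throwaway vendor key pair and a fake payload, then a
	// clean verification followed by a tampered-payload failure.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed updater binary contents")
	manifest := EncodeManifest("1.2.3", payload)
	sig := SignManifest(priv, manifest)

	fmt.Println(CheckUpdateURL("http://updates.example.invalid/app.exe"))  // rejected: not HTTPS
	fmt.Println(CheckUpdateURL("https://updates.example.invalid/app.exe")) // <nil>

	v, err := VerifyUpdate(pub, manifest, sig, payload)
	fmt.Println(v, err) // 1.2.3 <nil>
	_, err = VerifyUpdate(pub, manifest, sig, append(payload, 'x'))
	fmt.Println(err) // payload digest does not match signed manifest
	_ = NewUpdateClient()
}
```

The order of checks matters: the transport policy and certificate validation stop an on-path attacker from substituting a server, and the signature over the manifest plus the digest over the payload mean that even a compromised or spoofed server cannot hand the updater a file it will run. Signing a small manifest rather than the binary itself keeps the signed object simple and lets the same manifest cover several files, but the digest comparison is what ties the downloaded bytes to the signature.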