RingHopper, a UEFI vulnerability that allows code execution at the SMM level


If exploited, these flaws could allow attackers to gain unauthorized access to sensitive information or cause general disruption.

Details were recently disclosed about a vulnerability (already catalogued as CVE-2021-33164) discovered in UEFI firmware. The flaw allows code execution at the level of SMM (System Management Mode), which has higher privileges than hypervisor mode and protection ring zero and gives unrestricted access to all system memory.

The vulnerability, code-named RingHopper, is based on the possibility of a timing attack that uses DMA (Direct Memory Access) to corrupt memory in code running at the SMM layer.

The race condition between SMRAM access and its validation can be reached by a DMA timing attack that relies on a time-of-check to time-of-use (TOCTOU) condition. An attacker can use timed polling to try to overwrite the contents of SMRAM with arbitrary data, leading to the attacker's code running with the highest privileges available to the CPU (i.e. Ring -2). The asynchronous nature of SMRAM access through DMA controllers lets the attacker perform such unauthorized access and bypass the checks provided by the SMI handler API.

Intel VT and Intel VT-d technologies provide some protection against DMA attacks by using the Input Output Memory Management Unit (IOMMU) to counter DMA threats. Although the IOMMU can protect against hardware DMA attacks, SMI handlers vulnerable to RingHopper can still be abused.

The vulnerabilities can be exploited from the operating system through vulnerable SMI (System Management Interrupt) drivers, which requires administrator privileges. The attack can also be carried out with physical access at an early boot stage, before the operating system starts. To block the issue, Linux users are advised to update their firmware through LVFS (Linux Vendor Firmware Service) using the fwupdmgr utility (fwupdmgr get-updates) from the fwupd package.

The need for administrator privileges to carry out the attack limits the danger of the problem, but does not prevent its use as a second-stage vulnerability, to maintain persistence after exploiting other vulnerabilities in the system or using social engineering methods.

Access to SMM (Ring -2) allows code to run at a level not controlled by the operating system, which can be used to modify firmware and plant malicious code or rootkits hidden in SPI Flash that the operating system cannot detect, as well as to disable verification at the boot stage (UEFI Secure Boot, Intel BootGuard) and attack hypervisors in order to bypass environment integrity verification mechanisms.

The problem stems from a race condition in the SMI (System Management Interrupt) handler that occurs between the access check and the access to SMRAM itself. Side-channel analysis combined with DMA can be used to determine the right moment between the check of a state and the use of the check's result.

As a result, because SMRAM access through DMA is asynchronous, the attacker can time a DMA write so as to overwrite the contents of SMRAM, bypassing the SMI driver's API.
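As an added illustration (not code from the advisory or from any vendor's firmware), the C model below contrasts an SMI handler that re-reads the shared request after validating it with one that snapshots the request into SMRAM-private storage before checking it. The SMRAM layout, the request structure and the dma_retarget event are constructed; the DMA write that lands in the TOCTOU window is modelled as a deterministic callback so both handler styles can be compared.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: the OS fills a request in a shared "communication buffer";
 * the SMI handler validates it and then writes into SMRAM. Only the window
 * [ALLOWED_OFF, ALLOWED_OFF+ALLOWED_LEN) may be written; offset 0 is "protected". */
#define SMRAM_SIZE  64
#define ALLOWED_OFF 16
#define ALLOWED_LEN 16

typedef struct { uint32_t offset; uint32_t length; uint8_t value; } smi_request_t;

/* Models the asynchronous DMA write that lands between check and use. Here it
 * is a deterministic callback so the two handler styles can be compared. */
typedef void (*dma_hook_t)(smi_request_t *shared);

static int in_allowed(const smi_request_t *r) {
    return r->offset >= ALLOWED_OFF && r->length <= ALLOWED_LEN &&
           r->offset + r->length <= ALLOWED_OFF + ALLOWED_LEN;
}

/* Vulnerable pattern: checks the shared buffer, then re-reads it when acting.
 * Returns -1 if rejected, 1 if the write stayed in the window, 0 if it escaped. */
int smi_handler_vulnerable(uint8_t *smram, smi_request_t *shared, dma_hook_t dma) {
    if (!in_allowed(shared)) return -1;                 /* time of check */
    if (dma) dma(shared);                               /* race window   */
    memset(smram + shared->offset, shared->value, shared->length); /* time of use */
    return in_allowed(shared);
}

/* Hardened pattern: snapshot the request into SMRAM-private storage first,
 * then validate and act only on the copy; later DMA writes cannot reach it. */
int smi_handler_hardened(uint8_t *smram, smi_request_t *shared, dma_hook_t dma) {
    smi_request_t local = *shared;                      /* copy before check */
    if (dma) dma(shared);                               /* same race window  */
    if (!in_allowed(&local)) return -1;
    memset(smram + local.offset, local.value, local.length);
    return 1;
}

/* Constructed DMA event: retarget the request at the protected region
 * (offset 0). Kept within SMRAM_SIZE so the model itself stays in bounds. */
void dma_retarget(smi_request_t *shared) { shared->offset = 0; shared->length = ALLOWED_LEN; }

/* Drives one handler with a well-formed request and an optional DMA event.
 * Cross-checks the handler's verdict against the buffer: byte 0 must stay 0. */
int run_scenario(int (*handler)(uint8_t *, smi_request_t *, dma_hook_t), dma_hook_t dma) {
    uint8_t smram[SMRAM_SIZE] = {0};
    smi_request_t shared = { ALLOWED_OFF, 8, 0xAA };
    int rc = handler(smram, &shared, dma);
    return (rc == 1 && smram[0] != 0) ? 0 : rc;
}
```

A real handler must additionally confirm that the shared buffer itself lies outside SMRAM before copying from it; that check is omitted from this model, which only isolates the check-then-use ordering.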

Intel VT and Intel VT-d processors include protection against DMA attacks based on the use of an IOMMU (Input Output Memory Management Unit), but this protection is effective at blocking hardware DMA attacks carried out with specially prepared devices, and does not protect against attacks via SMI handlers.

The vulnerability has been confirmed in firmware from Intel, Dell and Insyde Software (the issue is claimed to affect 8 manufacturers, but the other 5 have not been disclosed). Firmware from AMD, Phoenix and Toshiba is not affected by the problem.

Source: https://kb.cert.org/
