Product Security

In May 2019, Phoenix was contacted by researchers from Eclypsium about a security concern regarding our WinFlash and WinFlash32 drivers. Upon investigation, we found that some of the interfaces could be used in unintended ways, as described in the Eclypsium report. Phoenix began reworking the drivers to remove those interfaces.

In late June 2019, Phoenix made available to its customers the updated drivers signed with new certificates. In addition, we advised customers that prior certificates for these drivers would be revoked in early Austust.

The researchers at Eclypsium publicly disclosed their findings at DEC CON 27.

Phoenix would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on a coordinated disclosure.

CVE-2019-18279

On September 27, 2018, security researchers from ESET publicly disclosed the discovery of a UEFI rootkit named “LoJax” that was “found in the wild”. LoJax is installed by using OS-level tools to modify the UEFI platform firmware in the system’s SPI flash memory. The LoJax rootkit installs malicious code into the operating system that allows a remote attacker to gain access to the system without the user’s knowledge.

Phoenix UEFI firmware provides protection against the LoJax attack by locking the SPI flash memory and implementing additional protections against the bypass mechanism described in the ESET public disclosure. We work closely with our valued customers and authorized distributors to help ensure their computing devices that include Phoenix UEFI firmware are safeguarded.

You may notice that the ESET whitepaper references an early version of Absolute Software Corporation’s anti-theft solution, Computrace (or LoJack small agent), and includes an image from a Lenovo ThinkPad laptop. Please note that LoJax is not an attack against Computrace, and the ThinkPad image was used to provide context for describing the legitimate Computrace component. Indeed, the researchers have named the rootkit “LoJax” because it uses a maliciously modified version of the Computrace OS agent software (also called LoJack small agent) to bypass OS-level anti-malware detection.

End users should also note that Secure Boot does not protect against LoJax, as previously stated in the first iteration of the ESET public disclosure. Phoenix recommends applying all firmware updates provided by your computing device manufacturer.

On March 13, 2018, security researchers from CTS Labs publicly disclosed vulnerabilities discovered in certain AMD silicon, named MASTERKEY, RYZENFALL, FALLOUT, and CHIMERA. Phoenix’s UEFI firmware is not vulnerable to these attacks. Rather, attackers can take advantage of current designs in the AMD silicon to circumvent certain security controls and inject malware.

AMD has completed an assessment of the threats and provided a response regarding potential impacts and mitigation plans as stated on AMD’s corporate community blog. In short, AMD has determined that exploiting these vulnerabilities requires “administrative access to the system”, and that this level of access would provide an attacker with “a wide range of attacks well beyond the exploits identified” by CTS Labs. Nevertheless, the impact of a successful attack is a concern.

These vulnerabilities can be mitigated with a patch through a UEFI firmware update. Phoenix is working closely with AMD to deliver the relevant updates to our valued customers and authorized distributors as they are made available to us. For devices that include Phoenix’s UEFI firmware, please apply updates immediately once the patch is available. For end users, Phoenix recommends applying all firmware updates provided by your computing device manufacturer.

CVE-2018-8930, CVE-2018-8931, CVE-2018-8932, CVE-2018-8933, CVE-2018-8934, CVE-2018-8935, CVE-2018-8936