The latest malware attack vector is the network interface card (NICs). According to a post at Gizmo’s Freeware, two separate presentations at the CanSecWest international security conference demonstrated exploits utilizing network cards. The article reports that both exploits focused on Broadcom (AVGO) NIC’s.
The post reports that in at least one of the demo’s the researcher used the Broadcom remote factory diagnostic mechanism to install custom firmware on the network card. The researcher used the compromised firmware to create a tunnel into the PC in such a way that packets sent via the tunnel were not visible to the system firewall. Using the network card’s access to memory, the attacker could then run whatever code he wanted.
HP uses the vulnerable NICs in PCs
HP (HPQ) uses the vulnerable Broadcom NICs in many PCs. In response, the HP Software Security Response Team has released a Security Bulletin (Document ID: c02048471) “HP Small Form Factor or Microtower PC with Broadcom Integrated NIC Firmware, Remote Execution of Arbitrary Code.” In the bulletin, HP says this information should be acted upon as soon as possible.
H
P has made softpaq SP47557 available to resolve the vulnerability. In the bulletin, HP says the following models contain the Broadcom Integrated NIC firmware
- HP Compaq 6005
- HP Compaq dc5700
- HP Compaq dc5750
- HP Compaq dc5850
- HP Compaq dc7600
- HP Compaq dx7200
- HP rp3000 Point of Sale System
- HP rp5700 Desktop PC
- HP rp5700 Point of Sale System
Rb-
This is a new hole, not a new attack. The premise appears to be poor design. Why would a manufacturer leave “the remote factory diagnostic mechanism enabled.” The article goes on to say that, ”by default, the remote factory diagnostic mechanism (ASFor Alert Standard Format 2.0) is normally turned off.” That’s a good thing unless it’s not then you got troubles.
This technique would allow a very low-level attack that is not visible to traditional desktop security software. The network security devices would have to pick up the threat and not desktop security software. This also proves the case for good asset management, I can think of one client who has 80+ of the HP 5700’s distributed at 80+ sites without a management tool such as Intel’s vPro to push these low-level updates to PC’s. There is no telling if these PCs will ever get patches unless Microsoft adds it Windows Update.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.