Pulse and Supermicro had released an advisory and warns the users that few motherboards of the organization may be vulnerable to TrickBot malware’s UEFI firmware that targeted the entire module.

How this Started?

In 2020, the security firms named Advanced Intelligence and Eclypsium also published a joint report related to this new malware that targets the TrickBoot module which is delivered by TrickBoot malware.

Once the module is executed it will analyze the device that consists of UEFI firmware and verified the write protection disabled. In case the malware is capable to erase, read and write the firmware.

This action authorizes the malware to perform multiple malicious activities that deal with bricking a device, bypassing an operating system security tool, or retargeting the system after reset.

While verifying that UEFI BIOS write protection is enabled then the module uses the RwDrv.sys drivers from RWEverything utility.

“All the requests that UEFI firmware stored in the SPI flash chip that does through with the SPI controller, which is the part of Platform Controller Hub (PCH) on Intel platforms. The SPI controller deals with access control mechanisms and gets locked during the boot process while preventing the unauthorized modification of UEFI firmware that was stored in the SPI flash memory.

However, the Modern systems are intended and enabled these bios while writing the protections and prevent the firmware from further modifications; since these protections are not enabled or misconfigured. In case the BIOS is not write-protected then the hackers can easily able to edit the firmware or they can delete the data completely.

This malware can examine the device firmware which is currently restricted to some Intel platforms like Kaby Lake, Coffee lake, Sky Lake, and Comet Lake.

What Advisories Includes?

The advisory released today that issues the warning that X10 UP motherboards are vulnerable to the TrickBoot malware that released a serious BIOS update and enabled write protection.

The organization Supermicro is already aware of this Trickboot issued, first identified while setting a subset of the X10 UP motherboards. Now the organization is working to provide a resolution for this vulnerability and the organization also shared the serial no of motherboards that may consist of the vulnerabilities.

The vulnerable X10 UP-series (“Denlow“) motherboards are listed below.

1. X10SLH-F (will EOL on 3/11/2021)
2. X10SLL-F (EOL’ed since 6/30/2015)
3. X10SLM-F (EOL’ed since 6/30/2015)
4. X10SLL+-F (EOL’ed since 6/30/2015)
5. X10SLM+-F (EOL’ed since 6/30/2015)
6. X10SLM+-LN4F (EOL’ed since 6/30/2015)
7. X10SLA-F (EOL’ed since 6/30/2015)
8. X10SL7-F (EOL’ed since 6/30/2015)
9. X10SLL-S/-SF (EOL’ed since 6/30/2015)

Summering Up

Whereas, the organization also released an update named BIOS version 3.4 to fix this issue and this fix is released for the X10SLH-F motherboard only. Users also contact the organization to get the new BIOS in case their motherboards have reached the end.

Pulse Secure also released an advisory that followed Pulse Secure Appliance 5000 (PSA-5000) and Pulse Secure Appliance 7000 (PSA-7000) devices that run on the Supermicro motherboard.

Pulse released a BIOS patch update for devices that are connected or running with Pulse Connect Secure or Pulse Policy Secure. Pulse One (On-Prem Appliance Only) users will have to wait for a long period while getting the update.

The organization also advised the users to apply and update the patch that will reboot the device.