Eclypsium’s security researchers discovered an unpatched weakness in Microsoft’s Windows Platform Binary Table (WPBT). The issue, which has affected every Windows-based system since Windows 8, may be used to implant a rootkit and compromise device integrity. These vulnerabilities leave every Windows machine exposed, making it easy for threat actors to craft attacks that install fake vendor-specific tables.
Researchers from Eclypsium stated in a report released recently that “these vulnerabilities render any Windows machine susceptible to easily-crafted cyberattacks that install fake vendor-specific tables.” Attackers with physical access, remote access, or a foothold in the manufacturer’s supply chain could all abuse these tables. Because ACPI and WPBT are so widely required, these motherboard-level vulnerabilities may undermine efforts such as Secured-core PCs.
The OEM Rootkit (WPBT) –
The Windows Platform Binary Table (WPBT) is an ACPI table first introduced in Windows 8. Where ACPI aims to give the OS greater control over the platform, WPBT gives the firmware a foothold in the OS.
In other words, it lets PC makers reference signed portable executable code, or other vendor-specific drivers, embedded in the UEFI firmware ROM image, so that it is copied into main memory at Windows startup and executed before operating system code runs.
The primary goal of WPBT is to keep essential functions such as anti-theft software working even after the OS has been changed, formatted, or reinstalled. However, because the feature lets such software “stay on the device forever,” Microsoft has cautioned that abuse of WPBT may create security concerns, such as the deployment of rootkits on Windows PCs. Because this capability allows system software to run persistently in the context of Windows, it is essential that WPBT-based solutions be as secure as possible and not expose Windows users to exploitable conditions.
This feature was created to allow OEMs to provide the following features:-
- Important documents
- The system’s executables
Because it does not require modifying the Windows image on disk, this technique has been adopted by several manufacturers, including Lenovo, ASUS, and others.
WPBT uses and the technique through which it could be abused –
Following the conclusion of the study, the analysts released details of BIOSDisconnect in June, a set of related vulnerabilities that allowed them to obtain remote code execution within a device’s firmware. The most intriguing and crucial aspect of this attack is that it can be carried out on the most current and secure Dell systems, including Secured-core PCs. Not only that, but the attackers could install their own custom DXE drivers, which also handle numerous boot-related tasks, while compromising the firmware update process.
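To make the mechanism described above concrete, here is an added Python example that is not part of the original article or of Eclypsium’s research. It builds a constructed sample WPBT table and parses it: the standard 36-byte ACPI header, then the WPBT-specific fields (the size and physical address of the hand-off memory holding the platform binary, the content layout, the content type, and a UTF-16LE command line). The field layout is taken from the published WPBT specification as understood by the author of this example, and the OEM identifiers in the sample are placeholders, not a real vendor’s. A forensic tool that dumps the live table (on Windows, the kernel32 GetSystemFirmwareTable API with the ACPI provider returns it) could pass the raw bytes to parse_wpbt to record where the firmware-supplied binary is loaded from and what command line it receives.

```python
import struct

# Standard 36-byte ACPI System Description Table header:
# Signature, Length, Revision, Checksum, OEMID, OEM Table ID,
# OEM Revision, Creator ID, Creator Revision
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9  # the checksum byte sits after Signature+Length+Revision

# WPBT-specific fields that follow the header (layout per the WPBT spec,
# assumed here): Handoff Memory Size (u32), Handoff Memory Location (u64
# physical address), Content Layout (u8, 1 = single PE image), Content Type
# (u8, 1 = native user-mode application), Command Line Arguments Length
# (u16, in bytes, including the UTF-16 NUL terminator)
WPBT_FIELDS = struct.Struct("<IQBBH")

CONTENT_LAYOUTS = {1: "single PE image"}
CONTENT_TYPES = {1: "native user-mode application"}


def acpi_checksum_ok(table: bytes) -> bool:
    """All bytes of an ACPI table, checksum byte included, sum to 0 mod 256.
    This is a consistency check only, not a security control: a forged table
    can carry a perfectly valid checksum."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table into its fields, rejecting malformed input."""
    if len(table) < ACPI_HEADER.size + WPBT_FIELDS.size:
        raise ValueError("table too short to be a WPBT")
    (sig, length, _revision, _chk, oem_id, oem_table_id,
     _oem_rev, _creator_id, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("header length does not match buffer length")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch (table corrupted or truncated)")
    (handoff_size, handoff_addr, layout, ctype,
     args_len) = WPBT_FIELDS.unpack_from(table, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_FIELDS.size
    if args_off + args_len > len(table):
        raise ValueError("command line runs past end of table")
    args = table[args_off:args_off + args_len].decode("utf-16-le").rstrip("\x00")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip(),
        "handoff_size": handoff_size,
        "handoff_addr": handoff_addr,
        "content_layout": CONTENT_LAYOUTS.get(layout, f"unknown ({layout})"),
        "content_type": CONTENT_TYPES.get(ctype, f"unknown ({ctype})"),
        "command_line": args,
    }


def is_valid_wpbt(table: bytes) -> bool:
    """True when the buffer parses as a structurally consistent WPBT."""
    try:
        parse_wpbt(table)
        return True
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        return False


def build_sample_wpbt(handoff_addr: int, handoff_size: int, args: str) -> bytes:
    """Constructed sample table; the OEM strings are placeholders, not a real vendor."""
    args_bytes = (args + "\x00").encode("utf-16-le")
    body = WPBT_FIELDS.pack(handoff_size, handoff_addr, 1, 1, len(args_bytes)) + args_bytes
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"SAMPLETB", 1, b"SMPL", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF  # make all bytes sum to zero
    return bytes(table)


if __name__ == "__main__":
    sample = build_sample_wpbt(0x7F000000, 0x10000, "/quiet")
    for key, value in parse_wpbt(sample).items():
        print(f"{key:>15}: {value:#x}" if isinstance(value, int) else f"{key:>15}: {value}")
```

The checks in parse_wpbt only establish that a table is well formed; they say nothing about whether the binary at the hand-off address is legitimate, which is exactly the gap the article describes. The useful defensive output is the record itself: the hand-off address, content type and command line of whatever the firmware hands to Windows, kept alongside the Authenticode status of the binary found there.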
Attack vectors and scenarios –
While it is critical to understand that this vulnerability may be exploited in a variety of ways, any technique that can write to the RAM in which the ACPI tables are stored may be used for this kind of attack. According to the firmware security company, the WPBT mechanism will accept a signed binary even when its certificate has been revoked or has expired, which completely bypasses the integrity check: an attacker can sign a malicious binary with an already available expired certificate and run code with kernel privileges each time the device boots.
There are many attack vectors, which we have listed below:-
- An attacker with physical access
- A remote attacker
- A supply-chain attack
Impact of such attacks –
According to Microsoft, customers should use Windows Defender Application Control (WDAC) to restrict what is allowed to run on their devices. This flaw may be exploited in a variety of ways and with a variety of methods. To ensure that all available patches are applied and any possible device compromise is identified, organizations will need to examine these vectors and take a layered approach to security.
Customers can additionally mitigate this problem because WDAC policy is applied to binaries included in the WPBT. Microsoft also advises customers to adopt a WDAC policy that is as restrictive as possible for their particular environment. Organizations must pay close attention to this kind of attack, since it is very hazardous and may result in significant losses. The fact that it may be abused in various ways is the most significant factor that makes it hazardous.