Details of VAR-201706-0589

ID

VAR-201706-0589

CVE

CVE-2017-8083

TITLE

BIOS 2017-05-21 Less than CompuLab Intense PC and MintBox 2 Vulnerability to install firmware rootkit on devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-004688

DESCRIPTION

CompuLab Intense PC and MintBox 2 devices with BIOS before 2017-05-21 do not use the CloseMnf protection mechanism for write protection of flash memory regions, which allows local users to install a firmware rootkit by leveraging administrative privileges. CompuLabIntensePC and MintBox2 are mini PC devices from CompuLab, Israel. The BIOS is an application on a ROM chip. A BIOS permission vulnerability exists in CompuLabIntensePC and MintBox2 versions prior to BIOS2017-05-21. The vulnerability stems from the program failing to implement write protection using the CloseMnf protection mechanism for the flash region. Credits: Hal Martin Website: watchmysys.com Source: https://watchmysys.com/blog/2017/06/cve-2017-8083-compulab-intensepc-lacks-bios-wp/ Vendor: ==================== CompuLab (compulab.com) Product: ==================== Intense PC / MintBox 2 Vulnerability type: ==================== Write-protection not enabled on system firmware CVE Reference: ==================== CVE-2017-8083 Summary: ==================== Since 2013 CompuLab manufactures and sells the IntensePC/MintBox 2, which is a small Intel-based fanless PC sold to end-users and industrial customers. It was discovered that in the default configuration write-protection is not enabled for the BIOS/ME/GbE regions of flash. CompuLab have created a patch to resolve the issue, however they have not yet released the patch publicly. This vulnerability is being published as the 90 day disclosure deadline has been reached. Affected versions: ==================== All firmware versions since product release (latest public firmware is 21 June 2016) Attack Vector: ==================== An attacker tricks the user into running a malicious executable with local administrator privileges, which updates the system firmware to include the attacker's code. Proof of concept: ==================== I have created a modified firmware update which replaces the stock UEFI shell with the UEFI shell from EDK2. The update can be flashed from within Windows without any user interaction or notification. Firmware updates are not signed by CompuLab or verified by the existing firmware before upgrade. The modified update can be downloaded here: https://watchmysys.com/blog/wp-content/uploads/2017/06/update-IPC-20160621-edk2.zip Details of the full proof of concept can be found at the Source link above. Disclosure timeline: ==================== 1 March 2017: Vulnerability is reported to CompuLab via their support email address 2 March 2017: CompuLab replies they will create a beta BIOS to address the vulnerability 6 March 2017: I request a timeline to fix the issue 7 March 2017: CompuLab replies they will create a beta BIOS for testing and they awill provide an official public release in the futurea 8 March 2017: CompuLab replies with instructions to run closemnf via the Intel FPT tool 8 March 2017: I inform CompuLab I am waiting for the official BIOS update to resolve the issue 8 March 2017: CompuLab replies with copy of Intel FPT tool and requests anot to publish or disclose this informationa 8 March 2017: CompuLab is informed that details of the vulnerability will be published on 4 June 2017 23 April 2017: Issue is reported to MITRE 24 April 2017: Vulnerability is assigned CVE-2017-8083 3 May 2017: CompuLab communicates that they will delay fixing this vulnerability until Intel provides an updated ME firmware to address CVE-2017-5689 4 May 2017: I inform CompuLab that details of this vulnerability will be published on 4 June 2017 as previously discussed 11 May 2017: CompuLab sends a proposed fix for testing, the update script fails due to invalid command syntax for flashrom 14 May 2017: I inform CompuLab of the invalid syntax and provide the correct usage, and confirm that the fix enables write-protection on the ME/BIOS/GbE regions of flash 15 May 2017: CompuLab replies with a revised update script 15 May 2017: I inform CompuLab that the syntax of the revised script is correct, however my unit has already been updated so I cannot re-test 4 June 2017: Details of the vulnerability are published

Trust: 2.34

sources: NVD: CVE-2017-8083 // JVNDB: JVNDB-2017-004688 // CNVD: CNVD-2017-11309 // VULHUB: VHN-116286 // PACKETSTORM: 142815

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-11309

AFFECTED PRODUCTS

vendor:	compulab	model:	intense pc	scope:	lte	version:	cr_2.2.0.400.2	Trust: 1.0
vendor:	compulab	model:	mintbox 2	scope:	lte	version:	cr_2.2.0.400.2	Trust: 1.0
vendor:	compulab	model:	intense pc	scope:	-	version:	-	Trust: 0.8
vendor:	compulab	model:	mintbox 2	scope:	-	version:	-	Trust: 0.8
vendor:	compulab	model:	mintbox	scope:	eq	version:	2<2017-05-21	Trust: 0.6
vendor:	compulab	model:	intense pc	scope:	lt	version:	2017-05-21	Trust: 0.6
vendor:	compulab	model:	mintbox 2	scope:	eq	version:	cr_2.2.0.400.2	Trust: 0.6
vendor:	compulab	model:	intense pc	scope:	eq	version:	cr_2.2.0.400.2	Trust: 0.6

sources: CNVD: CNVD-2017-11309 // JVNDB: JVNDB-2017-004688 // CNNVD: CNNVD-201704-1168 // NVD: CVE-2017-8083

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-8083
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-8083
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-11309
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201704-1168
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-116286
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-8083
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-11309
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-116286
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-8083
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-11309 // VULHUB: VHN-116286 // JVNDB: JVNDB-2017-004688 // CNNVD: CNNVD-201704-1168 // NVD: CVE-2017-8083

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.1
problemtype:	CWE-254	Trust: 0.9

sources: VULHUB: VHN-116286 // JVNDB: JVNDB-2017-004688 // NVD: CVE-2017-8083

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201704-1168

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201704-1168

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004688

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-116286

PATCH

title:	Top Page	url:	http://www.compulab.com/	Trust: 0.8
title:	Patch for CompuLabIntensePC and MintBox2BIOS Permission Vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/96412	Trust: 0.6
title:	CompuLab Intense PC and MintBox 2 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99757	Trust: 0.6

sources: CNVD: CNVD-2017-11309 // JVNDB: JVNDB-2017-004688 // CNNVD: CNNVD-201704-1168

EXTERNAL IDS

db:	NVD	id:	CVE-2017-8083	Trust: 3.2
db:	JVNDB	id:	JVNDB-2017-004688	Trust: 0.8
db:	CNNVD	id:	CNNVD-201704-1168	Trust: 0.7
db:	CNVD	id:	CNVD-2017-11309	Trust: 0.6
db:	PACKETSTORM	id:	142815	Trust: 0.2
db:	VULHUB	id:	VHN-116286	Trust: 0.1

sources: CNVD: CNVD-2017-11309 // VULHUB: VHN-116286 // JVNDB: JVNDB-2017-004688 // PACKETSTORM: 142815 // CNNVD: CNNVD-201704-1168 // NVD: CVE-2017-8083

REFERENCES

url:	https://watchmysys.com/blog/2017/06/cve-2017-8083-compulab-intensepc-lacks-bios-wp/	Trust: 2.6
url:	http://seclists.org/fulldisclosure/2017/jun/6	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8083	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8083	Trust: 0.8
url:	https://watchmysys.com/blog/wp-content/uploads/2017/06/update-ipc-20160621-edk2.zip	Trust: 0.1

sources: CNVD: CNVD-2017-11309 // VULHUB: VHN-116286 // JVNDB: JVNDB-2017-004688 // PACKETSTORM: 142815 // CNNVD: CNNVD-201704-1168 // NVD: CVE-2017-8083

CREDITS

Hal Martin

Trust: 0.1

sources: PACKETSTORM: 142815

SOURCES

db:	CNVD	id:	CNVD-2017-11309
db:	VULHUB	id:	VHN-116286
db:	JVNDB	id:	JVNDB-2017-004688
db:	PACKETSTORM	id:	142815
db:	CNNVD	id:	CNNVD-201704-1168
db:	NVD	id:	CVE-2017-8083

LAST UPDATE DATE

2025-04-20T23:35:49.547000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-11309	date:	2017-06-26T00:00:00
db:	VULHUB	id:	VHN-116286	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2017-004688	date:	2017-07-05T00:00:00
db:	CNNVD	id:	CNNVD-201704-1168	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-8083	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-11309	date:	2017-06-26T00:00:00
db:	VULHUB	id:	VHN-116286	date:	2017-06-06T00:00:00
db:	JVNDB	id:	JVNDB-2017-004688	date:	2017-07-05T00:00:00
db:	PACKETSTORM	id:	142815	date:	2017-06-05T03:01:11
db:	CNNVD	id:	CNNVD-201704-1168	date:	2017-04-25T00:00:00
db:	NVD	id:	CVE-2017-8083	date:	2017-06-06T14:29:01