Intel Confirms UEFI Source Code Leak as Security Experts Raise Concerns


Intel has confirmed that some of its UEFI source code has been leaked, and while some security experts believe the incident could have serious implications, the chipmaker says it's not concerned.

Last week, someone announced that they had leaked source code associated with the Alder Lake BIOS; Alder Lake is Intel’s codename for its 12th generation Core processors. The files total nearly 6 Gb and were made public on GitHub and other websites.

Mark Ermolov, a security researcher who specializes in Intel products, analyzed the leaked code and reported finding a private signing key which, he claimed, meant the Intel Boot Guard feature, which is designed to protect the integrity of the boot process, could no longer be trusted.

Intel has confirmed the unauthorized disclosure of proprietary UEFI code and blamed the leak on an unnamed third party.

“Intel does not believe this exposes, or creates, any new security vulnerabilities as we do not rely on obfuscation of information as a security measure,” the tech giant told SecurityWeek.

“This code is covered under Intel Bug Bounty Program within a Project Circuit Breaker campaign, and we encourage any security researchers who may identify potential vulnerabilities to bring them to our attention through this program or our vulnerability disclosure program. We are reaching out to customers, partners and the security research community to keep them informed of this situation,” Intel added.

Hong Kong-based cybersecurity firm Hardened Vault has analyzed the leak and reported that the code was written by Insyde, a company that provides UEFI firmware and engineering services.

In the past, researchers warned that vulnerabilities affecting Insyde UEFI firmware code had impacted millions of devices, including devices from major vendors such as HP, Lenovo, Fujitsu, Microsoft, Intel, and Dell.

Evidence suggests that the leaked source code may have originated from China, specifically a company that manufactures Lenovo computers and tablets.

“We do not have a comprehensive review of the leaked content,” Hardened Vault said. “[An] attacker/bug hunter can hugely benefit from the leaks even if the leaked OEM implementation is only partially used in the production. Insyde’s solution can help security researchers, bug hunters (and the attackers) find the vulnerability and understand the result of reverse engineering easily, which adds up to long-term high risk to the users.”


By Eduard Kovacs on Tue, 11 Oct 2022 12:04:24 +0000