By Deeba Ahmed
ESET assigned the vulnerability a CVSS score of 8.1 and tracked it as CVE-2022-4020.
This is a post from HackRead.com Read the original post: Acer Laptop Vulnerability Allows Malware Infection During Secure Boot

Cybersecurity firm ESET’s researchers have identified a vulnerability affecting Acer laptops. The bug isn’t new, as ESET already discovered it affecting Lenovo models, whereas this time, it is impacting several models of **Acer laptops**.

Lenovo fixed the issue and **published** a technical advisory. However, the bug allows attackers to install malware on the device by letting them disable Secure Boot and bypass security mechanisms.

**Vulnerability Details**

ESET assigned the vulnerability a CVSS score of 8.1 and tracked it as **CVE-2022-4020**. It was discovered in the HQSwSmiDxe DXE driver that checks the ‘BootOrderSecureBootDisable’ NVRAM variable for deactivating UEFI (Unified Extensible Firmware Interface) Secure Boot.

> In addition to #Lenovo vulnerabilities we disclosed earlier this month, we discovered another similar vulnerability in #Acer laptops. Same as in Lenovo case, it allows deactivating UEFI Secure Boot by creating NVRAM variable directly from OS. @smolar\_mhttps://t.co/zsDjKGIAjQ 1/3
> 
> — ESET research (@ESETresearch) November 28, 2022

Disabling this feature lets the attacker load their “own unsigned malicious bootloader” so as to gain complete control over the OS loading procedure. Moreover, they can bypass or disable protections to discreetly install malicious payloads, ESET **advisory** read.

“Vulnerability in the HQSwSmiDxe DXE driver on some consumer Acer Notebook devices may allow an attacker with elevated privileges to modify UEFI Secure Boot settings by modifying an NVRAM variable,” researchers explained. NVRAM refers to non-volatile random-access memory variables.

**Acer’s Explanation**

For your information, UEFI is responsible for kickstarting a computer’s hardware while the OS loads. The Secure Boot process has to ensure that malicious code doesn’t get loaded when the device is booting.

On November 23rd, 2022, Acer **explained** that the bug lets the attacker tamper with this mechanism’s settings by creating NVRAM variables. This happens because the firmware driver just checks for the variables’ presence and not their actual value.

At least five models of Acer computers are impacted by this bug, including A315-22, A115-21, A315-22G, Extensa EX215-21, and EX215-21G. Acer is currently trying to resolve the issue with a BIOS update, which will be posted on its **Support site** soon and will be included as a **Critical Windows Update**. The company recommends users update to the latest BIOS version.

Acer Laptop Vulnerability Allows Malware Infection During Secure Boot

The new Microsoft Defender for Endpoint capabilities include built-in protection and scanning network traffic for malicious activity.

Microsoft has announced several new capabilities for Microsoft Defender. The new features will protect devices from advanced attacks and emerging threats, the company said on Monday.

**Security Enabled by Default**

Built-in protection is generally available for all devices using Microsoft Defender for Endpoint, according to Microsoft.

Built-in protection is a set of default security settings for Microsoft's endpoint security platform to protect devices from ransomware attacks and other threats. Tamper protection, which detects unauthorized changes being made to security settings, is the first default setting being enabled, according to a Microsoft 365 knowledgebase article. Tamper protection prevents unauthorized users and malicious actors from making changes to security settings for real-time and cloud-delivered protection, behavior monitoring, and antivirus.

Microsoft enabled tamper protection by default for all customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses last year.

Enterprise administrators have the ability to customize built-in protection, such as setting tamper protection for some but not all devices, toggling protection on or off on an individual device, and temporarily disabling the setting for troubleshooting purposes.

**Zeek Comes to Defender**

Microsoft also partnered with Corelight to add Zeek integration to Defender for Endpoint, helping to reduce the time required to detect network-based threats. With Zeek, an open source tool that monitors network traffic packets to uncover malicious network activity, Defender can scan inbound and outbound traffic. The Zeek integration also allows Defender to detect attacks on nondefault ports, show alerts for password spray attacks, and identify network exploitation attempts such as PrintNightmare.

"The integration of Zeek into Microsoft Defender for Endpoint provides a powerful ability to detect malicious activity in a way that enhances our existing endpoint security capabilities, as well as enables a more accurate and complete discovery of endpoints & IoT devices," Microsoft stated.

Zeek won't replace traditional network detection and response technology, as it is designed to act as a complementary data source providing network signals. "Microsoft recommends that security teams combine both data sources — endpoint for depth, and network for breadth — to gain full visibility across all parts of the network," the company said.

**Detect Firmware Vulnerabilities**

Related, Microsoft provided some more details on the Microsoft Defender Vulnerability Management service, which is currently available under public preview. When it becomes publicly available, the service will be sold as a standalone product and as an add-on to Microsoft Defender for Endpoint Plan 2.

The Microsoft Defender Vulnerability Management now can assess the security of the device's firmware and report if the firmware is missing security updates to fix vulnerabilities. IT pros will also get "remediation instructions and recommended firmware versions to deploy," according to a Microsoft article on the vulnerability management service.

The hardware and firmware assessment will display a list of hardware and firmware in devices across the enterprise; an inventory of systems, processors, and BIOS used; and the number of weaknesses and exposed devices, Microsoft said. The information is based on security advisories from HP, Dell, and Lenovo and relates to processors and BIOS only.

Microsoft Defender Gets New Security Protections

Organizations must be prepared to root out bad actors by any means possible, even if it means setting traps and stringing lures.

As software supply chain attacks increase, cybersecurity talent wanes, and alert fatigue leads to burnout, an always-on, defense-first mentality will no longer suffice. While many defense strategies aim for zero incidents across an entire network, it's time to reevaluate that thinking. Take a page out of the bad actors' book by implementing new strategies that ensure fast detection and intelligence collection.

Enter cyber deception. Cyber deception is a proactive cyber defense methodology that, when executed well, puts the defender in the driver's seat. It enables defenders to lead the attacker and gather intelligence about the adversary's tools, methods, and behaviors via a system of honeypots, lures, tripwires, and much more. It is a strategy that cyber professionals deploy to gain the upper hand in operations against attackers, decreasing dwell time, obtaining valuable cyber threat intel, and mitigating data loss.

However, people oftentimes have a hard time grasping how cyber deception is going to assist them. The word "deception" has a negative connotation, making cyber professionals unclear about how effective it can really be. But organizations must accept that the cyber process is quickly shifting to be more proactive. Playing catch-up is no longer an option.

Understanding who benefits most from cyber deception, knowing the skill sets and technologies that must be applied throughout, and learning how organizations can successfully deploy this defense mechanism are crucial steps to getting started.

**Who Benefits Most**

The most frequently asked question is who will benefit from cyber deception — and who won't. When it comes to knowing whether your organization is up for the task, first consider your environment. If you have existing cybersecurity solutions, such as endpoint detection and response (EDR) and security operations centers (SOCs), systems that require high-fidelity alerting, or robust threat intelligence capabilities that can conduct analysis, produce reports, and shape public security postures, you're a good candidate.

However, deception will never be an effective solution for a team that does not have the resources to address alerts in a timely manner. It is meant to give the defenders an opening by producing high-fidelity alerts on top of existing solutions; without the proper staffing, these alerts become useless. Cyber deception would be inappropriate for even a large enterprise environment if it doesn't have a dedicated team to help manage the deception.

**What Skill Sets and Technologies Are Required**

Staffing a highly skilled and experienced team, with a breadth of experience working in blue team/red team scenarios, is key. Adequate training helps these teams deploy high-interaction decoys, lures, and services that will truly entice threat actors. For an even stronger approach, having logging/alerting solutions that help them respond to these "tripwires" in a timely manner will make all the difference.

On the technology front, honeypots, breadcrumbs, lures, and canary tokens are all crucial tools to trip high-fidelity alerts that identify threat actors. These deception tactics work by simulating critical infrastructures, services, and configurations so attackers can interact with these false IT assets. This effectively increases the cost of an attack.

However, these techniques can present logistical deployment issues and challenges. They are difficult to distribute widely and require significant resources to maintain and implement, so security teams can usually only deploy a limited number. That means, at times, there are not enough tools and resources to effectively detect cyber threats as a method of moving-target defense.

**How to Deploy Cyber Deception Successfully**

To deploy cyber deception using a commercially available product, it is important to start with a plan that considers what comes with the product. From there, you should:

*   Take time to fully understand the product in place, establishing what it can and cannot do. After an initial pilot, prioritize a strategy around your high-value assets first if your organization is ill-prepared for an enterprise deployment.
*   Ensure that your staff is fully trained on the platform well in advance of the actual product deployment. They must be prepared to fuse this actionable data into routine SOC operations.
*   Identify and understand where within your environment stakeholders are comfortable using these deception products. If your CISO is not comfortable with a robust deception strategy, consider at least seeding false administrative credentials to defend against that common threat vector.

And if you don't want to use a commercially available product? The deployment plan would include similar preparation as the items outlined above, replacing the product with in-house experience and tools. These steps should include but are not limited to:

*   Develop the servers, services, and shares in a manner that is enticing to an attacker while also being able to alert immediately when they are interrogated.
*   Deploy and manage multiple sensors to feed back to an operations center.
*   Train and enable network defenders to be able to respond to these threats in a timely manner.

Without a framework, threat actors can easily work their way around a cyber deception plan, likely giving them the upper hand in such a time-sensitive environment.

Cyber deception tactics, techniques, and procedures (TTPs) have been around for quite some time, but they have recently gained mainstream attention because they can assist in credential compromise detection in zero-trust approaches. Deception technology will likely become more commonplace as an effective tool to complement existing defenses and tactics; however, the proper education, skill sets, and training are needed to make it a formidable defense mechanism for cyber generations to come.

How to Use Cyber Deception to Counter an Evolving and Advanced Threat Landscape

The vulnerability, disclosed In October, gives an unauthenticated attacker a way to take control of an affected product.

Fortinet customers that have not yet patched a critical authentication bypass vulnerability that the vendor disclosed in October in multiple versions of its FortiOS, FortiProxy, and FortiSwitch Manager technologies now have an additional reason to do so quickly.

At least one threat actor, operating on a Russian Dark Web forum, has begun selling access to multiple networks compromised via the vulnerability (CVE-2022-40684), and more could follow suit soon. Researchers from Cyble who spotted the threat activity described the victim organizations as likely using unpatched and outdated versions of FortiOS.

**Selling Access to Compromised Networks**

Dhanalakshmi PK, senior director of malware and research intelligence at Cyble, says the company's available intelligence indicates the threat actor might have access to five major organizations via the vulnerability. Cyble's analysis showed the attacker attempting to add their own public key to the admin user's account on the compromised systems.

"An attacker can update or add a valid public SSH key to a targeted account on a system and can then typically gain complete access to that system," Dhanalakshmi says. "Additionally, the threat actor could launch other attacks against the rest of the IT environment with the foothold and knowledge gained through exploiting this vulnerability."

Cyble said a scan it conducted showed more than 100,000 Internet-exposed FortiGate firewalls, a substantial number of which are likely exploitable because they remain unpatched against the vulnerability

Fortinet publicly disclosed CVE-2022-40684 on Oct. 10, a few days after privately notifying customers of affected products about the threat. The vulnerability essentially gives an unauthenticated attacker a way to gain full control of an affected Fortinet product by sending it specially crafted HTTP and HTTPS requests. Security researchers have described the vulnerability as easy to find and trivial to exploit because all that an attacker needs to do is gain access to the management interface of a vulnerable system.

**Popular Target for Attackers**

When Fortinet disclosed the vulnerability, it urged customers to immediately update to patched versions of the affected products and warned of active exploit activity targeting the flaw. It also urged companies that could not update to immediately disable HTTPS administration on their vulnerable Internet-facing Fortinet products. The US Cybersecurity and Infrastructure Security Agency (CISA) promptly listed the flaw its catalog of known exploited vulnerabilities and gave federal civilian agencies until Nov. 1, 2022, to address the issue.

Much of the concern stemmed from the popularity of Fortinet products — and technologies from other vendors in the same network edge category — among threat actors. Soon after Fortinet disclosed the flaw, proof-of-concept code for exploiting it became publicly available, and security vendors reported large-scale scanning activity targeting the flaw. The number of unique IP addresses targeting the flaw soared in a matter of days from the single digits to more than 40.

And that number has grown. James Horseman, exploit developer at Horizon3ai, a security vendor that did much of the initial research around the vulnerability, says the number of unique IPs currently targeting the Fortinet flaw has risen to 112, according to data from GreyNoise, which tracks malicious scanning activity on the Internet.

"These Fortinet devices are typically Internet-facing for corporations and are seldom monitored," adds Zach Hanley, chief attack engineer at Horizon3ai. "This combination makes it great for sustained initial access into a network for threat actors who are looking to conduct reconnaissance, deploy ransomware, steal data, etc."

Threat actors have hammered away in similar fashion at other Fortinet flaws for the same reason. Notable examples include CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591, a set of three flaws that Iran-backed threat groups were observed exploiting in numerous attacks. In April 2021, the FBI and CISA warned of other advanced persistent threat groups exploiting the same set of flaws in attacks against organizations in the US and elsewhere.

.

Cyberattackers Selling Access to Networks Compromised via Recent Fortinet Flaw

Beverage of Choice: Krating Daeng (Thai Red Bull) Industry Influencer he Admires: Casey John Ellis What did you want to be when you grew up? A physician and nearly did Hobbies (Present & Past): Motorcycling & Australian Football Bucket List: Continuing to discover new software Fun Fact: He currently has 2,000 tabs open “People keep …
  A Ride on the Wild Side with Hacking Heavyweight Sick Codes Read More »

**Beverage of Choice:** _Krating Daeng (_Thai Red Bull)

**Industry Influencer he Admires:** Casey John Ellis

**What did you want to be when you grew up?** A physician and nearly did

**Hobbies (Present & Past):** Motorcycling & Australian Football

**Bucket List:** Continuing to discover new software

**Fun Fact:** He currently has 2,000 tabs open

> “People keep saying to me, ‘nah this is impossible…’. Then I’ll go do it anyway and be like alright, it’s actually possible.”

Roaring through the streets of Thailand helmetless on his motorcycle wearing nothing but shorts and sandals is the perfect depiction of the controlled chaos that is Sick Codes. Sick is an electric factory; his energy is unmatched and won’t go unnoticed. A man who is defined by living life on the edge, thinking outside of the box and some mighty impressive hacking!

It all began in Australia where he grew up. In the 3rd grade he got his hands on the classroom computer and proceeded to install the original Soldier of Fortune and other adult rated games, hiding them within thousands of folders to evade deletion. His inability to follow the rules got him banned from using the class computer, and such bans became a trend for Sick.

Fast forward to high school where he was up against a lifetime ban from eBay. Unphased and agitated, he stood up his own online stores and carried about his business, on his own. A rude awakening came his way in the form of “some nation state cyber army” carding at checkout on his stores, having one of his hundreds of sites defaced as a result. This would be the beginning of Sick’s security trajectory.  For him, the silver lining of getting hacked was a fire that ignited in him, a burning desire to uncover how things happen the way they do. This curiosity was now permanently engrained in his being, always reading between the lines, inspecting all software he uses, and rejecting the notion that something is impossible. The curiosity was so strong, Sick now devotes significant time discovering zero-day vulnerabilities in many software projects, including several Microsoft Azure Open-Source projects.

If you’ve met the man, you would never expect he wanted to pursue a relatively tame career path as an aspiring medical professional. However, unpredictable by nature, Sick seeks out excitement and prefers to live on the edge, or slightly over it.  Roughly 10 years ago Sick left his home country for the rest of the World.  He says he’s been to around 40 countries now, and his time in Sur America was his favorite, but also the furthest thing from tame, more like a blur of hedonism mixed with getting really, really good at code, computers, and attacking both of those. While wild, it was also formidable for his hacking career having committed 10-18 hours a day, sometimes up to 30 hours straight, racking up vulnerabilities and beginning to master the art of “cyber-warfare”.  Apart from offensive cyber security, he was also able to learn Spanish.

Wishing to remain anonymous and seemingly never in one place, it was about time his work put him on the map. Sick said the turning point in his career was when the acting secretary for Homeland Security gave him a ‘shout out’ for discovering large security holes in the Android TV manufacturer, TCL. The vulnerabilities he discovered in 2020 on the Android Smart TVs made him a mainstay, wreaking havoc in the field of security research.

Sick admittedly was not exactly an angel growing up, however he has now, “changed his ways” for the better. He now only performs good faith security research and is an approachable ethical hacker that provides resources for those who, like him, are also acting “in good faith”. Moreover, Sick helps co-maintain a Repositor_y of Legal Threats Against Security Researchers on GitHub_ with the goal of educating organizations on the benefits (and harsh realities) of ethical hacking, while helping researchers stay on the right side of the law. While a bit of a rebel, people respect his work and he’s built a vast community to show for it. 

Sick has what he describes as an innate obligation to show others the ropes, having once been reliant on free software. Now he is a stern advocate for free software and a well-rounded coder, with very large GitHub following, and throughout the security research community. His Docker-OSX open-source project on GitHub has nearly 25,000 stars, over 400,000 downloads, and he personally maintains another 20+ packages, with thousands of contributions, and counting. His influence continues on Twitter and Discord where he keeps other researchers on the edge of their seats awaiting his next major breakthrough and thousands of followers in the loop about his package updates, project developments, feedback, and support.

Not listening to others when told how to be or what to do, Sick embodies the mindset of a hacker. With some style points and a devilish grin on his face he is motivated to expose anything that isn’t right in the research space, targeting the most highly used products and industries. If your local McDonalds soft-serve machine is out of service, you may have a bone to pick with Sick. Microsoft made his hit list as well, and he is quickly moving up the MSRC 2022 Most Valuable Researcher (MVR) Azure Leaderboard with at least five valid vulnerability reports submitted in the past year, and achieving Top 10 positions for Azure Cloud security, which he says he is very proud of. The contributions don’t actually stop there, with dozens of newsworthy findings showcased on his website, and plenty more to come knowing Sick.

Speaking of… Sick stole the show at this year’s DefCon with his viral tractor hack. In his most notable exploit and demo yet, he broke into a widely used agricultural touch screen terminal, gaining root access, and eventually crafting a crude jailbreak that went absolutely viral. To top that off, he reconfigured the console to run a modified tractor-themed version of the 90’s shooter game Doom.  His passion is pushing computers to their limits, and there’s no denying that going against the grain was the right path for Sick. While the tables have turned, some things just never change.

A Ride on the Wild Side with Hacking Heavyweight Sick Codes

A lack of federal regulatory legislation leaves US privacy concerns to battle for attention with other business priorities.

Over the past 15 years, several events have reshaped how we think about data — what it means from a business perspective and what rights individuals have regarding how their personal information is used. Data security governance undoubtedly will play a large role in the future; however, conversations are still in relatively early stages. 

In 2016, when European regulators created the General Data Protection Regulation (GDPR) as a legislative framework that clearly mandates rules and fines, a fundamental shift occurred that elevated privacy to a board-level discussion. This resulted in CEOs taking part in the conversation while empowering the C-suite to make more decisions. 

Next, the data culture quickly evolved from one of implicit trust (where organizations freely used data without much restriction) to limiting risk (controlling data access based on regulations and customer feedback). While the data protection industry in Europe has made great strides since GDPR came into existence, we still have a long way to go because, for decades, technology solutions were built without privacy in mind. 

In the United States, the picture is quite different, as the lack of federal regulatory legislation leaves privacy concerns to battle for attention with other business priorities. Let's dig deeper into what the future of data privacy looks like across the pond. 

**Beyond Cookies: Delving Beneath the Data Veneer**

Marketplaces built around selling data need to pivot, because the future is about protecting individual data rights and that change goes far beyond a website pop-up asking to approve the use of cookies. Historically, data brokers have cashed in on users' data, which precipitated state laws in Vermont and California that aim to protect consumers by identifying the brokers and determining how they use the information. 

Tech giants like Apple and Google have also increased privacy protections with app-tracking transparency and plans to phase out third-party cookies. These titans of industry are pioneering an important movement that other companies need to follow. There's hope that legislation may spark further change, especially with privacy receiving bipartisan support.

If the American Data Privacy and Protection Act (ADPPA) takes effect in the United States, the biggest win would be a common standard for how to handle data. States like California have already established stricter standards for data privacy through the California Consumer Privacy Act (CCPA). Compliance requirements and hefty fines would be important accelerators in protecting consumer data. 

**Privacy Needs Security **

A comprehensive data security strategy is essential and a prerequisite to an overall privacy-centric posture for data-driven organizations. It's imperative to implement scalable, fine-grained access controls so policies can keep the data safe in the first place.

As the pendulum shifts toward implementing broader and complete data security strategies, companies need to adjust. The work of chief information security officers (CISOs), chief data officers (CDOs), and chief information officers (CIOs) alongside their actions is more critical than ever, because they are responsible for implementing tools and processes that help align companies toward their privacy-related goals. The increased focus on a complete data security strategy applies to data-driven organizations of any size. 

A Cisco study cites that 92% of organizations claim privacy to be integral to their culture, but it comes with a technical challenge. Oftentimes, CISOs and CIOs are confronted with data spread across their organization and they need to gain visibility into all their siloed, heterogeneous data to understand who controls, maintains, processes, and accesses which parts of the data. 

This challenge is exacerbated by the need to modernize with cloud-native technologies so companies have a better understanding of how data is used and that it is used in accordance with privacy guidelines, principles, and any governing legislation. 

**A Look into the Future**

None of this happened by accident. Consumers didn't like data collection practices and they spoke up. Legislators heard from their constituents and started creating regulations like the ADPPA. Companies started serving consumers differently and taking data privacy seriously.

Consumer awareness of how data is collected and used is becoming mainstream. According to HubSpot's "2022 State of U.S. Consumer Trends Report," 80% of consumers consider data privacy a human right and believe individuals should have complete control over how companies use their data. As a result of these growing trends, more businesses should leverage privacy as a differentiator. 

There is still a gap between companies' intent to satisfy data privacy concerns and the action that protects that information. As consumers become better educated about how their data is used, and legislation inches closer to reality, it becomes even more critical. Making the right investments in data security provides visibility, access control, and insights into your data while ensuring compliance, and can help make all the difference.

Why the Culture Shift on Privacy and Security Means Today's Data Looks Different

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.
Tracked as CVE-2022-4020, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.

Tracked as **CVE-2022-4020**, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with discovering the flaw is ESET researcher Martin Smolár, who previously disclosed similar bugs in Lenovo computers.

Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to tamper with boot loaders, leading to severe consequences.

This includes granting the attacker complete control over the operating system loading process as well as "disable or bypass protections to silently deploy their own payloads with the system privileges."

Per the Slovak cybersecurity company, the flaw resides in a DXE driver called HQSwSmiDxe.

The BIOS update is expected to be released as part of a critical Windows update. Alternatively, users can download the fixes from Acer's Support portal.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Flaw in Acer Laptops Could Let Attackers Disable Secure Boot Protection

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.

Tracked as **CVE-2022-4020**, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with discovering the flaw is ESET researcher Martin Smolár, who previously disclosed similar bugs in Lenovo computers.

Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to tamper with boot loaders, leading to severe consequences.

This includes granting the attacker complete control over the operating system loading process as well as "disable or bypass protections to silently deploy their own payloads with the system privileges."

Per the Slovak cybersecurity company, the flaw resides in a DXE driver called HQSwSmiDxe.

The BIOS update is expected to be released as part of a critical Windows update. Alternatively, users can download the fixes from Acer's Support portal.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The manufacturer is working to fix a vulnerability — similar to a previous problem in Lenovo laptops — that allows threat actors to modify or disable Secure Boot settings to load malware.

Acer is working to fix a firmware flaw affecting five of its laptop models. An exploit could allow attackers to disable a machine's Secure Boot settings to bypass key security measures and load malware, researchers have found.

ESET Research researcher Martin Smolar discovered the flaw, tracked as CVE-2022-4020, in the HQSwSmiDxe DXE driver on some versions of consumer Acer Aspire and Extensa notebooks. An attacker with elevated privileges can use the flaw to modify UEFI Secure Boot settings via an NVRAM variable, ESET disclosed in a series of tweets posted Nov. 28.

"#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe, which checks for the 'BootOrderSecureBootDisable' NVRAM variable," according to ESET. "If the variable exists, the driver disables Secure Boot."

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, OS files, and unauthorized option ROMs by validating their digital signatures. The feature blocks any malicious activity before it can infect the system.

By exploiting the flaw, threat actors can bypass this feature and run whatever code they want on the machine, malware or otherwise, even achieving persistence in a case in which an OS is reinstalled, the researchers said.

**Different Manufacturer, Similar Security Vulnerability**

Specifically, CVE-2020-4020 affects Acer Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G notebooks. The flaw creates a similar opportunity for attackers to the one caused by vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 that ESET researchers found in early November in various Lenovo Yoga IdeaPad and ThinkBook devices, and subsequently detailed extensively in a series of tweets.

As in that case, ESET also reported the vulnerability to the computer manufacturer for remediation. Acer quickly responded on Nov. 29 with a security update corroborating Smolar's findings and stressing the serious nature of the flaw.

"By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process," the company said. "This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges."

Acer is working on a BIOS update to resolve the issue that it will post on the Acer Support site, and recommends that affected users update their BIOS, once available, to the latest version to resolve the problem. The patch also will be included as a critical Windows update, the company said.

**Common NVRAM Variable Problem**

In both the Lenovo and Acer scenarios, attackers can exploit the Acer bug by creating special NVRAM variables, the actual value of which is not important—the existence of the variable itself is the only thing an affected firmware driver checks, the researchers noted.

NVRAM variables define a name for the boot option that can be displayed to a user. The variable also contains a pointer to the hardware device and to a file on that hardware device that contains the UEFI image to be loaded.

This problem appears to be quite well known, with researchers already advising against firmware developers storing security-sensitive components in these variables. Firmware security engineer Nikolaj Schlej even tweeted a plea to firmware developers in October to "stop using common NVRAM as trusted storage" because of the security problem it poses.

"It is indeed really tempting to use NVRAM or CMOS SRAM for storing triggers for various things, but both need to be assumed being under full attacker control," he said in a response to his own tweet. "Even volatile NVRAM variables aren't completely safe because there is still a chance of incorrect attribute check."

In the case of the Lenovo flaws, it does appear that developers already were aware of the issue before it made its way into the company's laptops, as some of the affected components were only meant to be used during manufacturing and were mistakenly included in production, according to ESET.

Acer Firmware Flaw Lets Attackers Bypass Key Security Feature

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, i someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.

**Impact**

Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication.

Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back.

However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus.

A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.

**Patches**

The exporter-toolkit v0.7.2 and v0.8.2 have been released to address this issue.

**Workarounds**

There is no workaround but attacker must have access to the hashed password, stored in disk, to bypass the authentication.

**Credit**

We want to thank Lei Wan reporting this security issue.

Tag

#ios