There are three scenarios involving a UEFI infection:
- Remote infection
- Infection with physical access
- Infection via supply chain
To carry out a remote infection, attackers must gain elevated privileges to install a payload that will be run at the OS kernel level. After that, they must exploit the SMM vulnerability
. This will make it possible to execute the code in SMM mode, thereby bypassing various firmware protection mechanisms (Flash Write Protection) and gaining direct access to the firmware memory.
In case of infections involving physical access, attackers can exploit errors in the UEFI configuration
or the firmware update mechanism.
If the supply chain becomes infected, the criminals can add their own implant to the firmware or update it and bypass existing protection methods. For such attacks, it is necessary to compromise the manufacturer and gain access to the firmware source codes, for example.
Chipsec can also be used for basic UEFI configuration check or to scan for vulnerabilities. To do this, the main module must be run using the python command python chipsec_main.py, which will run various security checks, such as a check to overwrite protection.
It should be noted that successfully passing this test does not mean that your system is not infected since Chipsec provides only a basic set of security checks. However, failing the test means that the latest UEFI updates must be installed or the reason why the firmware's basic security mechanisms are violated must be found.