The National Institute of Standards and Technology (NIST) has released a report titled Hardware Security Failure Scenarios, enumerating 98 scenarios in which hardware and firmware weaknesses, and flaws in the supply chains that produce hardware and firmware, could be exploited by an adversary, and what kind of damage could be done.
The report is 79 pages long, and contains more detail than is likely to be useful for most cybersecurity professionals or teams. However, the overall message of the report is crystal clear and critically important. The report concludes:
“Hardware is a new focal point in the unending conflict between computer security hackers and defenders. Vulnerabilities can have serious consequences because of the largely deployed base of chips and the inability to fix vulnerabilities on those chips. There are many ways in which HW can fail from a security perspective, and there is ample justification for securing the HW infrastructure. HW is the foundation of computing and must be trustworthy.”
Weaknesses vs. Vulnerabilities
The NIST report focuses on Common Weakness Enumerations (CWEs) instead of Common Vulnerabilities and Exposures (CVEs). CWEs are described as “conditions in a software, firmware, or hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.” There may not have been specific vulnerabilities leveraging a particular CWE, but multiple vulnerabilities and exploits are possible, depending on the nature of each weakness. It is safe to say that it is not a matter of if, but when, these weaknesses are targeted for exploitation.
As of April 2024, there were 108 hardware-specific CWEs. The CWEs are organized in various ways, the most interesting of which is dubbed the “Research Concepts” view, which categorizes the CWEs by “the method through which an exploitation can occur.” The ten categories in this view are:
- Improper Access Control (CWE-284)
- Improper Adherence to Coding Standards (CWE-710)
- Improper Check or Handling of Exceptional Conditions (CWE-703)
- Improper Control of a Resource Through its Lifetime (CWE-664)
- Improper Interaction Between Multiple Correctly-Behaving Entities (CWE-435)
- Improper Neutralization (CWE-707)
- Incorrect Calculation (CWE-682)
- Incorrect Comparison (CWE-697)
- Insufficient Control Flow Management (CWE-691)
- Protection Mechanism Failure (CWE-693)
Prevalence of Improper Access Control
Improper Access Control and Improper Control of a Resource Through Its Lifetime are the two categories that represent the most weaknesses, accounting for 83 of the 98 security failure scenarios in the report. Among these 83, many of the weaknesses describe the potential for an attacker to conduct malicious actions either BEFORE security controls are initiated within the system, or in locations within the system, such as memory regions, where security controls have not been properly configured.
The existence of these weaknesses outside the purview, or before the initiation, of security controls, represents a massive attack surface that is difficult to measure, and therefore difficult to secure. The fact that these weaknesses exist within proprietary chips and systems with little transparency to their end users creates further obstacles to securing them.
As the NIST report notes:
“Each scenario describes a type of vulnerability that can be instantiated in many different ways on distinct hardware platforms. Almost all of these scenarios represent significant security concerns.”
Some of these weaknesses could be corrected with a firmware or ROM update. This would require organizations to have the ability to detect the presence of insecure firmware versions in the first place, which is an increasingly important, but not yet widespread, security capability.
The Rise in Attacks on Network Devices and Infrastructure
The past several years have seen a sharp uptick in the disclosure and exploitation of vulnerabilities in firmware and low-level components of IT and network infrastructure devices. Some firmware exploits have become widely available in the form of rootkits and bootkits, making them trivial for even non-sophisticated hackers to use in cyberattack campaigns. A recent CISA report on the most routinely exploited vulnerabilities of 2023 showed that over half of them impacted network infrastructure and devices. These are the exact categories of device that are likely to contain unmonitored, out-of-date firmware and custom microcode that cannot be monitored or secured through traditional endpoint-agent-based solutions.
As the attack tactics for compromising firmware and maintaining persistence outside the view of security tools grow more widespread, enterprises will need to pursue more robust programs of vulnerability management, integrity checking, and threat detection on these increasingly targeted devices. This will require increased transparency and support from the vendors themselves.
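The two capabilities named above, detecting insecure firmware versions and integrity checking, sketched as an added example (not code from the NIST report, the original post, or any vendor product). It audits an inventory against a baseline of first-fixed versions and known-good image digests; the model names, versions, image bytes and inventory format are all constructed assumptions.

```python
import hashlib
import re

def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()

# Constructed baseline (hypothetical models): first fixed release and good image digests.
BASELINE = {
    "edge-router-x": {"min_fixed": "2.4.10", "good": {sha256_hex(b"edge-router-x 2.4.10 image")}},
    "core-switch-y": {"min_fixed": "7.0.3", "good": {sha256_hex(b"core-switch-y 7.0.3 image")}},
}

def parse_version(text):
    """Tuple of ints for dotted versions such as '2.4.10'; None if unreadable."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def audit_device(device):
    """Return finding strings; an empty list means the device passed both checks."""
    entry = BASELINE.get(device.get("model"))
    if entry is None:
        return ["no-baseline-for-model"]
    findings = []
    reported = parse_version(device.get("fw_version"))
    if reported is None:
        findings.append("version-unknown")  # fail closed: unreadable is not a pass
    elif reported < parse_version(entry["min_fixed"]):
        findings.append("below-fixed-version")  # numeric compare: 2.4.9 < 2.4.10
    image = device.get("fw_image")
    if image is None:
        findings.append("image-not-collected")
    elif sha256_hex(image) not in entry["good"]:
        findings.append("image-hash-mismatch")
    return findings

def audit(inventory):
    return {device["host"]: audit_device(device) for device in inventory}

# Constructed inventory, shaped like the output of a collection script.
INVENTORY = [
    {"host": "rtr-01", "model": "edge-router-x", "fw_version": "2.4.9", "fw_image": b"edge-router-x 2.4.9 image"},
    {"host": "rtr-02", "model": "edge-router-x", "fw_version": "2.4.10", "fw_image": b"edge-router-x 2.4.10 image"},
    {"host": "sw-01", "model": "core-switch-y", "fw_version": "7.0.3", "fw_image": b"core-switch-y 7.0.3 image\x00extra"},
    {"host": "sw-02", "model": "core-switch-y", "fw_version": None, "fw_image": None},
    {"host": "fw-01", "model": "legacy-fw-z", "fw_version": "1.0", "fw_image": None},
]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

Host sw-01 reports a fixed version yet fails the digest check, which is why a version inventory alone does not establish integrity.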
Ultimately, it is clear that hardware and firmware vulnerabilities pose an increasing threat to organizations of all sizes. And while there is a robust cybersecurity industry focused on protecting Windows and Linux endpoints, there has been far less attention paid to the security risks associated with Enterprise IT Hardware and the firmware and microcode that runs on it. As hardware and firmware exploits become more prevalent, this will need to change.
How Eclypsium Can Help
Eclypsium can detect vulnerabilities and misconfigurations, and conduct integrity checks, deep within the firmware and microcode of network devices. This capability is a foundational necessity for organizations needing assurance that they are safe from exploitation of weaknesses and vulnerabilities in the firmware of their foundational network resources.
For those interested in learning more, Eclypsium and TAG Cyber are hosting an upcoming webinar on this topic, titled “Securing the Foundation: The Critical Role of Hardware in Supply Chain Attacks” on December 4, 2024. Join to learn more about this important topic.
Further Reading
- CISA: Over Half of Top Routinely Exploited Vulnerabilities in 2023 Affected Network Devices and Infrastructure
- NIST Hardware Security Failure Scenarios
- Eclypsium Firmware Security for Enterprises
The post Unpacking NIST Hardware and Firmware Security Failure Scenarios appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.