workless
New member
Message 1 of 3

Solved!

LoJax: can a HPZ series workstation be configured to be immune to the (UEFI / ?BIOS?) LoJax malware?

Z820
Linux

Question: What can be done to secure an older HP workstation against firmware based malware?

Notes:

1) Secure Boot doesn’t protect against the UEFI LoJax rootkit.
2) Secure Boot is a feature that is found in the UEFI setup utility but not the BIOS setup - see attached image.
3) Security community recommends keeping UEFI firmware up-to-date and, if possible, have a processor with a hardware root of trust.
4) Intel processors have Intel Boot Guard (from the Haswell family of Intel processors onwards) introduced in 2013.
5) The exploited vulnerability affects only older chipsets; make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008).

 

In summary, Boot Guard is a hardware-based technology designed to prevent malware and other unauthorized software from replacing or tampering with the low-level UEFI firmware. If the UEFI firmware isn’t signed by the OEM—that is, created by the OEM—the computer will halt and refuse to boot. That’s why you can’t modify the UEFI firmware or change it to something else.

Systems targeted by LoJax usually also showed signs of these three examples of Sednit malware:
- SedUploader, a first-stage backdoor
- XAgent, Sednit’s flagship backdoor
- Xtunnel, a network proxy tool that can relay any kind of network traffic between a C&C server on the Internet and an endpoint computer inside a local network

 

[Attached image: HP Setup]

1 ACCEPTED SOLUTION

DGroves
Level 11
Message 2 of 3

The HP "Z" series of workstations for the most part (some low-end models like the Z210 may not have this feature) have a checksummed BIOS that prevents any modified BIOS from being installed. If you try to install a modified BIOS, the update program will report success, but the BIOS is not actually updated.

To date there are no known tools that allow a modified BIOS to be installed on HP systems that implement this feature, short of perhaps desoldering the BIOS and reprogramming it using an EPROM programmer to burn a new image onto the chip and then reinstalling said chip.

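Because the accepted answer notes that the update program can report success while the BIOS is left unchanged, an administrator on Linux can confirm what the firmware itself reports before and after an update run. The following is an added example, not part of the thread and not HP code; the function names and the sample version strings are hypothetical, and it assumes the standard Linux sysfs DMI directory `/sys/class/dmi/id`.

```python
from pathlib import Path

# Firmware identity fields exposed by the Linux kernel under /sys/class/dmi/id
DMI_FIELDS = ("bios_vendor", "bios_version", "bios_date")


def read_dmi(dmi_dir="/sys/class/dmi/id"):
    """Return the firmware identity Linux exposes in sysfs (None for a missing field)."""
    snapshot = {}
    for name in DMI_FIELDS:
        path = Path(dmi_dir) / name
        snapshot[name] = path.read_text().strip() if path.is_file() else None
    return snapshot


def classify_update(before, after, target_version):
    """Compare snapshots taken before and after a firmware update run.

    Returns (status, changed) where status is 'applied', 'not_applied'
    or 'unexpected', and changed maps each differing field to (old, new).
    """
    changed = {k: (before.get(k), after.get(k))
               for k in DMI_FIELDS if before.get(k) != after.get(k)}
    if (after.get("bios_version") == target_version
            and before.get("bios_version") != target_version):
        return "applied", changed
    if not changed:
        # The updater may have reported success, but nothing the firmware
        # reports about itself has changed: treat the update as not applied.
        return "not_applied", changed
    # Something changed, but not to the version that was supposed to be installed.
    return "unexpected", changed


if __name__ == "__main__":
    # Constructed snapshots for illustration; on a real machine call read_dmi()
    # once before the update and once after the reboot that follows it.
    before = {"bios_vendor": "Constructed Vendor",
              "bios_version": "CONSTRUCTED 1.00", "bios_date": "01/01/2018"}
    after = dict(before)  # updater said "success", firmware identity unchanged
    print(classify_update(before, after, "CONSTRUCTED 2.00"))
```

These strings are reported by the firmware itself, so the check detects an update that did not take effect; it is not evidence that the installed image is unmodified.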
workless
Author
New member
Message 3 of 3

Thanks for the reply. This was the type of answer I was hoping for.
