
Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs - LinuxBender
https://threatpost.com/lenovo-hp-dell-peripherals-unpatched-firmware/152936/
======
T3OU-736
Hrmmm. So, this seems a bit sneaky in its description. To wit: "First, an
attacker gains access to a device via any method, be it physical access,
malware that allows remote code execution and so on, and, with basic user
privileges, the attacker can write malicious firmware to a vulnerable
component. If the component doesn’t require the firmware to be properly
signed, the attacker’s code is loaded. Depending on the peripheral in
question, this can lead to a range of malicious activity."

Right, except in Linux and Windows, one must be an admin to the PCI/USB
devices in a manner necessary to update the FW.

Additionally, and arguably more importantly, the lack of meaningful signature
verification for device FW updates is a rather old state of affairs, going
back at least a decade and a half, so why is this being released now? The
cynic in me thinks about this being a PR piece, masquerading as an InfoSec
article.

Without going down the path of "what is the root of trust for a signed
update?" (for the sake of brevity), this is non-trivial problem to solve. Some
FW, as part of the more general "driver", do go via Microsoft's WQHL, and some
manufacturers do have signed updates on Linux (RPM signatures as an example).

