Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Supermicro and PulseSecure Issue Advisories on Trickboot

Companies Report Several of Their Products Are Vulnerable
Supermicro and PulseSecure Issue Advisories on Trickboot

Supermicro and Pulse Secure have each issued advisories this past week warning users that some of their products are vulnerable to the updated version of Trickbot malware that features a bootkit module, nicknamed Trickboot, which can search for UEFI/BIOS firmware vulnerabilities.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Server maker Supermicro confirmed that its X10UP "Denlow" series of motherboards has vulnerabilities that can be detected by Trickboot. Secure access gateway manufacturer PulseSecure notes that two of its Pulse Secure Appliance models can be exploited.

"Supermicro is aware of the Trickboot issue which is observed only with a subset of the X10 UP motherboards," the company says, adding it will be providing a patch. It did not, however, offer a time frame for when the patch would be issued.

PulseSecure has issued one BIOS patch for Pulse Connect Secure and Pulse Policy Secure. An update for Pulse One, which is for on-premises appliances only is still pending.

Trickboot is capable of discovering vulnerabilities and enabling attackers to read/write/erase a device's BIOS. Security firms Eclypsium and Advanced Intelligence issued the first alert on Trickboot in December 2020, noting the pairing of Trickbot with a bootkit enables an attacker to automate a search for vulnerable devices (see: Trickbot Now Uses a Bootkit to Attack Firmware).

Affected Devices

Supermicro will only automatically issue patches for devices that have not yet reached end-of-life status. For those past that date, the operators will have to request the patch directly from the company.

These are the affected X10 UP-series H3 Single Socket "Denlow" motherboards and their end-of-life dates:

  • X10SLH-F (will EOL on 3/11/2021)
  • X10SLL-F (6/30/2015)
  • X10SLM-F (6/30/2015)
  • X10SLL+-F (6/30/2015)
  • X10SLM+-F (6/30/2015)
  • X10SLM+-LN4F (6/30/2015)
  • X10SLA-F (6/30/2015)
  • X10SL7-F (6/30/2015)
  • X10SLL-S/-SF (6/30/2015)

Until the mitigations are made available, Supermicro recommends that users check devices to ensure that BIOS write protections are enabled, verify firmware integrity by checking firmware hashes against known good versions of firmware and update the firmware to mitigate numerous vulnerabilities that have been discovered.

PulseSecure's PSA-5000 and PSA-7000 are the only products in the company's inventory that are affected. The former is a secure access appliance for medium to large enterprise customers, while the latter is intended to be used by enterprise-level organizations and government agencies.


Trickbot has been a primary tool used to dispense banking Trojans along with Ryuk and Conti ransomware. It is generally distributed "as-a-service," with Symantec attributing its use to the Wizard Spider group.

In October, Microsoft and several federal agencies knocked Trickbot's servers offline, but the operators quickly bounced back (see: Updated Trickbot Malware Is More Resilient).

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.