Absolute Security

Absolute Response to ESET Research

On September 27, 2018, ESET published a report that identified a sophisticated exploit relying on an Intel chipset vulnerability that was fixed in 2008. This attack also attempted to utilize a modified version of the old Computrace/LoJack agent. ESET reports that the later stages of this attack use known malware, based on a 2008 version of LoJack software, which was extensively reported on by Arbor Networks earlier this year.

This issue does not impact our current Absolute platform or agents. The Absolute product organization has engaged with ESET and the security community to work together to ensure no customers or partners are exposed. As we continue our due diligence around the claims made within the ESET report, we’ll update our Frequently Asked Questions accordingly.

If you have additional questions or concerns, reach out to us at [email protected].

What Can You Do Today?

It is important to remember that, according to the ESET research, this issue does not impact the current Absolute platform, agents, or Intel chipsets manufactured within the past decade.

Unfortunately, decade-old software and hardware vulnerabilities can be easily exploited by modern attackers. As always, good endpoint hygiene best practices are the best course of action to protect your organization. These steps include ensuring hardware and firmware are current, leveraging anti-malware, and confirming other endpoint protection agents are always present and healthy.

Absolute provides the best protection from scenarios such as this by helping you scan for and respond quickly to vulnerabilities and ensure your endpoint protection is always activated and in good working order. We can also help by providing rich detail into the endpoints in your organization. We can quickly conduct a scan of your managed devices to confirm these issues did not and will not impact your organization.

Frequently Asked Questions

What if I want to confirm that I have not been exposed?

If you have any concerns, want to talk to a member of our team or want to report a suspicious issue, we recommend that you report issues directly to Absolute and we will investigate immediately. If you have questions or concerns, please reach out directly to Absolute.

We are committed to the integrity of our software and technology, and take any disclosures very seriously. We will continue to investigate the research presented by ESET, and address any of our customers, partners or stakeholders promptly.

If you have devices with “modern chipsets with Platform Controller Hub (starting from Intel Series 5 chipsets onwards),” you are likely not vulnerable to the exploits described in ESET’s report. However, if you are using any devices older than 2008, BIOS WE has to be set to 0 and BIOS BLE has to be set to 1. This is typically the default configuration for systems. Post-PCH chips (those after 2008) have different pathways to enable or disable the appropriate BIOS commands.

The exploit also relies on a modified rpcnetp.exe which should be quarantined by modern AV products.

We’ll continue to share additional details and other potential remediation techniques as they are available.

How can I identify PCs that have a corrupted or missing VPN agent, and have it automatically remediated?

Our technology is designed to upgrade our customers to the latest version when activated. The recent issues highlight a reverse engineered agent, which would not be a legitimate version of Absolute’s software. We also follow a number of best practices to ensure the integrity of our technology, including signing our files and working with AV companies to whitelist our current agents.

As part of a continuous security process, Absolute periodically updates our agents. The primary concerns highlighted in the recent ESET report relate to the verification of our agent and were addressed in January 2015 with the release of RPCNET agent 944, which is code signed and performs server authentication.

Customers should take steps to ensure that devices are using agent 944 or later, and should apply any firmware updates published by their PC vendor. Customers can view their current agent version in the Asset report under the column ‘Agent Version’.
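
The two checks given on this page (BIOS WE set to 0 and BIOS Lock Enable set to 1 on pre-PCH devices, and agent 944 or later) can be run over an inventory export. The following is an added example, not Absolute's code: only the ‘Agent Version’ column name comes from this page, while the `Device` and `BIOS_CNTL` columns, the CSV layout and the sample rows are assumptions, and the bit positions are those of Intel's BIOS_CNTL register.

```python
import csv
import io

MIN_AGENT = 944   # from the page: agent 944 or later
BIOSWE = 1 << 0   # BIOS Write Enable, bit 0 of Intel's BIOS_CNTL register
BLE = 1 << 1      # BIOS Lock Enable, bit 1 of the same register

# Constructed sample inventory. 'Device' and 'BIOS_CNTL' are hypothetical
# columns; BIOS_CNTL holds the register byte as hex, however it was collected.
SAMPLE = """Device,Agent Version,BIOS_CNTL
lab-01,976,0x02
lab-02,932,0x02
lab-03,944,0x01
lab-04,950,0x00
lab-06,960,n/a
"""

def bios_findings(raw):
    """Check a BIOS_CNTL byte against the guidance: BIOS WE = 0, BLE = 1."""
    try:
        value = int(raw, 16)
    except (TypeError, ValueError):
        return ["BIOS_CNTL not collected"]
    out = []
    if value & BIOSWE:
        out.append("BIOS WE is 1 (expected 0)")
    if not value & BLE:
        out.append("BLE is 0 (expected 1)")
    return out

def agent_findings(raw):
    """Check the 'Agent Version' value against the 944 minimum."""
    try:
        version = int(raw)
    except (TypeError, ValueError):
        return ["agent version missing or unparseable"]
    return [f"agent {version} is older than {MIN_AGENT}"] if version < MIN_AGENT else []

def triage(csv_text):
    """Return {device: [findings]} for every device that fails a check."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        found = agent_findings(row.get("Agent Version")) + bios_findings(row.get("BIOS_CNTL"))
        if found:
            report[row["Device"]] = found
    return report

if __name__ == "__main__":
    for device, found in triage(SAMPLE).items():
        print(device, "->", "; ".join(found))
```

Rows with a missing or unreadable value are reported rather than skipped, so a device that was never measured does not pass by default.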

What happens if someone wants to report a vulnerability?

We have a published page on our website where external users can submit potential vulnerabilities for review and we have a vetting process to review those issues reported. If discovered to be vulnerabilities, we attribute the discovery to the individual(s) or group(s) that reported it, or work with them to submit a vulnerability submission through MITRE, at their request. It’s our job to make sure that we identify, fix and communicate vulnerabilities as quickly as possible when they are discovered.

Last Updated: January 4, 2019
