UEFI firmware used by popular computer manufacturers such as HP, Asus, Dell, Lenovo, Microsoft and Acer, among others, has been found to have 23 critical vulnerabilities that could give a remote or local attacker administrative access to the impacted system.
The flaws were found by researchers at firmware protection company Binarly in InsydeH2O’s UEFI firmware. Most of the issues reside in the software’s System Management Mode (SMM), which is responsible for functions like hardware control and power management.
Out of the 23 discovered vulnerabilities, ten can be used for privilege escalation, 12 are memory corruption flaws in the SMM, and one is a memory corruption vulnerability in the UEFI’s Driver eXecution Environment (DXE).
Undercutting the software, through software
UEFI, or Unified Extensible Firmware Interface, is an interface between a hardware device’s firmware (in this case the computer’s) and the operating system currently installed. This interface handles things like the boot process, repairs any malfunctioning features and keeps an eye on system diagnostics.
Since the SMM’s privileges exceed the OS kernel’s, security vulnerabilities here can give an attacker direct access to the machine, which means severe consequences for the targeted device.
Binarly’s disclosure report has listed the following 23 vulnerabilities:
Of the aforementioned vulnerabilities, three are rated critical in severity with a score of 9.9 out of 10, namely CVE-2021-45969, CVE-2021-45970, and CVE-2021-45971, all residing in the SMM. Local or remote attackers with admin privileges exploiting the SMM can do the following:
- Invalidate hardware security features such as SecureBoot and Intel BootGuard.
- Create backdoors and back communication channels to steal data.
- Install hard-to-remove persistent software.
Binarly notes that the root cause behind so many flaws in the reference code is associated with the firmware’s framework code. At the time of writing, the US-CERT Coordination Center has confirmed three vendors whose products are affected:
- Intel (only CVE-2020-5935)
- Insyde Software Corporation
Insyde has released updates patching all of these vulnerabilities. However, OEMs need to adapt these updates to their hardware before pushing them out to impacted users.
Binarly has also published FwHunt rules on GitHub to help users scan their systems for the flaws mentioned above. Currently, only Insyde, Fujitsu and Intel are reported as impacted, with other manufacturers presently investigating. Rockwell, Supermicro and Toshiba were reported as safe.