
Saturday, 5 February 2022

High- to Critical-Impact Vulnerabilities in UEFI Firmware, Affecting Several Major Vendors


 

Summary

Researchers recently disclosed 23 high- to critical-impact vulnerabilities in the InsydeH2O UEFI firmware used by multiple computer vendors, such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer.

Most of these vulnerabilities reside in System Management Mode (SMM), which provides system-wide functions such as power management and hardware control. Researchers stated that “the root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code.”

Please view the original blog for a full list of these 23 vulnerabilities, most of which have a High rating, with CVSS scores ranging from 7.5 to 8.2.

Of the 23, three are assessed as Critical, with a CVSS score of 9.8: CVE-2021-45969, CVE-2021-45970, and CVE-2021-45971.

These vulnerabilities can potentially affect the supply chains of each of these companies, and with them any organization using products that implement this BIOS firmware, right down to the end user.

The report does not indicate if these vulnerabilities have been exploited in the wild.

Analysis

Potential Impact

Successful exploitation of the majority of these vulnerabilities could lead to code execution with SMM privileges.

Ten of the discovered vulnerabilities could be exploited for privilege escalation, twelve are memory corruption flaws in SMM, and one is a memory corruption vulnerability in InsydeH2O's Driver eXecution Environment (DXE).

In addition, these vulnerabilities could critically impact affected organizations. Successful exploitation of SMM privilege escalation or code execution vulnerabilities could allow an attacker to break confidential computing in cloud environments.

Of note, SMM’s privileges exceed those of the OS kernel, so any security issues in this space can have severe consequences for the vulnerable system, potentially allowing an attacker to invalidate many hardware security features, install persistent software, and create backdoors and communications channels to exfiltrate sensitive data.

Recommendations

Insyde Software has released firmware updates to fix all identified security vulnerabilities and published detailed bulletins that assign a severity and description to every flaw.

However, each original equipment manufacturer (OEM) needs to adopt these security updates and push them to its affected products.

Please note that the blog states specifically that “The active exploitation of all the discovered vulnerabilities can’t be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement.

The remote device health attestation solutions will not detect the affected systems due to the design limitations in visibility of the firmware runtime.”

Because of this, the entire remediation process will take a considerable amount of time before the security updates reach end users.

References

https://www.binarly.io/posts/An_In_Depth_Look_at_the_23_High_Impact_Vulnerabilities/index.html
https://nvd.nist.gov/vuln/detail/CVE-2021-45969
https://nvd.nist.gov/vuln/detail/CVE-2021-45970
https://nvd.nist.gov/vuln/detail/CVE-2021-45971
https://www.insyde.com/press_news/press-releases/insyde%C2%AE-software-credits-binarly%E2%80%99s-ai-powered-firmware-threat-detection
https://www.insyde.com/security-pledge

 
