Experts found 23 flaws in UEFI firmware potentially impact millions of devices

Experts found 23 flaws in UEFI firmware potentially impact millions of devices

Researchers discovered tens of vulnerabilities in UEFI firmware code used by the major device manufacturers.

Researchers at firmware security company Binarly have discovered 23 vulnerabilities in UEFI firmware code used by the major device makers. The vulnerabilities could impact millions of enterprise devices, including laptops, servers, routers, and industrial control systems (ICS). All these vulnerabilities affects several vendors, including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos.

Insyde UEFI firmware flaws

The flaws reside in the InsydeH2O UEFI firmware provided by Insyde Software and used by the impacted vendors. The analysis of the disassembly code revealed that the majority of these flaws were exploitable vulnerabilities in the System Management Mode (SMM).

“The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code. All of the aforementioned vendors were using Insyde-based firmware SDK to develop their pieces of firmware.” reads the analysis published by Binarly.

Most of the vulnerabilities could lead to code execution with SMM privileges. An attacker can chain these issues to bypass security features or establish persistence.

“By exploiting these vulnerabilities, attackers can successfully install malware that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation.” continues the post.

An attacker with privileged user access to the targeted system can exploit the vulnerabilities to implant persistent malware.

The researchers pointed out that the active exploitation of all the above issue cannot be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement.

Binarly worked with CERT/CC and the Linux Vendor Firmware Service (LVFS) to notify Fujitsu and other impacted vendors.

Despited Insyde has addressed the vulnerabilities, it will likely take some time before the security patches will be installed in the firmware of the impacted vendors.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, EUFI firmware)




Leave a Reply

Your email address will not be published.