UEFI firmware vulnerabilities affect tech vendors including Intel and Fujitsu

Malware injected into a UEFI memory chip can survive reboots, formats and OS reinstalls, enabling threat actors to maintain their presence on compromised machines

Millions of enterprise devices could be impacted

Researchers at firmware security firm Binarly have discovered nearly two dozen vulnerabilities in the InsydeH2O UEFI firmware, which several major enterprise vendor ecosystems use.

The 23 high-severity bugs found could affect millions of enterprise devices, such as servers, routers, laptops, network devices, edge computing devices and industrial control systems (ICS).

'The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code,' the researchers said.

Vendors confirmed to be affected by the bugs include Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos, although more than 25 vendors use the framework code as part of an Insyde-based firmware SDK to create firmware.

Fujitsu, Insyde, and Intel have been confirmed as affected, according to the CERT Coordination Center (CERT/CC), while the status of other vendors is listed as 'unknown'.

The Unified Extensible Firmware Interface (UEFI) is low-level software that resides in a flash memory chip soldered to a computer's motherboard. It is the first software to execute when a system boots up, which gives it access to and control over all hardware components as well as the early stages of loading the machine's operating system.

Because UEFI lives inside a memory chip, malware injected into it can survive reboots, formats and OS reinstalls, enabling threat actors to maintain their presence on compromised machines.

Most of the 23 security bugs relate to the firmware's System Management Mode (SMM), a highly privileged CPU mode, isolated from the operating system, that provides system-wide power management and hardware control functions.

Attackers could use the flaws to elevate their privileges and execute arbitrary code, or to install persistent malware that cannot be easily erased. They could also bypass hardware security features such as Secure Boot and Intel Boot Guard, and create backdoor communication channels to exfiltrate data.

The 23 flaws are tracked as: CVE-2022-24030, CVE-2022-24031, CVE-2022-24069, CVE-2020-27339, CVE-2021-33625, CVE-2021-33626, CVE-2021-33627, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-41840, CVE-2021-41841, CVE-2021-42059, CVE-2021-42060, CVE-2021-42113, CVE-2021-42554, CVE-2021-43323, CVE-2021-43522, CVE-2021-43615, CVE-2021-45969, CVE-2021-45970, CVE-2021-45971, and CVE-2020-5953.

Of them, CVE-2021-45969, CVE-2021-45970, and CVE-2021-45971 in the SMM are rated as 'critical' with a CVSS severity score of 9.8 out of 10.

Twelve bugs are SMM memory corruption flaws, while 10 are SMM callout (privilege escalation) flaws, in which code running in SMM calls into memory outside its protected region. One is a memory corruption flaw in InsydeH2O's Driver eXecution Environment (DXE).
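To show what separates the two SMM bug classes above, here is a simplified model in C of the validation an SMI handler has to perform on a request coming from the operating system. It is an added example, not code from Binarly, Insyde or any affected vendor; the SMRAM layout, the request structure and the handler names are hypothetical. Production firmware based on EDK2 does this kind of check with helpers such as SmmIsBufferOutsideSmmValid, which this model only imitates. The naive handler accepts every request; the hardened one rejects buffers that overlap SMRAM (the memory-corruption class) and code targets outside SMRAM (the callout class), and also handles the length-overflow edge case that a plain `addr + len` comparison misses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed SMRAM layout for the model: one 16 MiB region.
 * Real platforms publish their ranges at boot; these values are hypothetical. */
typedef struct {
    uint64_t base;
    uint64_t size;
} SmramRange;

static const SmramRange g_smram[] = {
    { 0x7F000000ULL, 0x01000000ULL },
};
#define SMRAM_RANGE_COUNT (sizeof(g_smram) / sizeof(g_smram[0]))

/* True if [addr, addr + len) overlaps SMRAM range r.
 * Caller guarantees len > 0 and that addr + len does not wrap. */
static bool overlaps_range(uint64_t addr, uint64_t len, const SmramRange *r)
{
    uint64_t end = addr + len;
    uint64_t r_end = r->base + r->size;
    return addr < r_end && r->base < end;
}

/* An OS-supplied communication buffer is acceptable only if it lies entirely
 * outside SMRAM. Otherwise a handler that reads or writes it is touching SMM's
 * own memory with an attacker-chosen pointer and length: the memory-corruption class. */
bool buffer_outside_smram_valid(uint64_t addr, uint64_t len)
{
    if (len == 0) {
        return false;               /* nothing to validate: reject */
    }
    if (addr > UINT64_MAX - len) {
        return false;               /* addr + len would wrap around */
    }
    for (size_t i = 0; i < SMRAM_RANGE_COUNT; i++) {
        if (overlaps_range(addr, len, &g_smram[i])) {
            return false;
        }
    }
    return true;
}

/* Any address SMM transfers control to must be inside SMRAM. Calling code that
 * lives in ordinary RAM is the callout class: whoever controls the OS can replace it. */
bool pointer_inside_smram(uint64_t addr)
{
    for (size_t i = 0; i < SMRAM_RANGE_COUNT; i++) {
        if (addr >= g_smram[i].base && addr < g_smram[i].base + g_smram[i].size) {
            return true;
        }
    }
    return false;
}

/* Hypothetical request: the handler would write a result into data_addr
 * and then transfer control to target_code. */
typedef struct {
    uint64_t data_addr;
    uint64_t data_len;
    uint64_t target_code;
} SmiRequest;

typedef enum { SMI_OK = 0, SMI_REJECT_BUFFER = 1, SMI_REJECT_CALLOUT = 2 } SmiStatus;

/* Unsafe pattern: trusts every field of the request. */
SmiStatus smi_handler_naive(const SmiRequest *req)
{
    (void)req;
    return SMI_OK;
}

/* Hardened pattern: validate before any memory access or control transfer. */
SmiStatus smi_handler_hardened(const SmiRequest *req)
{
    if (!buffer_outside_smram_valid(req->data_addr, req->data_len)) {
        return SMI_REJECT_BUFFER;
    }
    if (!pointer_inside_smram(req->target_code)) {
        return SMI_REJECT_CALLOUT;
    }
    return SMI_OK;
}

int main(void)
{
    /* Constructed requests: one legitimate, then one per bug class. */
    SmiRequest ok   = { 0x10000000ULL, 0x1000ULL, 0x7F100000ULL };
    SmiRequest corr = { 0x7EFFF000ULL, 0x2000ULL, 0x7F100000ULL }; /* buffer straddles SMRAM base */
    SmiRequest call = { 0x10000000ULL, 0x1000ULL, 0x20000000ULL }; /* code target in normal RAM */
    printf("legit:   naive=%d hardened=%d\n", smi_handler_naive(&ok),   smi_handler_hardened(&ok));
    printf("corrupt: naive=%d hardened=%d\n", smi_handler_naive(&corr), smi_handler_hardened(&corr));
    printf("callout: naive=%d hardened=%d\n", smi_handler_naive(&call), smi_handler_hardened(&call));
    return 0;
}
```

The overlap test uses half-open intervals and checks for wrap-around before adding, because a request with a huge length can otherwise make `addr + len` land back below the SMRAM base and pass a naive comparison.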

The vulnerabilities were first detected in Fujitsu devices, but further investigation revealed that they were part of a larger problem affecting Insyde-based firmware. Researchers reported the bugs to Fujitsu in September.

UEFI provider Insyde Software has already released patches and advisories, although it will likely take some time for the fixes to reach vulnerable devices.

"We are extremely thankful for Binarly's work in discovering the items outlined in today's published security disclosures," said Tim Lewis, CTO at Insyde Software.

Binarly has also published, on GitHub, FwHunt rules for detecting the affected firmware.

UEFI firmware attacks are usually difficult to conduct as attackers either need physical access to the target device or to compromise targets through complex supply chain attacks.

In 2020, Kaspersky researchers claimed to have identified a strain of UEFI-based malware that was developed by Chinese-speaking hackers to target diplomatic entities in Asia, Africa and Europe. The malicious code was discovered on two systems belonging to diplomatic officials in Asia.

Kaspersky said a firmware scanner it added to its antivirus products in 2019 helped to uncover the 2020 campaign, which it named MosaicRegressor: only the second known case of UEFI malware.

The first case, reported by ESET researchers in 2018, was allegedly carried out by the Russian state-backed hacking group Fancy Bear.