Critical UEFI Vulnerabilities Threaten Devices from 25 Manufacturers

Binarly analysts have discovered 23 critical UEFI vulnerabilities from InsydeH2O, which is used by many major vendors, including HP, Lenovo, Fujitsu, Microsoft, Intel, Dell, Bull (Atos) and Siemens.

Together, the researchers say these bugs could affect millions of devices, including laptops, servers, routers, network equipment, ICS, and various peripherals. In total, the problems concern the products of more than 25 suppliers.

Most of the vulnerabilities were found in System Management Mode (SMM) code, which is responsible for system-wide functions such as power and hardware management.

Since SMM privileges exceed even the privileges of the OS kernel, any security issues in this space can have extremely serious consequences. In particular, a local or remote attacker with administrator rights will be able to perform the following actions:

  • disable hardware security features (SecureBoot, Intel BootGuard);
  • install software that will be firmly fixed in the system;
  • create backdoors and hidden communication channels to steal confidential data.

The most dangerous of all bugs found are CVE-2021-45969, CVE-2021-45970, and CVE-2021-45971, which scored 9.8 out of 10 on the CVSS vulnerability rating scale. Additional 10 vulnerabilities could be exploited for privilege escalation, 12 related to memory corruption in SMM, and another vulnerabilities related to memory corruption in the InsydeH2O Driver Execution Environment (DXE).

Active exploitation of all discovered vulnerabilities may not be detected by firmware integrity monitoring systems due to Trusted Platform Module (TPM) limitations. Solutions for remote attestation of device health will also not detect vulnerable systems due to design limitations.the experts warn.

At the moment, the American CERT has confirmed the presence of vulnerabilities in the products of three product vendors: Fujitsu, Insyde Software Corporation and Intel (only bug CVE-2020-5953).

Let me remind you that we also wrote that Microsoft warns of dangerous vulnerability in Surface Pro 3 devices.

InsydeH2O developers from Insyde Software have already released patches that fix all the bugs found, and have also published security bulletins, where each problem is analysed in detail. Unfortunately, these updates must first be accepted by OEMs before being rolled out to affected products. This whole process will take a lot of time, that is, patches will reach end users for a long time.

You may also be interested in reading that due to Razer Synapse vulnerability, connecting a mouse to a Windows machine gives system privileges.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *