The security company Binarly has released a new whitepaper on vulnerabilities it found in UEFI firmware. According to the whitepaper, every company that adopted Insyde's InsydeH2O firmware framework code is affected by the vulnerabilities. Those companies are Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel, and Bull Atos.
CVSS scores are “High”
There are 23 high-severity flaws in the InsydeH2O firmware framework, according to Binarly. The flaws, which carry CVSS scores between 7.5 and 8.2, make it possible to install malware that survives a complete reinstallation of the operating system. They also allow bypassing endpoint security solutions, Secure Boot, and virtualization-based isolation.
UEFI is the software that replaced the BIOS in modern systems. It sits between the operating system and the firmware, exposing the most important hardware-related settings in a visually advanced interface. UEFI is not installed on a hard drive or SSD; it lives in its own dedicated chip on the motherboard. This is why any compromise of the UEFI survives operating system reinstallation, or even replacement of the storage drives.
Three types of vulnerabilities
The whitepaper groups the current findings into three vulnerability types: SMM callout (privilege escalation), SMM memory corruption, and DXE memory corruption. Each has its own CVE ID; all of them are listed below:
Malicious actors who exploit these flaws can run arbitrary code with SMM permissions, stealthily deploying a second stage that enables persistent or non-persistent malware installation. At that point, the attacker can install implants at various firmware levels, either as a modified module or as a standalone driver.
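To make the SMM memory-corruption and SMM-callout classes named above concrete, here is an added illustrative C example. It is not code from Binarly, Insyde or any of the affected vendors, and it does not reproduce any of the reported flaws; it simulates the defect pattern and the check a hardened SMI handler performs. The SMRAM range, the `comm_buffer_t` structure, the handler names and the status codes are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the SMRAM (TSEG) range. A real platform obtains
 * this from its SMM access protocol; these addresses are hypothetical. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL  /* 8 MiB */

/* A communication buffer as the OS-side caller describes it to the SMI handler.
 * Both fields are attacker-controlled from the handler's point of view. */
typedef struct {
    uint64_t addr;   /* physical address supplied by the caller */
    uint64_t len;    /* length in bytes supplied by the caller */
} comm_buffer_t;

/* Returns true if [addr, addr+len) lies entirely outside SMRAM.
 * A hardened SMI handler performs this check before reading or writing
 * caller-supplied memory; without it, a pointer into SMRAM turns an
 * ordinary copy into SMM memory corruption. The check must also reject
 * a zero length and an addr+len that wraps around, or it can be bypassed. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0) return false;                 /* nothing to validate; reject */
    if (addr > UINT64_MAX - len) return false;  /* wrap-around defeats the range test */
    uint64_t end = addr + len;                  /* exclusive end */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    /* No overlap: buffer ends at or before SMRAM starts, or starts at or after it ends. */
    return end <= SMRAM_BASE || addr >= smram_end;
}

/* Returns true if a code address lies inside SMRAM. A hardened handler only
 * dispatches through function pointers that satisfy this; branching from SMM
 * to code that lives outside SMRAM is the "SMM callout" class. */
bool code_inside_smram(uint64_t addr)
{
    return addr >= SMRAM_BASE && addr < SMRAM_BASE + SMRAM_SIZE;
}

/* Outcome of dispatching one simulated SMI request. */
typedef enum { SMI_OK = 0, SMI_REJECT_BUFFER = 1, SMI_REJECT_CALLOUT = 2 } smi_status_t;

/* Simulated hardened SMI handler: validates the buffer and the callback
 * before doing any work, and reports why a request was rejected. */
smi_status_t hardened_smi_handler(const comm_buffer_t *buf, uint64_t callback_addr)
{
    if (!buffer_outside_smram(buf->addr, buf->len)) return SMI_REJECT_BUFFER;
    if (!code_inside_smram(callback_addr)) return SMI_REJECT_CALLOUT;
    /* Only now would the handler copy from the buffer and dispatch the callback. */
    return SMI_OK;
}

/* Simulated unvalidated handler for contrast: it accepts whatever it is given,
 * which is the defect pattern behind both SMM memory corruption and SMM callouts. */
smi_status_t unvalidated_smi_handler(const comm_buffer_t *buf, uint64_t callback_addr)
{
    (void)buf; (void)callback_addr;
    return SMI_OK;
}

int main(void)
{
    /* Constructed requests: one benign, one pointing into SMRAM,
     * one straddling the SMRAM boundary, one relying on wrap-around. */
    comm_buffer_t cases[] = {
        { 0x1000,             0x100 },
        { SMRAM_BASE,         0x10  },
        { SMRAM_BASE - 0x10,  0x20  },
        { UINT64_MAX - 0x10,  0x100 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("case %zu: hardened=%d unvalidated=%d\n", i,
               hardened_smi_handler(&cases[i], SMRAM_BASE + 0x10),
               unvalidated_smi_handler(&cases[i], SMRAM_BASE + 0x10));
    }
    return 0;
}
```

The boundary and wrap-around cases are the ones worth testing in a real handler review: a range check that only compares the start address, or that computes `addr + len` without an overflow check, still lets a crafted buffer overlap SMRAM.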
Insyde, the company behind the flawed UEFI code, has released firmware patches that fix the vulnerabilities. However, it may take a long time for those fixes to reach vulnerable devices.