Security Firm Warns These Major UEFI BIOS Security Flaws Affect Millions Of Devices
These vulnerabilities were traced back to Insyde Software’s InsydeH2O UEFI firmware framework code. Over 25 vendors have been using this framework code as part of an Insyde-based firmware SDK to develop firmware. The list of vendors includes Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel, and Bull Atos.
As a result, attackers who exploit these vulnerabilities to achieve SMM privilege escalation could bypass boot security features and implant persistent malware. We recently reported on one such persistent malware dubbed MoonBounce. MoonBounce is a rootkit that can be embedded where firmware resides on flash memory, enabling the malware to survive an OS reinstall, a drive format, or even a drive replacement.
Given the severe threat of SMM privilege escalation and the possibility for persistent malware, which is difficult both to detect and remove, these vulnerabilities have high severity ratings. They all have scores of 7.5 or 8.2 in the Common Vulnerability Scoring System (CVSS) Version 2.0, but three of them are listed in the National Vulnerability Database (NVD) as critical vulnerabilities with scores of 9.8 in CVSS Version 3.x.
Fortunately, the Binarly team privately disclosed these vulnerabilities back in September of 2021, and Insyde Software has already released firmware updates that patch all 23 of the vulnerabilities. That said, it will take some time for the affected vendors to adopt these updates and push them out in security updates for end-users, and some products may never receive these updates.
Binarly has released FwHunt rules for detecting the vulnerabilities on GitHub, and you can read more about the vulnerabilities in Binarly’s in-depth post.