Researchers on Tuesday reported they found 23 high-impact vulnerabilities in the Unified Extensible Firmware Interface (UEFI) of more than 25 manufacturers, many of them leading device makers such as Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel, and Bull Atos.
In a blog post, Binarly researchers said the majority of the UEFI firmware vulnerabilities disclosed had CVSS scores between 7.5 and 8.2 and could lead to code execution with system management mode (SMM) privileges. The root cause of the issue was discovered in the reference code associated with InsydeH2O firmware framework code.
The Binarly researchers said attackers can use these critical firmware vulnerabilities to bypass security features or gain long-term persistence, like the recently discovered MoonBounce. Hackers can also install malware that survives operating system re-installations and lets them bypass endpoint security products, secure boot and virtualization-based security isolation.
Any vulnerabilities that let an attacker manipulate or alter a system’s BIOS can have potentially devastating consequences, said Mike Parkin, an engineer at Vulcan Cyber, who added that fortunately, the attack described here by Binarly requires privileged access to execute. Parkin said this isn’t uncommon with BIOS attacks in that they require some level of privilege or physical access to implement.
“But that doesn’t mean we can ignore them,” Parkin said. “For a threat actor, the value of embedding malicious code in the BIOS makes the effort worthwhile. The issue will be identifying all the systems that are affected by these vulnerabilities and rolling out the updates once they are available from the vendor. System BIOS updates are often more involved and time-consuming than a simple system patch, which makes finding and fixing them all somewhat challenging.”
Bud Broomhead, CEO at Viakoo, said similar to recent open-source vulnerabilities (Log4j, PwnKit), vulnerabilities that exist within the UEFI layer from Insyde are difficult to quickly patch at scale because multiple manufacturers will each need to produce and distribute a patch to the end user. Broomhead said it’s then up to the end user how quickly (if ever) the patch gets installed.
“The severity scores are only one part of how dangerous these vulnerabilities are,” Broomhead said. “Because they are present at the UEFI layer, other forms of patching (e.g. updating the operating system) will not work, providing the threat actors direct ability to inject malware into the OS until the UEFI code itself is patched.”
John Hammond, senior security researcher at Huntress, said Binarly's analysis uncovered almost two dozen vulnerabilities, with the majority earning a high-severity score and leading to code execution. Based off the numbered rating alone, Hammond said "that’s very close to the worst it can get."
“Considering that dread and scare factor, though, BIOS and firmware compromises aren't commonly seen because the attacks must often be done locally — the threat actor typically needs the physical firmware, or needs to already have access in some way,” Hammond said. “What makes firmware attacks so sinister is the lure of practically undetected persistence. Exploiting low-level vulnerabilities like these, attackers can install an implant to maintain access that isn't readily discovered when the device is on and functioning. Regardless of the impact or accessibility of these vulnerabilities, it’s great to see these disclosed responsibly and vendors notified so they can remediate and fix these issues.”