At least 23 new security vulnerabilities were discovered in various implementations of UEFI (Unified Extensible Firmware Interface) firmware implemented by multiple vendors, such as HP, Lenovo, Juniper Networks, and Fujitsu.
The flaws are located in Insyde Software’s InsydeH2O UEFI firmware, with most of the flaws stemming from the SMM mode (system management). It is noteworthy that in x86 systems, the UEFI firmware is typically found in the flash memory chip of the motherboard.
Unified Extensible Firmware Interface (UEFI) is a technology that connects a computer’s firmware to its operating system. The purpose of UEFI is to eventually replace the legacy BIOS. The technology is installed during manufacturing. It is also the first program running when a computer is started.
UEFI Firmware Vulnerabilities
The vulnerabilities include CVE-2021-41837, CVE-2021-41838, CVE-2021-33627, CVE-2021-33626, CVE-2021-41839, CVE-2021-41841, among others. The full list is available in Insyde’s technical advisory, which also provides patch information and more technical details.
According to Binarly, the company that disclosed the issues, “The active exploitation of all the discovered vulnerabilities can’t be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement. The remote device health attestation solutions will not detect the affected systems due to the design limitations in visibility of the firmware runtime.”
It is noteworthy that an attacker with privileged user access to the targeted system can exploit the vulnerabilities to install advanced persistent malware. Furthermore, the attacker can circumvent endpoint security solutions, Secure Boot, and virtualization-based security.
The flaws were originally unearthed in Fujitsu devices. However, further analysis showed that the issue was more large-scale, impacting Insyde-based firmware. Fujitsu was contacted in September last year, while Binarly cooperated with CERT/CC and the Linux Vendor Firmware Service (LVFS) to identify and notify other impacted vendors.
In October 2020, security researchers discovered a new UEFI attack, where a compromised UEFI firmware image contained a malicious implant. Part of a malware framework called MosaicRegressor, the attack compromised victims with ties to North Korea between 2017 and 2019.