
By Shannon Morse, ThreatWire

UEFI, the Unified Extensible Firmware Interface, was found to have as many as 23 different high-severity vulnerabilities, depending on the vendor. These could be exploited locally or, in some cases, remotely to defeat important hardware security features, install persistent malicious software or code, create backdoors, send commands to an attacker-controlled server, exfiltrate sensitive data and more. Originally found by researchers at Binarly, the critical vulnerabilities do require some sort of privileged access, and physical access makes them very easy to exploit.

These affect several different manufacturers including Fujitsu, HP, Lenovo, Dell, Microsoft, Intel, Juniper Networks, and more. All of the vulnerabilities have CVEs, but I won’t list those here because that would take forever.

UEFI is the part of a computer's firmware that starts the machine and hands off to your operating system. On an x86 system, UEFI is stored in a flash memory chip on the motherboard. UEFI (and its predecessor and alternative, the BIOS) runs when your computer powers on, and you can enter it to change low-level software and hardware settings, including some security settings, the boot order, and more.

The vulnerabilities exist in Insyde Software's InsydeH2O UEFI firmware and could be exploited by an attacker to execute arbitrary code with SMM (System Management Mode) privileges. That's a problem because SMM handles things like hardware configuration, power management, thermals and more. An attacker could chain several of the issues together to bypass security features or install malware that persists. So many OEMs were affected because they build their own firmware on Insyde-based firmware SDKs.

Insyde has released firmware patches, but each OEM has to integrate them and ship updates on its own release schedule, which unfortunately means many devices will probably never receive patches because they are already end-of-life (EOL) or close to it and no longer supported.
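Because exposure depends on which OEM build a machine actually runs, the first thing a defender needs is an inventory of firmware vendor and version per host. The shell script below is an added example, not code from the ThreatWire post, Binarly or Insyde: it reads the firmware vendor, version and date that the Linux DMI driver exposes under /sys/class/dmi/id (those file names are real) and classifies the host as Insyde-based or not. The sample sysfs trees, including the vendor string "INSYDE Corp.", are constructed for offline use, and the reported version still has to be compared by hand against the specific OEM's advisory, since this post lists none.

```shell
#!/bin/sh
# Added example (not from the ThreatWire post, Binarly or Insyde): report the
# firmware vendor/version a Linux host exposes through sysfs so a defender can
# see which machines run Insyde-based firmware and which version to check
# against the OEM's advisory. File names match the real DMI sysfs layout; all
# sample values below are constructed.

# classify_firmware DIR
#   DIR is a directory laid out like /sys/class/dmi/id.
#   Prints "<class>|<vendor>|<version>|<date>", class = insyde | other | unknown.
classify_firmware() {
    dir=$1
    # Missing or unreadable files simply yield empty fields.
    vendor=$(cat "$dir/bios_vendor" 2>/dev/null | tr -d '\n')
    version=$(cat "$dir/bios_version" 2>/dev/null | tr -d '\n')
    date=$(cat "$dir/bios_date" 2>/dev/null | tr -d '\n')
    class=unknown
    if [ -n "$vendor" ]; then
        # Case-insensitive match on the vendor string.
        case $(printf '%s' "$vendor" | tr 'A-Z' 'a-z') in
            *insyde*) class=insyde ;;
            *)        class=other ;;
        esac
    fi
    printf '%s|%s|%s|%s\n' "$class" "$vendor" "$version" "$date"
}

# firmware_class DIR -> only the class token, handy in fleet scripts.
firmware_class() {
    classify_firmware "$1" | cut -d'|' -f1
}

# Constructed sample trees standing in for /sys/class/dmi/id on three hosts.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/insyde" "$SAMPLE_ROOT/other" "$SAMPLE_ROOT/empty"
printf 'INSYDE Corp.\n'   > "$SAMPLE_ROOT/insyde/bios_vendor"
printf '1.23\n'           > "$SAMPLE_ROOT/insyde/bios_version"
printf '01/01/2021\n'     > "$SAMPLE_ROOT/insyde/bios_date"
printf 'Example Vendor\n' > "$SAMPLE_ROOT/other/bios_vendor"
printf '9.99\n'           > "$SAMPLE_ROOT/other/bios_version"
# "empty" has no files at all, modelling a host where DMI data is unavailable.

for host in insyde other empty; do
    echo "sample $host: $(classify_firmware "$SAMPLE_ROOT/$host")"
done

# On a real Linux host the DMI driver exposes the same files here.
if [ -d /sys/class/dmi/id ]; then
    echo "this host:     $(classify_firmware /sys/class/dmi/id)"
fi
```

A class of "insyde" only says the host is in scope; whether it is vulnerable depends on the OEM's build, so the version field is what gets compared against that vendor's advisory.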
