Why it matters: Security researchers have found that the same set of firmware vulnerabilities they discovered in Fujitsu Lifebook systems actually affect many more devices from multiple vendors. The flaws are severe as they allow attackers to bypass hardware security features as well as traditional endpoint security solutions.
Researchers at enterprise security firm Binarly have discovered no less than 23 high-impact vulnerabilities in the BIOS/UEFI firmware used by several computer vendors like Intel, AMD, Lenovo, Dell, HP, Asus, Microsoft, Fujitsu, Juniper Networks, Acer, Bull Atos, and Siemens.
Specifically, the vulnerabilities affect InsydeH2O-based UEFI firmware and many of them are present in the System Management Mode (SMM), which is responsible for providing system-wide power management and hardware control features. Most of the flaws are of the SMM Memory Corruption variety, as well as SMM Callout (Privilege Escalation) and DXE Memory Corruption.
Image: Binary’s FwHunt detection tool for the UEFI vulnerabilities
The flaws have been evaluated as severe due to the fact that they allow attackers higher privileges than those of the OS kernel in affected systems. In other words, malware can be written to take advantage of these vulnerabilities that will easily survive operating system re-installation and evade traditional endpoint security solutions like antivirus software and managed Endpoint Detection and Response (EDR).
Furthermore, they allow local and remote attacks that can bypass or invalidate hardware security features like Secure Boot, Intel BootGuard, and Virtualization-Based Security. Malware that exploits the 23 vulnerabilities is essentially invisible to the operating system and also to firmware integrity monitoring systems because of the limitations of the Trusted Platform Module (TPM).
The good news is that Insyde has released firmware patches, and Binarly as well as the CERT/CC were able to contact all 25 vendors that are impacted by the issues they discovered. Official firmware patches are expected to roll out in the coming months, but they will most likely arrive in the second half of this year.