As many as 23 new high-severity security vulnerabilities have been disclosed in different implementations of Unified Extensible Firmware Interface (UEFI) firmware used by numerous vendors, including Bull Atos, Fujitsu, HP, Juniper Networks, and Lenovo, among others.
The vulnerabilities reside in Insyde Software’s InsydeH2O UEFI firmware, according to enterprise firmware security company Binarly, with a majority of the anomalies diagnosed in the System Management Mode (SMM).
UEFI is a software specification that provides a standard programming interface connecting a computer’s firmware with its operating system during booting. In x86 systems, the UEFI firmware is usually stored in the flash memory chip of the motherboard.
“By exploiting these vulnerabilities, attackers can successfully install malware that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot, and Virtualization-Based Security isolation,” the researchers said.
Successful exploitation of the flaws (CVSS scores: 7.5 – 8.2) could allow a malicious actor to run arbitrary code with the permissions of SMM, a special-purpose execution mode in x86-based processors that handles power management, hardware configuration, thermal monitoring, and other functions.
“SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity,” Microsoft notes in its documentation, adding that the SMM attack vector could be abused by a piece of nefarious code to trick other code with higher privileges into performing unauthorized activities.
Worse, these weaknesses can be chained together to bypass security measures and install malware that persists across operating system re-installations, giving an attacker long-term persistence on compromised systems, as the case of MoonBounce shows, while creating a communication channel to stealthily exfiltrate sensitive information.
Insyde has released firmware patches that address these shortcomings as part of the coordinated disclosure process. It could be a while before these fixes are implemented by all OEMs.