Executive Summary



This alert is flagged as belonging to the CWE/SANS Top 25 Common Weakness Enumeration list.
Summary

Title: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM

Information
Name: VU#796611
Vendor: VU-CERT
Severity (vendor): N/A
First vendor publication: 2022-02-01
Last vendor modification: 2022-11-09
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Overall CVSS score: 8.2
Base score: 8.2
Environmental score: 8.2
Temporal score: 8.2
Impact subscore: 6
Exploitability subscore: 1.5

Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 4.6
CVSS impact score: 6.4
CVSS exploit score: 3.9
Attack range: Local
Attack complexity: Low
Authentication: None required

Detail

Overview

The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM).

Description

UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions such as power management, system hardware control, or proprietary OEM-designed code. SMM's privileges, also referred to as "Ring -2," exceed those of the operating system's kernel ("Ring 0"). For this reason, SMM code executes from a protected region of memory called SMRAM. SMM code is typically invoked through System Management Interrupt (SMI) handlers, which exchange data with the caller through communication buffers, also known as "SMM Comm Buffers." SMM also provides protection against SPI flash modifications and performs boot-time verifications similar to those performed by Secure Boot.

UEFI software requires both openness (for hardware drivers, pluggable devices and Driver eXecution Environment (DXE) updates) and very tight security controls (e.g., SMM Comm Buffer security). This makes it complex software that needs a thorough set of security controls, validated throughout the software's lifecycle. UEFI also supports recent capabilities such as a Virtual Machine Manager (VMM) for virtualization, reflecting the increasing demand for virtual computing resources.

Insyde's H2O UEFI firmware contains 23 memory management vulnerabilities that were disclosed by Binarly. While these vulnerabilities were discovered in Fujitsu and Bull Atos implementations of Insyde H2O software, the same software is also present in many other vendors' implementations because of the complex UEFI supply chain. The vulnerabilities fall into the following UEFI vulnerability categories.

Vulnerability Category      Count
SMM Privilege Escalation    10
SMM Memory Corruption       12
DXE Memory Corruption        1

Impact

The impacts of these vulnerabilities vary widely because of the nature of SMM capabilities. For example, a local attacker with administrative privileges (or a remote attacker with administrative privileges) can exploit these vulnerabilities to elevate privileges above the operating system and execute arbitrary code in SMM. These attacks can be invoked from the operating system through unverified or unsafe SMI handlers, and in some cases the bugs can also be triggered during the UEFI early boot phases (as well as during ACPI sleep and recovery transitions) before the operating system is initialized.

In summary, a local attacker with administrative privileges (in some cases a remote attacker with administrative privileges) can use malicious software to perform any of the following:

  • Invalidate many hardware security features (SecureBoot, Intel BootGuard)
  • Install persistent software that cannot be easily erased
  • Create backdoors and back communications channels to exfiltrate sensitive data
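The unsafe SMI handler pattern the Impact section describes, beside the check a handler should apply to caller-supplied Comm Buffer data, as an added C example (constructed for this page; not Insyde's code and not code from the advisory). The SMRAM range, the CommHeader layout and the handler names are assumptions; the validation mirrors the intent of EDK2's SmmIsBufferOutsideSmmValid() without being that function.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not Insyde or EDK2 code: a single SMRAM range
   (similar to a platform's TSEG region). Values are assumptions. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Header the OS-side caller places in the SMM Comm Buffer before
   raising the SMI. Both fields are attacker-controlled from Ring 0. */
typedef struct {
    uint64_t Address;  /* where the handler should write its reply */
    uint32_t Length;   /* how many bytes of reply to write */
} CommHeader;

enum { REJECT = 0, WRITE_OK = 1 };

/* Unsafe pattern behind SMM memory-corruption bugs: the handler trusts
   Address/Length and would write the reply wherever they point, including
   into SMRAM itself (CWE-787). This model returns the decision rather
   than performing the write. */
int HandlerUnchecked(const CommHeader *hdr) {
    (void)hdr;
    return WRITE_OK;
}

/* Check with the same intent as EDK2's SmmIsBufferOutsideSmmValid():
   reject empty or wrapping ranges and any range overlapping SMRAM. */
bool BufferOutsideSmramValid(uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr)        /* zero length or wrap-around */
        return false;
    uint64_t end = addr + len;                /* exclusive end */
    if (addr < SMRAM_BASE + SMRAM_SIZE && end > SMRAM_BASE)
        return false;                         /* overlaps SMRAM */
    return true;
}

/* Hardened handler: copy the header into SMRAM-local storage once, so the
   caller cannot change it between the check and the use, then validate
   the copy before honouring it. */
int HandlerChecked(const CommHeader *hdr) {
    CommHeader local;
    memcpy(&local, hdr, sizeof local);        /* single fetch of caller data */
    if (!BufferOutsideSmramValid(local.Address, local.Length))
        return REJECT;
    return WRITE_OK;                          /* reply may go to local.Address */
}
```

The unchecked handler accepts a reply address inside SMRAM; the checked one rejects it, along with straddling, zero-length and wrapping ranges.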

Solution

Install the latest stable firmware version provided by your PC vendor or by the reseller that supplied your computing environment. The original advisory (linked under Original Source below) lists resources and updates provided by specific vendors.

If your operating system supports automatic or managed firmware updates, such as the Linux Vendor Firmware Service (LVFS), apply the related security updates. Binarly has also published a set of UEFI detection rules, called FwHunt rules, to help identify vulnerable firmware. LVFS applies these FwHunt rules to detect firmware affected by this advisory and to support delivery of the fixed firmware updates.

Acknowledgements

The efiXplorer team of Binarly researched and reported these vulnerabilities to Insyde Software. Insyde Software worked closely with CERT/CC during the coordinated disclosure process for these vulnerabilities.

This document was written by Vijay Sarvepalli.

Original Source

Url : https://kb.cert.org/vuls/id/796611

CWE : Common Weakness Enumeration

%     Id       Name
59 %  CWE-787  Out-of-bounds Write (CWE/SANS Top 25)
24 %  CWE-119  Failure to Constrain Operations within the Bounds of a Memory Buffer
6 %   CWE-770  Allocation of Resources Without Limits or Throttling
6 %   CWE-476  NULL Pointer Dereference
6 %   CWE-20   Improper Input Validation

CPE : Common Platform Enumeration

Type         Count
Application  7
Os           1
Os           1
Os           1
Os           1
Os           1
Os           1
Os           1
Os           1
Os           1
Os           1
Os           1
Os           1
Os           1

Alert History

Date                  Information
2022-11-10 00:34:56
  • Multiple Updates
2022-11-09 21:35:09
  • Multiple Updates
2022-11-09 21:22:08
  • Multiple Updates
2022-10-05 02:19:01
  • Multiple Updates
2022-10-05 00:34:46
  • Multiple Updates
2022-10-05 00:22:03
  • Multiple Updates
2022-04-27 00:31:26
  • Multiple Updates
2022-04-26 21:30:30
  • Multiple Updates
2022-04-26 21:17:46
  • Multiple Updates
2022-03-30 00:29:32
  • Multiple Updates
2022-03-29 21:29:29
  • Multiple Updates
2022-03-29 21:17:42
  • Multiple Updates
2022-03-25 21:29:59
  • Multiple Updates
2022-03-25 17:29:33
  • Multiple Updates
2022-03-25 17:17:43
  • Multiple Updates
2022-03-22 00:29:16
  • Multiple Updates
2022-03-21 21:29:23
  • Multiple Updates
2022-03-21 21:17:43
  • Multiple Updates
2022-02-26 00:29:36
  • Multiple Updates
2022-02-25 21:29:45
  • Multiple Updates
2022-02-25 21:17:45
  • Multiple Updates
2022-02-15 00:29:59
  • Multiple Updates
2022-02-14 21:28:46
  • Multiple Updates
2022-02-14 21:17:15
  • Multiple Updates
2022-02-05 01:57:44
  • Multiple Updates
2022-02-05 00:31:05
  • Multiple Updates
2022-02-05 00:17:42
  • Multiple Updates
2022-02-04 21:31:12
  • Multiple Updates
2022-02-04 21:17:45
  • Multiple Updates
2022-02-02 01:58:29
  • Multiple Updates
2022-02-02 00:31:28
  • Multiple Updates
2022-02-02 00:17:54
  • Multiple Updates
2022-02-01 21:31:56
  • Multiple Updates
2022-02-01 21:17:46
  • First insertion