News has emerged of 23 new vulnerabilities that are particularly nefarious because the UEFI/BIOS-based attacks bypass security mechanisms, persist after drive formats and operating system re-installations, and, according to the disclosure, can be exploited remotely. Security researchers at Binarly discovered the 23 high-impact vulnerabilities in BIOS/UEFI firmware from a multitude of system vendors, including Intel, Microsoft, Lenovo, Dell, Fujitsu, HP, HPE, Siemens, and Bull Atos (via Bleeping Computer). The vulnerability classes include SMM callout (privilege escalation), SMM memory corruption, and DXE memory corruption.
Last week, news emerged of the MoonBounce malware that hides in the BIOS chip; Binarly's disclosure now indicates a wide range of UEFI vulnerabilities that can be used as a springboard to install malware, or even to write new, infected firmware images.
The impact of these vulnerabilities is severe because attackers can use them to bypass security features such as Secure Boot, Virtualization-Based Security (VBS), and even Trusted Platform Module (TPM) protections. Because the vulnerabilities sit in the UEFI firmware itself, malware installed through them survives operating system reinstallations, making it nearly undetectable and extremely hard to remove.
Binarly found that all of these vulnerabilities trace back to InsydeH2O, a firmware framework used to build motherboard BIOS/UEFI images. All of the affected vendors were using Insyde's firmware SDK for motherboard development.
The investigation began when Binarly discovered several repeatable anomalies on twenty different Fujitsu enterprise machines, specifically its Lifebook laptops. Once Binarly dug deeper into the problem, it found that many more OEMs shared the same issues.
After discovering the issues, Binarly immediately reported them to the CERT/CC, which maintains a Vulnerability Notes Database detailing software vulnerabilities. Together, the CERT/CC and Binarly were able to contact all 25 impacted vendors.
If you're worried about exposure, there will be a way to check whether your computer is affected by these vulnerabilities. Binarly developed a tool called FwHunt that can detect vulnerable code patterns in firmware. For now, however, the detection rules remain private and will be published on GitHub once the vulnerability advisory becomes public.
As for a real fix, there is no set date for official firmware patches. However, Binarly notes that using the VINCE platform to communicate with multiple vendors and parties at once allows it to shorten the security fix timeline to about 5 months. That means official firmware updates can be expected around the second half of 2022.