Cybersecurity analysts have recently identified 23 critical UEFI vulnerabilities affecting millions of devices from several well-known vendors. The major vendors are listed below:
- HP
- Lenovo
- Fujitsu
- Microsoft
- Intel
- Dell
- Bull
- Siemens
These flaws concern the products of more than 25 suppliers, and millions of devices are affected. The types of devices impacted are:
- Laptops
- Servers
- Routers
- Network equipment
- ICS
- Several peripherals
Most of the vulnerabilities were found in System Management Mode (SMM) code, which is responsible for system-wide functions such as power and hardware management.
Any security issue in this space can have extremely serious consequences, since SMM privileges exceed even those of the OS kernel.
As a result, a threat actor with administrator rights will be able to perform the following actions remotely:
- Steal confidential data and create backdoors and hidden communication channels.
- Install software that persists in the system.
- Disable hardware security features (SecureBoot, Intel BootGuard).
Flaws Detected
All 23 critical security vulnerabilities are listed below:
- CVE-2020-5953
- CVE-2021-41839
- CVE-2021-41841
- CVE-2021-41840
- CVE-2020-27339
- CVE-2021-42060
- CVE-2021-42113
- CVE-2021-43522
- CVE-2022-24069
- CVE-2021-43615
- CVE-2021-41837
- CVE-2021-41838
- CVE-2021-33627
- CVE-2021-45971
- CVE-2021-33626
- CVE-2021-45970
- CVE-2021-45969
- CVE-2022-24030
- CVE-2021-42554
- CVE-2021-33625
- CVE-2022-24031
- CVE-2021-43323
- CVE-2021-42059
Among these critical vulnerabilities, the most dangerous are the following, which scored 9.8 out of 10 on the CVSS vulnerability rating scale:
- CVE-2021-45969
- CVE-2021-45970
- CVE-2021-45971
Vulnerability Category
All the critical vulnerabilities discovered by the experts fall into the following categories:
- SMM Privilege Escalation
- SMM Memory Corruption
- DXE Memory Corruption
Of these bugs, 10 relate to privilege escalation in SMM, 12 relate to memory corruption in SMM, and 1 relates to memory corruption in DXE.
Impact
Here’s what the cybersecurity analysts at Binarly stated:
“The active exploitation of all the discovered vulnerabilities can’t be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement. The remote device health attestation solutions will not detect the affected systems due to the design limitations in visibility of the firmware runtime.”
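The measurement limitation described in the quote, as an added illustration (not Binarly's code and not part of the original article): a TPM PCR is extended only with hashes of firmware images as they are loaded at boot, so a change made in SMM memory at runtime never reaches the value a remote verifier checks. The `Platform` model, image names and contents are constructed for this example.

```python
import hashlib


def extend(pcr, data):
    """TPM extend: new PCR = SHA256(old PCR || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measured_boot(flash_images):
    """Measure each firmware image once, as it is loaded from flash."""
    pcr = bytes(32)  # SHA-256 PCR bank starts at zero on power-on
    for image in flash_images:
        pcr = extend(pcr, image)
    return pcr


class Platform:
    """Constructed model: flash contents, one PCR, and SMM memory (SMRAM)."""

    def __init__(self, flash_images):
        self.flash = list(flash_images)
        self.reboot()

    def reboot(self):
        self.pcr = measured_boot(self.flash)
        # SMM code is copied out of flash and then runs from SMRAM.
        self.smram = bytearray(self.flash[-1])

    def corrupt_smram(self, offset, value):
        """Stand-in for a runtime memory-corruption bug in an SMM handler."""
        self.smram[offset] = value

    def attest(self):
        """All a remote verifier receives: the boot-time PCR value."""
        return self.pcr.hex()


# Constructed sample images, not real firmware.
IMAGES = [b"SEC/PEI volume", b"DXE volume", b"SMM drivers"]
GOLDEN = measured_boot(IMAGES).hex()


def runtime_change_is_visible():
    """Corrupt SMRAM after boot; report whether attestation notices."""
    p = Platform(IMAGES)
    p.corrupt_smram(0, 0xFF)
    assert bytes(p.smram) != IMAGES[-1]  # runtime state really changed
    return p.attest() != GOLDEN
```

In this model a modified flash image followed by a reboot does change the PCR; only the runtime change goes unseen.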
The American CERT clearinghouse has confirmed that three vendors have products affected by the InsydeH2O firmware flaws:
- Fujitsu
- Insyde Software Corporation
- Intel (CVE-2020-5953 only)
The InsydeH2O developers at Insyde Software have already published patches to resolve the vulnerabilities.
However, the key factor is that OEMs must first accept these patches before rolling them out to all affected products, and this whole process will take some time.