Overview
The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM).
Description
UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. SMM's privileges, also referred to as "Ring -2," exceed the privileges of the operating system's kernel ("Ring-0"). For this reason, SMM is executed in a protected area of memory called the SMRAM. It is typically accessed via System Management Interrupt (SMI) Handlers using communication buffers, which are also known as "SMM Comm Buffers." The SMM also provides protection against SPI flash modifications and performs boot time verifications similar to those performed by SecureBoot.
UEFI software requires both openness (for hardware drivers, pluggable devices, and Driver eXecution Environment (DXE) updates) and very tight security controls (e.g., SMM Comm Buffer security). This makes it complex software whose security controls need validation throughout the software's lifecycle. UEFI also supports recent capabilities like Virtual Machine Manager (VMM) for virtualization and the increasing demand for virtual computing resources.
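As an added illustration (not code from Insyde, Binarly, or this advisory), the following C model shows the kind of SMM Comm Buffer validation an SMI handler is expected to perform before using caller-supplied memory. The SMRAM window, the `comm_request` layout, and all function names are assumptions made for the example; it does not reproduce any of the specific vulnerabilities listed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed SMRAM window; real firmware learns its SMRAM ranges at boot. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical request an OS driver places in the comm buffer. */
typedef struct {
    uint64_t data_ptr;  /* physical address chosen by the untrusted caller */
    uint64_t data_len;  /* length chosen by the untrusted caller */
} comm_request;
typedef enum { SMI_OK, SMI_BAD_BUFFER, SMI_ACCESS_DENIED } smi_status;

/* True only if [addr, addr+len) is non-empty, does not wrap, and misses SMRAM. */
bool range_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > UINT64_MAX - len)
        return false;
    uint64_t end = addr + len;  /* exclusive end, cannot wrap here */
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Entry checks of a model SMI handler; *out receives a private snapshot. */
smi_status smi_handler_validate(uint64_t comm_phys, uint64_t comm_size,
                                const volatile comm_request *comm,
                                comm_request *out)
{
    /* 1. The buffer itself must be large enough and lie outside SMRAM. */
    if (comm_size < sizeof(comm_request) ||
        !range_outside_smram(comm_phys, comm_size))
        return SMI_BAD_BUFFER;
    /* 2. Read each field once, so later OS writes cannot alter checked values. */
    comm_request local = { comm->data_ptr, comm->data_len };
    /* 3. A pointer nested in the buffer gets the same range check. */
    if (!range_outside_smram(local.data_ptr, local.data_len))
        return SMI_ACCESS_DENIED;
    *out = local;
    return SMI_OK;
}

int main(void)
{
    comm_request out, ok = { 0x1000, 0x100 }, bad = { SMRAM_BASE + 0x10, 8 };
    printf("normal request: %d\n", (int)smi_handler_validate(0x2000, sizeof ok, &ok, &out));
    printf("SMRAM pointer:  %d\n", (int)smi_handler_validate(0x2000, sizeof bad, &bad, &out));
    return 0;
}
```

A handler that skips check 1 or 3, or re-reads the request from the comm buffer after validating it, ends up operating on memory the operating system controls or on SMRAM itself.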
Insyde's H2O UEFI firmware contains several (23) memory management vulnerabilities that were disclosed by Binarly. While these vulnerabilities were discovered in Fujitsu and Bull Atos implementations of Insyde H2O software, the same software is also present in many other vendor implementations due to the complex UEFI supply chain. The vulnerabilities can be classified by the following UEFI vulnerability categories.
| Vulnerability Category | Count |
|---|---|
| SMM Privilege Escalation | 10 |
| SMM Memory Corruption | 12 |
| DXE Memory Corruption | 1 |
Impact
The impact of these vulnerabilities varies widely due to the nature of SMM capabilities. As an example, a local attacker with administrative privileges (or a remote attacker with administrative privileges) can exploit these vulnerabilities to elevate privileges above the operating system and execute arbitrary code in SMM. These attacks can be invoked from the operating system through unverified or unsafe SMI Handlers, and in some cases these bugs can also be triggered in the UEFI early boot phases (as well as sleep and recovery, like ACPI) before the operating system is initialized.
In summary, a local attacker with administrative privileges (in some cases a remote attacker with administrative privileges) can use malicious software to perform any of the following:
- Invalidate many hardware security features (SecureBoot, Intel BootGuard)
- Install persistent software that cannot be easily erased
- Create backdoors and back communications channels to exfiltrate sensitive data
Solution
Install the latest stable version of firmware provided by your PC vendor or the nearest reseller of your computing environment. See the links below for resources and updates provided by specific vendors.
If your operating system supports automatic or managed updates for firmware, such as Linux Vendor Firmware Service (LVFS), apply the related software security updates. Binarly has also provided a set of UEFI software detection rules, called FwHunt rules, to assist with identifying vulnerable software. LVFS applies these FwHunt rules to detect firmware updates that are impacted by this advisory and to support fixing them.
Acknowledgements
The efiXplorer team of Binarly researched and reported these vulnerabilities to Insyde Software. Insyde Software worked closely with CERT/CC during the coordinated disclosure process for these vulnerabilities.
This document was written by Vijay Sarvepalli.
Vendor Information
References
- https://www.insyde.com/security-pledge
- https://github.com/binarly-io/Vulnerability-REsearch/tree/main/Insyde
- https://github.com/binarly-io/Research_Publications/blob/main/OSFC_2021/The%20firmware%20supply-chain%20security%20is%20broken!%20Can%20we%20fix%20it%3F.pdf
- https://www.microsoft.com/security/blog/2020/11/12/system-management-mode-deep-dive-how-smm-isolation-hardens-the-platform/
- https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
Other Information
CVE IDs: | CVE-2021-45969 CVE-2021-41838 CVE-2021-41840 CVE-2020-5953 CVE-2022-24069 CVE-2021-33626 CVE-2021-41841 CVE-2021-45970 CVE-2020-27339 CVE-2021-41837 CVE-2021-33627 CVE-2021-33625 CVE-2021-42554 CVE-2021-45971 CVE-2021-43522 CVE-2021-43323 CVE-2022-24031 CVE-2021-43615 CVE-2022-24030 CVE-2021-42113 CVE-2021-42060 CVE-2021-42059 CVE-2021-41839 |
Date Public: | 2022-02-01 |
Date First Published: | 2022-02-01 |
Date Last Updated: | 2022-02-04 23:02 UTC |
Document Revision: | 7 |