23 UEFI Flaws

The cybersecurity analysts have recently identified 23 critical UEFI vulnerabilities impacting millions of several well-renowned vendors, and here we have mentioned all the major ones below:-

  • HP
  • Lenovo
  • Fujitsu
  • Microsoft
  • Intel
  • Dell
  • Bull
  • Siemens

These flaws concern the products of more than 25 suppliers, and due to these critical vulnerabilities, millions of devices were affected and here are the types of devices that are impacted:-

  • Laptops
  • Servers
  • Routers
  • Network equipment
  • ICS
  • Several Peripherals

In this case, most of the vulnerabilities were found in the System Management Mode (SMM) code, and it is responsible for system-wide functions like power and hardware management.

Any security issues in this space can have extremely serious consequences since SMM privileges exceed even the privileges of the OS kernel. 

In short, as a result, a threat actor with administrator rights will be able to perform the following actions remotely:-

To steal confidential data, can create backdoors and hidden communication channels.

Install software that will be fixed in the system.

Disable hardware security features (SecureBoot, Intel BootGuard).

Flaws Detected

Here we have mentioned all the 23 critical security vulnerabilities below:-

  1. CVE-2020-5953
  2. CVE-2021-41839
  3. CVE-2021-41841
  4. CVE-2021-41840
  5. CVE-2020-27339
  6. CVE-2021-42060
  7. CVE-2021-42113
  8. CVE-2021-43522
  9. CVE-2022-24069
  10. CVE-2021-43615
  11. CVE-2021-41837
  12. CVE-2021-41838
  13. CVE-2021-33627
  14. CVE-2021-45971
  15. CVE-2021-33626
  16. CVE-2021-45970
  17. CVE-2021-45969
  18. CVE-2022-24030
  19. CVE-2021-42554
  20. CVE-2021-33625
  21. CVE-2022-24031
  22. CVE-2021-43323
  23. CVE-2021-42059

Among all these critical vulnerabilities, the most dangerous ones are the below ones which scored 9.8 out of 10 on the CVSS vulnerability rating scale:-

  • CVE-2021-45969
  • CVE-2021-45970
  • CVE-2021-45971

Vulnerability Category

All the critical vulnerabilities discovered by the experts come under the following category:-

  • SMM Privilege Escalation
  • SMM Memory Corruption
  • DXE Memory Corruption

Among these bugs, 10 bugs are related to privilege escalation in SMM, 12 bugs are related to memory corruption in SMM, and 1 flaw is related to the memory corruption in DXE.

Impact

Here’s what the cybersecurity analysts at Binarly stated:-

“The active exploitation of all the discovered vulnerabilities can’t be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement. The remote device health attestation solutions will not detect the affected systems due to the design limitations invisibility of the firmware runtime.”

Moreover, the American CERT clearinghouse has confirmed that there are three vendors who have products affected by InsydeH2O firmware flaws, and here they are:- 

  • Fujitsu
  • Insyde Software Corporation
  • Intel (CVE-2020-5953 only)

While the developers from the Insyde Software for InsydeH2O have already published the patches to resolve the vulnerabilities found.

However, the most key factor is that all these patches must be accepted by OEMs first before rolling them out for all the affected products, and this whole process will take a bit long time.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.