Binarly researchers uncovered severe flaws in InsydeH2O’s UEFI firmware. InsydeH2O is used by various computer manufacturers, including Intel, Fujitsu, AMD, Dell, Siemens, ASUS, HP, Microsoft, Lenovo, and Acer. UEFI (Unified Extensible Firmware Interface) is the software interface between a device’s firmware and the operating system; it handles booting, diagnostics, and repair operations.
Overall, Binarly discovered 23 issues in the InsydeH2O UEFI firmware, most of which were in the software’s System Management Mode (SMM), which handles system-wide operations, including power management and hardware control. Because SMM has more rights than the OS kernel, any security flaws in this area can have severe ramifications for the vulnerable system.
A local or remote attacker with administrator privileges could, for example, exploit SMM flaws to:
- Invalidate hardware-backed security features (Secure Boot, Intel Boot Guard)
- Create backdoors and back communications channels to steal sensitive data
- Install persistent software that cannot be easily erased
The 23 flaws are tracked as: CVE-2020-27339, CVE-2020-5953, CVE-2021-33625, CVE-2021-33626, CVE-2021-33627, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-41840, CVE-2021-41841, CVE-2021-42059, CVE-2021-42060, CVE-2021-42113, CVE-2021-42554, CVE-2021-43323, CVE-2021-43522, CVE-2021-43615, CVE-2021-45969, CVE-2021-45970, CVE-2021-45971, CVE-2022-24030, CVE-2022-24031, CVE-2022-24069.
CVE-2021-45969, CVE-2021-45970, and CVE-2021-45971, all in SMM, are classified as critical, with a score of 9.8 out of 10. Ten of the detected vulnerabilities could lead to privilege escalation, twelve are memory corruption errors in SMM, and one is a memory corruption flaw in InsydeH2O’s Driver eXecution Environment (DXE).
According to Binarly’s disclosure report, the underlying cause of the problem was discovered in the reference code linked with the InsydeH2O firmware framework code. “All of the aforementioned vendors (over 25) were using Insyde-based firmware SDK to develop their pieces of (UEFI) firmware,” the company notes.
At this time, the US CERT Coordination Center has identified three companies whose products are affected by the InsydeH2O firmware security flaws: Fujitsu, Insyde Software Corporation, and Intel (only CVE-2020-5953).