Intel, Lenovo and more hit by major BIOS security flaws

UEFI firmware from the software company Insyde carries 23 flaws, many of which are critical and would allow malicious actors to persist in a target device, install malware, steal sensitive data, all while accessing the endpoint remotely, experts have warned.

The flaws were discovered by firmware protection company Binarly, which claims more than two dozen hardware manufacturers are affected, including top-end OEMs such as  Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer.

UEFI (Unified Extensible Firmware Interface) is a software interface that serves as a bridge between the device’s firmware and the operating system. It handles the bootup, system diagnostics, as well as some system repair features.

 High severity flaws 

Of the 23 flaws that were discovered, the majority resides in the System Management Mode (SMM), whose privileges exceed those of the OS.

The 23 flaws are tracked as: CVE-2020-27339, CVE-2020-5953, CVE-2021-33625, CVE-2021-33626, CVE-2021-33627, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-41840, CVE-2021-41841, CVE-2021-42059, CVE-2021-42060, CVE-2021-42113, CVE-2021-42554, CVE-2021-43323, CVE-2021-43522, CVE-2021-43615, CVE-2021-45969, CVE-2021-45970, CVE-2021-45971, CVE-2022-24030, CVE-2022-24031, CVE-2022-24069.

Of those, three (CVE-2021-45969, CVE-2021-45970, and CVE-2021-45971) have gotten a 9.8 out of 10 severity rating.

“The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code,” Binarly’s explained.

“All of the aforementioned vendors (over 25) were using Insyde-based firmware SDK to develop their pieces of (UEFI) firmware.” 

While Insyde released firmware patches to help address the issue, these now need to be accepted by the OEMs and released onto affected products, and that might take a while. What makes the issue that much more complicated is the fact that some of the devices affected have exceeded their end-of-life date and are no longer supported. 

Others may cross that threshold before OEMs come up with a fix. 

BleepingComputer notes that only Insyde, Fujitsu, and Intel have confirmed being affected by the flaws. Rockwell, Supermicro, and Toshiba have confirmed not being impacted. The remaining OEMs are still investigating the matter.

•  You might also want to check out our list of the best firewalls right now 

Via: BleepingComputer