Researchers from Binarly, a firmware security company, discovered critical vulnerabilities in InsydeH2O, a framework used by many vendors, including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos, to implement the UEFI firmware of their devices.

UEFI (Unified Extensible Firmware Interface) is the interface between a device's firmware and the operating system; it manages the boot process, diagnostics and repair functions. In total the Binarly researchers found 23 flaws in InsydeH2O code, most of them in System Management Mode (SMM), which handles functions such as power management and hardware control.

SMM runs with higher privileges than the operating system kernel, so any security problem affecting SMM can have serious repercussions for the vulnerable device. More specifically, a local or remote attacker with administrative privileges who can exploit these flaws can do many things, including defeating hardware security features (Secure Boot, Intel Boot Guard, etc.), installing malware that cannot be removed by reinstalling the operating system, and creating backdoors through which to steal sensitive data.

The flaws are tracked under the following CVE identifiers: CVE-2020-27339, CVE-2020-5953, CVE-2021-33625, CVE-2021-33626, CVE-2021-33627, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-41840, CVE-2021-41841, CVE-2021-42059, CVE-2021-42060, CVE-2021-42113, CVE-2021-42554, CVE-2021-43323, CVE-2021-43522, CVE-2021-43615, CVE-2021-45969, CVE-2021-45970, CVE-2021-45971, CVE-2022-24030, CVE-2022-24031, CVE-2022-24069.

Three of these SMM-related flaws (CVE-2021-45969, CVE-2021-45970 and CVE-2021-45971) are rated critical, with a score of 9.8 out of 10. Ten of the vulnerabilities could be exploited to gain higher privileges, twelve cause memory corruption in SMM, and one causes memory corruption in the InsydeH2O Driver eXecution Environment (DXE).

"The root cause of the problem was found in the reference code associated with the InsydeH2O firmware framework code," explains the Binarly report. "All of the aforementioned vendors (over 25) used the Insyde-based SDK to develop their (UEFI) firmware parts," the researchers explain.

Insyde Software has released updates that fix all of the identified security issues, but to reach end users these updates must be integrated into firmware images by the OEMs, which will take some time and potentially leaves the affected products exposed to attack in the meantime.
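Because the fixes only reach a device once its OEM ships a new firmware image, the practical first step for a defender is an inventory: which machines report Insyde-based firmware, and at what version. The script below is an added example written for this article, not code from Binarly or Insyde; it reads the SMBIOS/DMI strings that Linux exposes under /sys/class/dmi/id and flags firmware whose BIOS vendor or version string names Insyde. The sample DMI records embedded in it are constructed for illustration. A caveat the check itself encodes: many OEMs report their own name as the BIOS vendor even when the firmware was built on the Insyde SDK, so a non-matching vendor string does not rule a device out, and the authoritative answer comes from the OEM's advisory for that model.

```python
import os
from dataclasses import dataclass
from typing import Dict

# Linux exposes SMBIOS type 0 (BIOS) and type 1 (system) strings here via dmi-sysfs.
DMI_DIR = "/sys/class/dmi/id"
DMI_FIELDS = ("bios_vendor", "bios_version", "bios_date", "sys_vendor", "product_name")


def read_dmi(dmi_dir: str = DMI_DIR) -> Dict[str, str]:
    """Read the DMI fields from sysfs; a missing or unreadable file yields an empty string."""
    fields = {}
    for name in DMI_FIELDS:
        try:
            with open(os.path.join(dmi_dir, name), encoding="utf-8", errors="replace") as fh:
                fields[name] = fh.read().strip()
        except OSError:
            fields[name] = ""
    return fields


@dataclass
class FirmwareAssessment:
    insyde_based: bool      # True if the DMI strings explicitly name Insyde
    bios_vendor: str
    bios_version: str
    note: str               # what to do next with this host


def assess(dmi: Dict[str, str]) -> FirmwareAssessment:
    """Classify a host's firmware from its DMI strings (vendor string is not conclusive)."""
    vendor = dmi.get("bios_vendor", "")
    version = dmi.get("bios_version", "")
    insyde = "insyde" in vendor.lower() or "insyde" in version.lower()
    if insyde:
        note = "Insyde-based firmware: check the OEM advisory for a fixed image for this model"
    elif vendor:
        # OEM-branded vendor strings are common on Insyde-built firmware; not a clean negative.
        note = f"BIOS vendor {vendor!r} does not name Insyde; confirm the SDK with the OEM"
    else:
        note = "DMI data unavailable; firmware vendor cannot be determined from this host"
    return FirmwareAssessment(insyde, vendor, version, note)


# Constructed sample records (hypothetical hosts, not real inventory data).
CONSTRUCTED_SAMPLES = {
    "host-a": {"bios_vendor": "Insyde Corp.", "bios_version": "1.07", "bios_date": "01/01/2021",
               "sys_vendor": "ExampleOEM", "product_name": "Laptop 14"},
    "host-b": {"bios_vendor": "ExampleOEM", "bios_version": "2.3.1", "bios_date": "01/01/2021",
               "sys_vendor": "ExampleOEM", "product_name": "Workstation 9"},
    "host-c": {"bios_vendor": "", "bios_version": "", "bios_date": "",
               "sys_vendor": "", "product_name": ""},
}


def assess_fleet(records: Dict[str, Dict[str, str]]) -> Dict[str, FirmwareAssessment]:
    """Run the check over a mapping of hostname -> DMI fields (e.g. collected by your agent)."""
    return {host: assess(dmi) for host, dmi in records.items()}


if __name__ == "__main__":
    # On a real host, replace CONSTRUCTED_SAMPLES with {"localhost": read_dmi()}.
    for host, result in assess_fleet(CONSTRUCTED_SAMPLES).items():
        flag = "INSYDE" if result.insyde_based else "  -   "
        print(f"{flag} {host:8s} vendor={result.bios_vendor!r} version={result.bios_version!r} :: {result.note}")
```

The output is a per-host line with the vendor, version and a next action, which is enough to build a tracking list against the OEM advisories as fixed firmware images are published.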