Binarly researchers have found 23 vulnerabilities in Insyde Software's InsydeH2O UEFI firmware, which is used by more than 25 vendors worldwide.
Several of the vulnerabilities carry a CVSS severity score of 9.8 out of 10 and could let an attacker plant backdoors, steal data, and more. Insyde has released fixes for the firmware, but it is up to the OEMs that ship products built on it to deliver those updates and protect end users.
Firmware Level Issue in Insyde
The Unified Extensible Firmware Interface (UEFI) is the specification for the interface between a platform's firmware and its operating system; the firmware that implements it runs the boot process and usually also provides repair and diagnostic features. InsydeH2O is Insyde Software's UEFI firmware implementation, licensed to tens of vendors, and it has been found to contain 23 vulnerabilities.
As discovered by the researchers at Binarly, most of the 23 InsydeH2O vulnerabilities sit in its System Management Mode (SMM) code. SMM is a special CPU operating mode that handles system-wide functions such as hardware control and power management, and it runs out of a protected memory region (SMRAM) that the OS cannot read or write.
Because SMM runs at a higher privilege level than the OS kernel (and the hypervisor), and its memory is invisible to both, a bug there can be exploited to undermine the entire platform: an attacker with kernel privileges who can corrupt SMM state gains control that no OS-level defence can see or remove. According to the Binarly team, the 23 vulnerabilities affect more than 25 vendors, including Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer.
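To make the SMM privilege point concrete, here is an added illustration (written for this page, not code from Binarly's disclosure or from Insyde's firmware, and not one of the 23 reported bugs) of the classic SMM input-validation bug class: an SMI handler that trusts a pointer and length supplied by the OS in its communication buffer. The memory regions, the buffer layout, and the handler names are hypothetical stand-ins; the range check in the hardened handler is modelled on the check EDK2-based firmware performs before touching caller-supplied memory. The simulation shows the vulnerable handler overwriting a byte inside SMRAM, and the hardened one refusing while still serving a legitimate request.

```c
/* Added example: simulated SMI handlers, vulnerable vs. hardened.
   Hypothetical memory regions and buffer format; not vendor code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define SMRAM_SIZE 256
static uint8_t smram[SMRAM_SIZE];   /* stands in for protected SMM memory   */
static uint8_t osmem[256];          /* stands in for ordinary OS-visible RAM */

/* Sentinel inside SMRAM: if a handler overwrites it, OS-controlled input
   has corrupted SMM state, which is what an attacker chains into a bypass. */
#define SENTINEL_OFF 128
#define SENTINEL_VAL 0xA5

/* Communication buffer the OS fills in before raising the SMI. The format is
   hypothetical; the pattern (pointer + length chosen by less-privileged code)
   is exactly what a real SMI handler has to validate. */
typedef struct {
    uint8_t *dest;     /* destination pointer, attacker-controlled */
    uint32_t length;   /* byte count, attacker-controlled          */
    uint8_t  data[32]; /* payload                                  */
} comm_buffer_t;

/* Accept only a non-empty, non-wrapping range lying wholly outside SMRAM. */
static bool buffer_outside_smram(const void *p, size_t len)
{
    uintptr_t b = (uintptr_t)p, s = (uintptr_t)smram;
    if (len == 0 || b + len < b)
        return false;
    return (b + len <= s) || (b >= s + SMRAM_SIZE);
}

/* VULNERABLE (hypothetical): uses dest and length straight from the OS. */
static int smi_handler_vulnerable(comm_buffer_t *cb)
{
    memcpy(cb->dest, cb->data, cb->length);
    return 0;
}

/* HARDENED: snapshot the parameters first (the OS could change them under
   us), then reject an oversized length or any destination touching SMRAM. */
static int smi_handler_hardened(comm_buffer_t *cb)
{
    uint8_t *dest = cb->dest;
    uint32_t length = cb->length;
    if (length > sizeof cb->data)
        return -1;                     /* would read past the payload */
    if (!buffer_outside_smram(dest, length))
        return -2;                     /* would write into SMRAM */
    memcpy(dest, cb->data, length);
    return 0;
}

typedef int (*smi_handler_t)(comm_buffer_t *);

/* Attacker scenario: aim dest at the SMRAM sentinel. Returns the sentinel's
   value afterwards: 0xA5 means SMRAM survived, anything else is corruption. */
static uint8_t attack_sentinel(smi_handler_t handler, int *rc)
{
    static comm_buffer_t cb;          /* would live in OS memory for real */
    smram[SENTINEL_OFF] = SENTINEL_VAL;
    memset(&cb, 0, sizeof cb);        /* data[] is all zero bytes */
    cb.dest = &smram[SENTINEL_OFF];
    cb.length = 4;
    *rc = handler(&cb);
    return smram[SENTINEL_OFF];
}

/* Benign scenario: a legitimate copy into OS memory must still work.
   Returns 0 when the four payload bytes landed at the destination. */
static int legit_copy(smi_handler_t handler, int *rc)
{
    static comm_buffer_t cb;
    memset(osmem, 0, sizeof osmem);
    memset(&cb, 0, sizeof cb);
    cb.dest = &osmem[16];
    cb.length = 4;
    memcpy(cb.data, "ABCD", 4);
    *rc = handler(&cb);
    return memcmp(&osmem[16], "ABCD", 4);
}

int main(void)
{
    int rc;
    uint8_t v = attack_sentinel(smi_handler_vulnerable, &rc);
    printf("vulnerable handler: sentinel=0x%02X rc=%d\n", v, rc);
    uint8_t h = attack_sentinel(smi_handler_hardened, &rc);
    printf("hardened handler:   sentinel=0x%02X rc=%d\n", h, rc);
    int ok = legit_copy(smi_handler_hardened, &rc);
    printf("hardened legit copy: %s (rc=%d)\n", ok == 0 ? "ok" : "failed", rc);
    return 0;
}
```

The snapshot-then-check order in the hardened handler matters as much as the range check itself: validating `cb->dest` and then re-reading it from the shared buffer at copy time would leave a window in which the OS swaps in an SMRAM address after the check has passed.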
The researchers listed all of the vulnerabilities in their blog post and noted that three of them, CVE-2021-45969, CVE-2021-45970, and CVE-2021-45971, carry a severity score of 9.8 out of 10 and are therefore rated critical.
The researchers said that a threat actor exploiting them could:
- Install persistent malware (a firmware implant) that survives OS reinstallation and cannot be easily erased,
- Invalidate many hardware security features (Secure Boot, Intel Boot Guard),
- Create backdoors and covert communication channels to steal sensitive data.
Because the flaws are critical, Insyde Software has released patches for all of the identified firmware vulnerabilities, and the responsibility now rests with the OEMs (vendors) to ship updated firmware for their affected products and secure end users. Binarly has also published a free tool that scans a system's firmware to check whether it is affected; until a vendor update is installed, that check is the practical way to know where a given machine stands.