Researchers have discovered 23 “high-impact vulnerabilities” affecting every vendor that adopted Independent BIOS Developers (IBV) code into their Unified Extensible Firmware Interface (UEFI) firmware.
Binarly explained the vulnerabilities in a blog post this week, confirming that “all these vulnerabilities are found in several of the major enterprise vendor ecosystems” including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos. CERT/CC confirmed that Fujitsu, Insyde and Intel were affected but left the others tagged as “unknown,” urging anyone affected to update to the latest stable version of firmware.
According to the blog, the majority of the vulnerabilities disclosed lead to code execution with SMM privileges and carry severity ratings between 7.5 and 8.2.
“The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code. All of the aforementioned vendors were using an Insyde-based firmware SDK to develop their pieces of firmware,” Binarly wrote.
“We had a short discussion with Fujitsu PSIRT and came to the conclusion that we should report all those issues to CERT/CC to lead an industry-wide disclosure. This is how VU#796611 was created and how Binarly’s collaboration with CERT/CC began in September 2021.”
Binarly commended Fujitsu, Intel and others for responding quickly and fixing the vulnerabilities.