Summary
The BINARLY efiXplorer team has discovered an arbitrary code execution vulnerability in a DXE driver.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2022-015
- Intel PSIRT assigned CVE identifier: CVE-2022-34345
- AMI PSIRT assigned CVE identifier: CVE-2022-2154
- CERT/CC assigned case number: VU#158026
- FwHunt rule: BRLY-2022-015
- CVSS v3.1: 7.2 High AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Intel firmware with impact confirmed by the Binarly team
Device/Firmware | File Name | SHA256 (File PE32 section) | File GUID |
---|---|---|---|
Intel NUC M15 BCTGL357 v0072 (Latest) | AMITSE | 288769fcb374d9280735e259c579e2dc209491f4da43b085d6aabc2d6e6ee57d | b1da0adf-4f77-4070-a88e-bffe1c60529a |
Intel NUC M15 BCTGL357 v0072 (Latest) | - | 6a2e79de518eb92408ed6c21421b4119da50c2ad31ff7adbb26155c7a335c26d | a2df5376-c2ed-49c0-90ff-8b173b0fd066 |
Potential impact
An attacker with physical access can exploit this vulnerability to execute arbitrary code during the DXE phase. Malicious code installed by exploiting the vulnerable DXE driver could persist across the operating system (OS) boot process and into OS runtime.
Vulnerability description
Consider the vulnerability using the AMITSE driver (file GUID: b1da0adf-4f77-4070-a88e-bffe1c60529a) as the example.
The pseudocode for the vulnerable function is shown below (function address: 0x16520).
```c
__int64 sub_16520()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  GetPackageListHandle = gEsaVarPtr01;   // cached function pointer held in a global
  Arg2 = 0;
  // Package list GUID passed to the callback
  Guid[0] = 0x70E1A818;
  Guid[1] = 0x44490BE1;
  Guid[2] = 0xF69ED4BF;
  Guid[3] = 0xA8027F8C;
  // VendorGuid = A2DF5376-C2ED-49C0-90FF-8B173B0FD066, the second file GUID in the table above
  VendorGuid.Data1 = 0xA2DF5376;
  *&VendorGuid.Data2 = 0x49C0C2ED;
  *VendorGuid.Data4 = 0x178BFF90;
  *&VendorGuid.Data4[4] = 0x66D00F3B;
  // If the cached pointer is NULL, 8 bytes of the NVRAM variable EsaVarPtr01 are read
  // straight into gEsaVarPtr01; the GetVariable status is discarded and the value is
  // used as a function pointer with no validation.
  if ( gEsaVarPtr01
    || (DataSize = 8,
        gRT->GetVariable(L"EsaVarPtr01", &VendorGuid, 0, &DataSize, &gEsaVarPtr01),
        (GetPackageListHandle = gEsaVarPtr01) != 0) )
  {
    // Indirect call through the pointer taken from the NVRAM variable
    Handle = GetPackageListHandle(Guid, &Arg2);
  }
  else
  {
    Handle = -1;
  }
  if ( Handle != -1 )
    return gEfiHiiDatabaseProtocol->RemovePackageList(gEfiHiiDatabaseProtocol, Handle);
  return Handle;
}
```
As we can see from the pseudocode, the address of the GetPackageListHandle function is loaded from the NVRAM variable EsaVarPtr01.
Thus, a potential attacker can create the NVRAM variable EsaVarPtr01 and place the address of the GetPackageListHandle function inside the data of that variable. In this way an attacker can execute arbitrary code during the DXE phase.
It should be noted that the value of the variable EsaVarPtr01 cannot be set at runtime, but it can be set by physically modifying the SPI flash memory.
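When triaging decompiler output like the above, the GUIDs appear as packed 32-bit stores rather than in canonical form. The following helper, an added example and not Binarly's own tooling, reconstructs the EFI_GUIDs from the pseudocode lines quoted in this advisory and shows that the VendorGuid used for the EsaVarPtr01 lookup is the second file GUID listed in the table above. The regular expression is written for the IDA-style assignment forms seen here (`Guid[0] = ...`, `*&VendorGuid.Data2 = ...`) and is an assumption for other decompilers.

```python
import re
import struct
import uuid

# Dword stores copied from the pseudocode of sub_16520 above (memory order).
PSEUDOCODE = """
    Guid[0] = 0x70E1A818;
    Guid[1] = 0x44490BE1;
    Guid[2] = 0xF69ED4BF;
    Guid[3] = 0xA8027F8C;
    VendorGuid.Data1 = 0xA2DF5376;
    *&VendorGuid.Data2 = 0x49C0C2ED;
    *VendorGuid.Data4 = 0x178BFF90;
    *&VendorGuid.Data4[4] = 0x66D00F3B;
"""

# Matches IDA-style stores such as `Guid[1] = 0x...;` and `*&VendorGuid.Data4[4] = 0x...;`
# (assumed form; adjust for other decompilers).
STORE_RE = re.compile(
    r"\s*\*?&?(\w+)(?:\[(\d+)\]|\.(\w+)(?:\[(\d+)\])?)\s*=\s*(0x[0-9A-Fa-f]+);"
)


def dwords_to_guid(dwords):
    """Four little-endian 32-bit stores, in memory order, to a canonical EFI_GUID string.

    EFI_GUID is Data1 (u32 LE), Data2 (u16 LE), Data3 (u16 LE), Data4[8] (raw bytes),
    which is exactly the layout uuid.UUID(bytes_le=...) decodes.
    """
    if len(dwords) != 4:
        raise ValueError("EFI_GUID is 16 bytes, i.e. four 32-bit dwords")
    return str(uuid.UUID(bytes_le=struct.pack("<4I", *dwords)))


def extract_guids(text):
    """Group the hex dword stores by variable name and decode each group as a GUID."""
    stores = {}
    for line in text.splitlines():
        m = STORE_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(5), 16)
            stores.setdefault(name, []).append(value)
    return {name: dwords_to_guid(v) for name, v in stores.items()}


if __name__ == "__main__":
    for name, guid in extract_guids(PSEUDOCODE).items():
        print(f"{name}: {guid}")
```

The VendorGuid output matches the file GUID a2df5376-c2ed-49c0-90ff-8b173b0fd066 from the affected-firmware table, which is how the variable namespace in the call can be tied back to that module.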
Disclosure timeline
This bug is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
Disclosure Activity | Date |
---|---|
Intel PSIRT is notified | 2022-05-04 |
Intel PSIRT confirmed reported issue | 2022-07-28 |
Intel PSIRT assigned CVE number | 2022-07-28 |
BINARLY public disclosure date | 2022-08-10 |
Acknowledgements
BINARLY efiXplorer team