The arbitrary code execution in DXE driver.
BINARLY efiXplorer team has discovered the ability of arbitrary code execution in DXE driver.
Image preview
Potential Impact
An attacker with physical access can exploit this vulnerability to execute arbitrary code during DXE phase. A malicious code installed as a result of vulnerability exploitation in DXE driver could survive across an operating system (OS) boot process and runtime.
Image preview
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2022-015
- Intel PSIRT assigned CVE identifier: CVE-2022-34345
- AMI PSIRT assigned CVE identifier: CVE-2022-2154
- CERT/CC assigned case number: VU#158026
- FwHunt rule: BRLY-2022-015
- CVSS v3.1: 7.2 High AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Image preview
Affected Intel firmware images
| Device/Firmware | File Name | SHA256 (File PE32 section) | File GUID |
|---|---|---|---|
Intel NUC M15 BCTGL357 v0072 (Latest) | AMITSE | 288769fcb374d9280735e259c579e2dc209491f4da43b085d6aabc2d6e6ee57d | b1da0adf-4f77-4070-a88e-bffe1c60529a |
Intel NUC M15 BCTGL357 v0072 (Latest) | - | 6a2e79de518eb92408ed6c21421b4119da50c2ad31ff7adbb26155c7a335c26d | a2df5376-c2ed-49c0-90ff-8b173b0fd066 |
Image preview
Vulnerability description
Consider the vulnerability on the example of the AMITSE driver (file GUID: b1da0adf-4f77-4070-a88e-bffe1c60529a).
The pseudocode for vulnerable function is shown below (function address: 0x16520).
__int64 sub_16520()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
GetPackageListHandle = gEsaVarPtr01;
Arg2 = 0;
Guid[0] = 0x70E1A818;
Guid[1] = 0x44490BE1;
Guid[2] = 0xF69ED4BF;
Guid[3] = 0xA8027F8C;
VendorGuid.Data1 = 0xA2DF5376;
*&VendorGuid.Data2 = 0x49C0C2ED;
*VendorGuid.Data4 = 0x178BFF90;
*&VendorGuid.Data4[4] = 0x66D00F3B;
if ( gEsaVarPtr01
|| (DataSize = 8,
gRT->GetVariable(L"EsaVarPtr01", &VendorGuid, 0, &DataSize, &gEsaVarPtr01),
(GetPackageListHandle = gEsaVarPtr01) != 0) )
{
Handle = GetPackageListHandle(Guid, &Arg2);
}
else
{
Handle = -1;
}
if ( Handle != -1 )
return gEfiHiiDatabaseProtocol->RemovePackageList(gEfiHiiDatabaseProtocol, Handle);
return Handle;
}
As we can see from the pseudocode, the address of GetPackageListHandle function located in the NVRAM variable EsaVarPtr01.
Thus, a potential attacker can create the NVRAM variable EsaVarPtr01 and specify the address of the GetPackageListHandle function inside the data of the variable EsaVarPtr01. Thus, an attacker can execute arbitrary code during DXE phase.
It should be noted that the value of the variable EsaVarPtr01 cannot be set at runtime, but it can be set by physically modifying the SPI flash memory.
Image preview
Disclosure timeline
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
| Disclosure Activity | Date |
|---|---|
Intel PSIRT is notified | 2022-05-04 |
Intel PSIRT confirmed reported issue | 2022-07-28 |
Intel PSIRT assigned CVE number | 2022-07-28 |
BINARLY public disclosure date | 2022-08-10 |
Image preview
Acknowledgements
Image preview
See if you are impacted now with our Firmware Vulnerability Scanner
Find Vulnerabilities, Generate SBOMs & CBOMs