BRLY-DVA-2023-025

SMM memory corruption vulnerability in combined DXE/SMM driver on Fujitsu device (SMRAM write).

Public Disclosure Date: Jun 17, 2024

CVE ID

CVE-2024-25078

Vendors Affected

Insyde

Products Affected

STYLISTIC Q739+30 more

Summary

BINARLY efiXplorer team has discovered a SMM memory corruption vulnerability in a Fujitsu device allowing a possible attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

Potential Impact

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS. Such a malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).

Vulnerability Information

BINARLY internal vulnerability identifier: BRLY-DVA-2023-025
Insyde PSIRT assigned CVE identifier: CVE-2024-25078
CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

01Affected Insyde-based Fujitsu firmware images

02Vulnerability description

03Disclosure timeline

04Acknowledgements

Affected Insyde-based Fujitsu firmware images

Device name	Unpacked firmware SHA256	Firmware version	IBV	Module name	Module GUID	Module SHA256	Module kind
STYLISTIC Q739	fc7721316290cc58a177d8fd530215652609528d5afc3eed9a29282a5e5509d6	2.18	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3	CombinedSmmDxe
LIFEBOOK A3510	9c9c6b24f4cafc078e00a46b4ee4ecb4f4eba5d8d04b8b77e41da6862ea9cbc0	1.13	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	79deccfc57b4615ddbb7f6e6f4deb044a5419eeab731e84b66544be6ac5f6bd4	CombinedSmmDxe
STYLISTIC Q738	4f91b0aefd3cfd44d839c2a4bec6cb96e642d220df43542fe93bd79888ba3deb	1.18	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK P728	0a1f9bb3f9fc27dfbce3ddd80538488113bc335ba549dadea33c3f99fd0c2e23	1.22	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK U758	51c8f4b3ffb9c3b77c9bbb4eb6d0f873ef23d6bf51a1aa29e47e56cb45ebc1ff	1.27	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	b6ca91f46a20784bdfb801db3399ee2c8ec545f724f19aa2828608c19501dd69	CombinedSmmDxe
LIFEBOOK U747 6th Gen	df6a8316a6ed5faa82b29e9adc536c8690c25bfa0d919b1cccd21f7acd5e145a	1.21	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK U937	120c3697d39e682909ea5158936034db331070054478677e97ac47a35a8042a1	1.26	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK T938	5cebe3bbe58f12cd8463ab158779fd234866577b3caa0986ba08d30db44fbb20	1.21	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK P727	742561424f3c97f23758a71e66547e6b75197fc651fd42d0cac16b4916cd2946	1.26	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK T937	f6d59010a9d79bfbe25dede2eb5b8dd4303f9ff8dd1ec74c5384a4b488bf66b3	1.27	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK U747	bd1e9d7f4fbcd6ce428a7626cfc156367dc4853606eab4a671bb56ff769eea34	1.31	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	b6ca91f46a20784bdfb801db3399ee2c8ec545f724f19aa2828608c19501dd69	CombinedSmmDxe
LIFEBOOK S937	3a15b1495893966ac363c59b40d1e292f1d7baca7aedcd62dd4a520a3951e44a	1.21	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK U939 (BLACK, RED)	a4a0d485c8bf3ab7f841543a4b4eb8d1a0fab3acd18a9364ac682cb3b354ee8a	2.20	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3	CombinedSmmDxe
CELSIUS H7510	105afe7aa90d14ecf48c61d1b60ca2657bac0d15d5cafc64aee3051db8c869db	1.13	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	79deccfc57b4615ddbb7f6e6f4deb044a5419eeab731e84b66544be6ac5f6bd4	CombinedSmmDxe
CELSIUS H770	af200fcf1fa19a065c86c2ee1808d67a1de3dba3e566f388925f441ad1c25a0b	1.26	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK E547	ec6a61357892d9ad6cecf6565947fe36215b87ee0907aa396fc57ca4c3967e37	1.22	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
STYLISTIC V727	b6cd4a6459cb5c5598e83b4000d25decef379657e067520d0db545af0bbd6dfe	1.26	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK U939X (BLACK, RED)	f32195a473344f1f61ca942966bb90bab48204d9c159fdd26e0463bbcb2b6b4f	2.23	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3	CombinedSmmDxe
LIFEBOOK E458	3fdade3dad6e8b360b167bfab6809668e978201bdecf669981f0b2cf94b75153	1.24	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK T939	2031ebddf840f721a6054142a1b26d39fb66f6ea1f07c7848eaab17e46c2b4a1	2.17	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3	CombinedSmmDxe
LIFEBOOK U749	034e8072b13718fdd5975b90ff8af0ed83a3ed75cb57d5f0e551d8594225d7c6	2.27	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3	CombinedSmmDxe
LIFEBOOK E559	d1bcd6291c4de1033fd46330d73c5dfe8a9a988a36d548ff00aed75ab075d6c4	2.22	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3	CombinedSmmDxe
LIFEBOOK E449	7794a7d2beb3573a4267c3bfd6180f395042d1eecd3e56cfb0f59ffa3201fa65	1.12	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK U728	70be8159c33280abd6a47b3e4c54e73853d35bf1f30396fad3569f0b32a72885	1.28	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK E557 vPro	5a0f060b8fe3eb88b05707e486dc4b01d5365df4a37a59ccff61bdf2727b44f7	1.26	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK A3511	4eb7a6577974e0a7527bb762906602387b2f2e10d530cb3e9a664a624ac22b8a	1.11	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	6de60437bd9dba4327515e5362aa9957adf0d578ef30050ea1ec261d526419c6	CombinedSmmDxe
LIFEBOOK S938	80add3e6396559f8819af060c6e29826c877e386948a09d4412202c9607bcb65	1.22	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK U727	a1f89866b257767599ee7ac9e5983e1661689d25f2b8da0646553bd3f5c5c14b	1.32	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK U938	edc048167fa29fc64738219dbcdb243264e95f1c42f391a0454ad2c66f0a9ee5	1.29	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe
LIFEBOOK E548	55689016cfe7ea6221d1849648db43c6ceb4962bb4f6853e72d76b50915e7d14	1.25	Insyde	StorageSecurityCommandDxe	70d57d67-7f05-494d-a014-b75d7345b700	901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3	CombinedSmmDxe

Vulnerability description

Let's consider the vulnerability on the example of a module with SHA256 c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3. The pseudocode of the vulnerable ChildSwSmiHandler function (with the HandlerType: EFI_ATA_PASS_THRU_PROTOCOL_GUID) is presented below:

EFI_STATUS __fastcall ChildSwSmiHandler(
        EFI_HANDLE DispatchHandle,
        const void *Context,
        _QWORD *CommBuffer,
        UINTN *CommBufferSize)
{
  __int64 v4; // r13
  __int64 NestedPtr; // rsi
  __int64 Status; // rbx
  __int64 Ptr; // rdi
  bool Res; // al
  UINTN v10; // rdi
  unsigned __int8 v11; // r12
  __int64 v12; // rax
  EFI_STORAGE_SECURITY_SEND_DATA *p_SendData; // r14
  __int64 i; // rax
  __int64 v15; // rbx
  EFI_STORAGE_SECURITY_COMMAND_PROTOCOL *EfiStorageSecurityCommandProtocol; // [rsp+30h] [rbp-10h] BYREF
  void *Buffer; // [rsp+90h] [rbp+50h] BYREF
  UINTN BufferSize; // [rsp+98h] [rbp+58h] BYREF

  BufferSize = 0;
  v4 = 0;
  Buffer = 0;
  if ( gUnknownProtocol == CommBuffer && *CommBufferSize == 31 && CommBuffer )
  {
    NestedPtr = CommBuffer[2];
    gGlobalPtr1 = *(NestedPtr - 16);
    gGlobalPtr2 = *(NestedPtr - 8);
    if ( *CommBuffer == 1 )
    {
      Status = Command1(*(NestedPtr + 16), 1, NestedPtr);
      goto _Exit;
    }
    if ( *CommBuffer != 2 )
    {
      if ( *CommBuffer == 3 )
      {
        Ptr = Deref1(NestedPtr);
        Res = Compare(NestedPtr, Ptr);
        Status = Buffer;
        while ( !Res )
        {
          if ( *(Ptr + 16) )
          {
            Status = gSmst_0->SmmUninstallProtocolInterface(
                       *(Ptr - 136),
                       &EFI_STORAGE_SECURITY_COMMAND_PROTOCOL_GUID,
                       (Ptr - 88));
            if ( Status >= 0 )
            {
              Status = gSmst_0->SmmUninstallProtocolInterface(*(Ptr - 136), &EFI_DEVICE_PATH_PROTOCOL_GUID, *(Ptr - 56));
              if ( Status >= 0 )
                *(Ptr + 16) = 0; // unchecked write (SMRAM corruption)
            }
          }
          Ptr = Deref2(NestedPtr, Ptr);
          Res = Compare(NestedPtr, Ptr);
        }
      }
      else
      {
        Status = EFI_UNSUPPORTED;
      }
      goto _Exit;
    }
    ...
_Exit:
    CommBuffer[1] = Status;
  }
  return EFI_SUCCESS;
}

The pseudocode for the Deref1 function is shown below:

__int64 __fastcall Deref1(__int64 Address)
{
  return *Address;
}

As we can see from the pseudocode above, command 3 branch (if ( *CommBuffer == 3 )) contains an unchecked write operation to a nested pointer derived from the CommBuffer structure, which is specified by a user. So that the user can write fixed value 0x00 to a controllable address in SMRAM, which could lead to arbitrary code execution and privileges escalation to SMM.

In order to fix this vulnerability, it is necessary to check all nested pointers for overlapping with SMRAM before attempting to write to buffer pointed by it.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity	Date (YYYY-mm-dd)
Fujitsu PSIRT is notified	2023-12-22
Fujitsu PSIRT informed Insyde	2024-01-22
Insyde PSIRT is confirmed issue	2024-01-24
Insyde PSIRT provide patch release	2024-05-13
BINARLY public disclosure date	2024-06-17

Acknowledgements

BINARLY efiXplorer team

See if you are impacted now with our Firmware Vulnerability Scanner

Find Vulnerabilities, Generate SBOMs & CBOMs

Scan Now

Potential Impact

Device name

Unpacked firmware SHA256

Firmware version

IBV

Module name

Module GUID

Module SHA256

Module kind

STYLISTIC Q739

fc7721316290cc58a177d8fd530215652609528d5afc3eed9a29282a5e5509d6

2.18

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3

CombinedSmmDxe

LIFEBOOK A3510

9c9c6b24f4cafc078e00a46b4ee4ecb4f4eba5d8d04b8b77e41da6862ea9cbc0

1.13

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

79deccfc57b4615ddbb7f6e6f4deb044a5419eeab731e84b66544be6ac5f6bd4

CombinedSmmDxe

STYLISTIC Q738

4f91b0aefd3cfd44d839c2a4bec6cb96e642d220df43542fe93bd79888ba3deb

1.18

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK P728

0a1f9bb3f9fc27dfbce3ddd80538488113bc335ba549dadea33c3f99fd0c2e23

1.22

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK U758

51c8f4b3ffb9c3b77c9bbb4eb6d0f873ef23d6bf51a1aa29e47e56cb45ebc1ff

1.27

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

b6ca91f46a20784bdfb801db3399ee2c8ec545f724f19aa2828608c19501dd69

CombinedSmmDxe

LIFEBOOK U747 6th Gen

df6a8316a6ed5faa82b29e9adc536c8690c25bfa0d919b1cccd21f7acd5e145a

1.21

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK U937

120c3697d39e682909ea5158936034db331070054478677e97ac47a35a8042a1

1.26

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK T938

5cebe3bbe58f12cd8463ab158779fd234866577b3caa0986ba08d30db44fbb20

1.21

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK P727

742561424f3c97f23758a71e66547e6b75197fc651fd42d0cac16b4916cd2946

1.26

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK T937

f6d59010a9d79bfbe25dede2eb5b8dd4303f9ff8dd1ec74c5384a4b488bf66b3

1.27

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK U747

bd1e9d7f4fbcd6ce428a7626cfc156367dc4853606eab4a671bb56ff769eea34

1.31

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

b6ca91f46a20784bdfb801db3399ee2c8ec545f724f19aa2828608c19501dd69

CombinedSmmDxe

LIFEBOOK S937

3a15b1495893966ac363c59b40d1e292f1d7baca7aedcd62dd4a520a3951e44a

1.21

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK U939 (BLACK, RED)

a4a0d485c8bf3ab7f841543a4b4eb8d1a0fab3acd18a9364ac682cb3b354ee8a

2.20

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3

CombinedSmmDxe

CELSIUS H7510

105afe7aa90d14ecf48c61d1b60ca2657bac0d15d5cafc64aee3051db8c869db

1.13

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

79deccfc57b4615ddbb7f6e6f4deb044a5419eeab731e84b66544be6ac5f6bd4

CombinedSmmDxe

CELSIUS H770

af200fcf1fa19a065c86c2ee1808d67a1de3dba3e566f388925f441ad1c25a0b

1.26

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK E547

ec6a61357892d9ad6cecf6565947fe36215b87ee0907aa396fc57ca4c3967e37

1.22

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

STYLISTIC V727

b6cd4a6459cb5c5598e83b4000d25decef379657e067520d0db545af0bbd6dfe

1.26

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK U939X (BLACK, RED)

f32195a473344f1f61ca942966bb90bab48204d9c159fdd26e0463bbcb2b6b4f

2.23

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3

CombinedSmmDxe

LIFEBOOK E458

3fdade3dad6e8b360b167bfab6809668e978201bdecf669981f0b2cf94b75153

1.24

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK T939

2031ebddf840f721a6054142a1b26d39fb66f6ea1f07c7848eaab17e46c2b4a1

2.17

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3

CombinedSmmDxe

LIFEBOOK U749

034e8072b13718fdd5975b90ff8af0ed83a3ed75cb57d5f0e551d8594225d7c6

2.27

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3

CombinedSmmDxe

LIFEBOOK E559

d1bcd6291c4de1033fd46330d73c5dfe8a9a988a36d548ff00aed75ab075d6c4

2.22

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3

CombinedSmmDxe

LIFEBOOK E449

7794a7d2beb3573a4267c3bfd6180f395042d1eecd3e56cfb0f59ffa3201fa65

1.12

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK U728

70be8159c33280abd6a47b3e4c54e73853d35bf1f30396fad3569f0b32a72885

1.28

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK E557 vPro

5a0f060b8fe3eb88b05707e486dc4b01d5365df4a37a59ccff61bdf2727b44f7

1.26

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK A3511

4eb7a6577974e0a7527bb762906602387b2f2e10d530cb3e9a664a624ac22b8a

1.11

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

6de60437bd9dba4327515e5362aa9957adf0d578ef30050ea1ec261d526419c6

CombinedSmmDxe

LIFEBOOK S938

80add3e6396559f8819af060c6e29826c877e386948a09d4412202c9607bcb65

1.22

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK U727

a1f89866b257767599ee7ac9e5983e1661689d25f2b8da0646553bd3f5c5c14b

1.32

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK U938

edc048167fa29fc64738219dbcdb243264e95f1c42f391a0454ad2c66f0a9ee5

1.29

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

LIFEBOOK E548

55689016cfe7ea6221d1849648db43c6ceb4962bb4f6853e72d76b50915e7d14

1.25

Insyde

StorageSecurityCommandDxe

70d57d67-7f05-494d-a014-b75d7345b700

901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3

CombinedSmmDxe

EFI_STATUS __fastcall ChildSwSmiHandler( EFI_HANDLE DispatchHandle, const void *Context, _QWORD *CommBuffer, UINTN *CommBufferSize) { __int64 v4; // r13 __int64 NestedPtr; // rsi __int64 Status; // rbx __int64 Ptr; // rdi bool Res; // al UINTN v10; // rdi unsigned __int8 v11; // r12 __int64 v12; // rax EFI_STORAGE_SECURITY_SEND_DATA *p_SendData; // r14 __int64 i; // rax __int64 v15; // rbx EFI_STORAGE_SECURITY_COMMAND_PROTOCOL *EfiStorageSecurityCommandProtocol; // [rsp+30h] [rbp-10h] BYREF void *Buffer; // [rsp+90h] [rbp+50h] BYREF UINTN BufferSize; // [rsp+98h] [rbp+58h] BYREF BufferSize = 0; v4 = 0; Buffer = 0; if ( gUnknownProtocol == CommBuffer && *CommBufferSize == 31 && CommBuffer ) { NestedPtr = CommBuffer[2]; gGlobalPtr1 = *(NestedPtr - 16); gGlobalPtr2 = *(NestedPtr - 8); if ( *CommBuffer == 1 ) { Status = Command1(*(NestedPtr + 16), 1, NestedPtr); goto _Exit; } if ( *CommBuffer != 2 ) { if ( *CommBuffer == 3 ) { Ptr = Deref1(NestedPtr); Res = Compare(NestedPtr, Ptr); Status = Buffer; while ( !Res ) { if ( *(Ptr + 16) ) { Status = gSmst_0->SmmUninstallProtocolInterface( *(Ptr - 136), &EFI_STORAGE_SECURITY_COMMAND_PROTOCOL_GUID, (Ptr - 88)); if ( Status >= 0 ) { Status = gSmst_0->SmmUninstallProtocolInterface(*(Ptr - 136), &EFI_DEVICE_PATH_PROTOCOL_GUID, *(Ptr - 56)); if ( Status >= 0 ) *(Ptr + 16) = 0; // unchecked write (SMRAM corruption) } } Ptr = Deref2(NestedPtr, Ptr); Res = Compare(NestedPtr, Ptr); } } else { Status = EFI_UNSUPPORTED; } goto _Exit; } ... _Exit: CommBuffer[1] = Status; } return EFI_SUCCESS; }

Disclosure Activity

Date (YYYY-mm-dd)

Fujitsu PSIRT is notified

2023-12-22

Fujitsu PSIRT informed Insyde

2024-01-22

Insyde PSIRT is confirmed issue

2024-01-24

Insyde PSIRT provide patch release

2024-05-13

BINARLY public disclosure date

2024-06-17

Potential Impact

Image preview

Vulnerability Information

Image preview

Affected Insyde-based Fujitsu firmware images

Image preview

Vulnerability description

Image preview

Disclosure timeline

Image preview

Acknowledgements

Image preview

See if you are impacted now with our Firmware Vulnerability Scanner

Potential Impact

Image preview

Vulnerability Information

Image preview

Affected Insyde-based Fujitsu firmware images

Image preview

Vulnerability description

Image preview

Disclosure timeline

Image preview

Acknowledgements

Image preview

See if you are impacted now with our Firmware Vulnerability Scanner