BRLY-DVA-2024-023

SMM memory corruption vulnerability in SMM module on Dell device (SMRAM write).

Public Disclosure Date: Apr 4, 2025

CVE ID

CVE-2024-32858

Vendors Affected

Dell

Products Affected

Alienware 13 R2+2 more

Summary

BINARLY REsearch team has discovered a SMM memory corruption vulnerability in a Dell device allowing a possible attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

Potential Impact

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS. Such a malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).

Vulnerability Information

BINARLY internal vulnerability identifier: BRLY-DVA-2024-023
Dell PSIRT assigned CVE identifier: CVE-2024-32858/CVE-2024-32859
DSA identifier: DSA-2024-124
CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

01Affected Dell firmware

02Vulnerability description

03Disclosure timeline

04Acknowledgements

Affected Dell firmware

Device name	Unpacked firmware SHA256	Firmware version	IBV	Module name	Module GUID	Module SHA256	Module kind
Alienware 13 R2	e6819bd24e063807336994f36e1b7cafbbec46c2679a365dde1b54b720a049e4	1.13.1	AMI	OememSmiBin	0a602c5b-05a0-40c4-9181-edcd891d0002	958a22e203308d5994047adf1e43638a59f337b4cdf34b007326a2b0f5f1569e	SmmModule
Alienware 15 R2 and 17 R3	003130dabf11c8b5df286d9584b3174faa9529cd6149513d13c7ce85d63d97b0	1.13.1	AMI	OememSmiBin	0a602c5b-05a0-40c4-9181-edcd891d0002	c20688cba3c5e6b56cd374285e6c0a1dd07cc614e48b005ec6582a3c28cafa7f	SmmModule
Inspiron 15 7557	4f29eb1cc76a1413fcbce0c4a97a4fc1e234d1eab62789271be95b411cf77f01	1.2.3	AMI	OememSmiBin	0a602c5b-05a0-40c4-9181-edcd891d0002	7e91e198cd8f016bc54703ba62edb0f50974a1f34ab01824f72908c3890c03f1	SmmModule

For supported affected platforms, Dell has addressed this vulnerability in DSA-2024-124. All other affected platforms have been determined to be End of Support Life.

Vulnerability description

Let's consider the vulnerability on the example of a module with SHA256 c20688cba3c5e6b56cd374285e6c0a1dd07cc614e48b005ec6582a3c28cafa7f. The pseudocode of the vulnerable function is presented below:

__int64 __fastcall SwSmiHandler(
        EFI_HANDLE DispatchHandle,
        const void *Context,
        UINTN *CommBuffer,
        UINTN *CommBufferSize)
{
  UINTN Index; // r9
  __int64 v5; // rbx
  _DWORD *ControllablePtr; // rdi
  _DWORD *Ptr; // r11
  __int16 v8; // ax
  __int64 v9; // rcx
  EFI_GUID VendorGuid; // [rsp+30h] [rbp-228h] BYREF
  UINTN DataSize; // [rsp+40h] [rbp-218h] BYREF
  unsigned int RbxValue; // [rsp+22Ch] [rbp-2Ch] BYREF
  _DWORD *DellGnvsPtr; // [rsp+270h] [rbp+18h] BYREF

  Index = *CommBuffer;
  v5 = 0;
  VendorGuid.Data2 = 0x5A0;
  VendorGuid.Data3 = 0x40C4;
  VendorGuid.Data1 = 0xA602C5B;
  VendorGuid.Data4[0] = 0x91;
  VendorGuid.Data4[1] = 0x81;
  VendorGuid.Data4[2] = 0xED;
  VendorGuid.Data4[3] = 0xCD;
  VendorGuid.Data4[4] = 0x89;
  VendorGuid.Data4[5] = 0x1D;
  VendorGuid.Data4[6] = 0;
  VendorGuid.Data4[7] = 3;
  gEfiSmmCpuProtocol->ReadSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RBX, Index, &RbxValue);
  ControllablePtr = RbxValue;
  DataSize = 4;
  gRT_0->GetVariable(L"DELL_GNVS_PTR", &VendorGuid, 0, &DataSize, &DellGnvsPtr);
  Ptr = DellGnvsPtr;
  if ( *DellGnvsPtr == 'TESQ' )
  {
    ControllablePtr = DellGnvsPtr + 2;
    *DellGnvsPtr = 0;                           // unchecked write (SMRAM corruption)
    Ptr = DellGnvsPtr;
  }
  if ( *Ptr == 'DESQ' )
  {
    ControllablePtr = Ptr + 2;
    *Ptr = 0;                                   // unchecked write (SMRAM corruption)
  }
  v8 = *gFuncTable;
  if ( *gFuncTable != 255 )
  {
    v9 = 0;
    while ( v8 != *ControllablePtr || *&gFuncTable[v9 + 2] != *(ControllablePtr + 1) )
    {
      ++v5;
      v9 = 12 * v5;
      v8 = *&gFuncTable[12 * v5];
      if ( v8 == 255 )
        return 0;
    }
    // multiple unchecked writes (SMRAM corruption) in functions from gFuncTable
    (*&gFuncTable[12 * v5 + 4])(ControllablePtr);
  }
  return 0;
}

The GetVariable call initializes DellGnvsPtr with the value stored in the DELL_GNVS_PTR NVRAM variable. Since the DELL_GNVS_PTR NVRAM variable is controlled by an attacker, they can perform an arbitrary write operation here:

*DellGnvsPtr = 0;                           // unchecked write (SMRAM corruption)
...
*Ptr = 0;                                   // unchecked write (SMRAM corruption)

It must be noted that these write can be reached only if DellGnvsPtr points to the signatures DESQ or TESQ, thus limiting the memory locations that can be corrupted by an attacker. However, an attacker can overwrite these signatures during the first run of the SMI handler (by pointing to the code with signatures), then obtain a more powerful write primitive in one of the functions from the gFuncTable. For example in the first function from the gFuncTable:

char __fastcall sub_6A9C(__int64 Ptr)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND]

  v2 = *(Ptr + 4);
  v3 = *(Ptr + 2) == 1;
  DataSize = 3072;
  v4 = 14;
  if ( v3 )
    v4 = 0;
  if ( *(Ptr + 2) == 2 )
    v4 = 0;
  if ( v2 < v4 )
  {
    // ...
    // SMRAM write
    *(Ptr + 24) = v10 >> v8;
    *(Ptr + 28) = *(&off_D50 + v6 + 24);
    LODWORD(v5) = *(&off_D50 + v6 + 28);
    *(Ptr + 20) = 0;
    *(Ptr + 32) = v5;
  }
  else
  {
    LOBYTE(v5) = sub_5DC8(Ptr);
    if ( !v5 )
LABEL_7:
      *(Ptr + 20) = -1; // SMRAM write
  }
  return v5;
}

In order to fix this vulnerability, all user-controllable offsets and pointers should be checked with SmmIsBufferOutsideSmmValid() or analogues before any write attempt.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity	Date
Dell PSIRT is notified	2024-06-18
Dell PSIRT is confirmed issue	2024-08-21
BINARLY public disclosure date	2025-04-04

Acknowledgements

BINARLY REsearch team

See if you are impacted now with our Firmware Vulnerability Scanner

Find Vulnerabilities, Generate SBOMs & CBOMs

Scan Now

Potential Impact

Device name

Unpacked firmware SHA256

Firmware version

IBV

Module name

Module GUID

Module SHA256

Module kind

Alienware 13 R2

e6819bd24e063807336994f36e1b7cafbbec46c2679a365dde1b54b720a049e4

1.13.1

AMI

OememSmiBin

0a602c5b-05a0-40c4-9181-edcd891d0002

958a22e203308d5994047adf1e43638a59f337b4cdf34b007326a2b0f5f1569e

SmmModule

Alienware 15 R2 and 17 R3

003130dabf11c8b5df286d9584b3174faa9529cd6149513d13c7ce85d63d97b0

1.13.1

AMI

OememSmiBin

0a602c5b-05a0-40c4-9181-edcd891d0002

c20688cba3c5e6b56cd374285e6c0a1dd07cc614e48b005ec6582a3c28cafa7f

SmmModule

Inspiron 15 7557

4f29eb1cc76a1413fcbce0c4a97a4fc1e234d1eab62789271be95b411cf77f01

1.2.3

AMI

OememSmiBin

0a602c5b-05a0-40c4-9181-edcd891d0002

7e91e198cd8f016bc54703ba62edb0f50974a1f34ab01824f72908c3890c03f1

SmmModule

__int64 __fastcall SwSmiHandler( EFI_HANDLE DispatchHandle, const void *Context, UINTN *CommBuffer, UINTN *CommBufferSize) { UINTN Index; // r9 __int64 v5; // rbx _DWORD *ControllablePtr; // rdi _DWORD *Ptr; // r11 __int16 v8; // ax __int64 v9; // rcx EFI_GUID VendorGuid; // [rsp+30h] [rbp-228h] BYREF UINTN DataSize; // [rsp+40h] [rbp-218h] BYREF unsigned int RbxValue; // [rsp+22Ch] [rbp-2Ch] BYREF _DWORD *DellGnvsPtr; // [rsp+270h] [rbp+18h] BYREF Index = *CommBuffer; v5 = 0; VendorGuid.Data2 = 0x5A0; VendorGuid.Data3 = 0x40C4; VendorGuid.Data1 = 0xA602C5B; VendorGuid.Data4[0] = 0x91; VendorGuid.Data4[1] = 0x81; VendorGuid.Data4[2] = 0xED; VendorGuid.Data4[3] = 0xCD; VendorGuid.Data4[4] = 0x89; VendorGuid.Data4[5] = 0x1D; VendorGuid.Data4[6] = 0; VendorGuid.Data4[7] = 3; gEfiSmmCpuProtocol->ReadSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RBX, Index, &RbxValue); ControllablePtr = RbxValue; DataSize = 4; gRT_0->GetVariable(L"DELL_GNVS_PTR", &VendorGuid, 0, &DataSize, &DellGnvsPtr); Ptr = DellGnvsPtr; if ( *DellGnvsPtr == 'TESQ' ) { ControllablePtr = DellGnvsPtr + 2; *DellGnvsPtr = 0; // unchecked write (SMRAM corruption) Ptr = DellGnvsPtr; } if ( *Ptr == 'DESQ' ) { ControllablePtr = Ptr + 2; *Ptr = 0; // unchecked write (SMRAM corruption) } v8 = *gFuncTable; if ( *gFuncTable != 255 ) { v9 = 0; while ( v8 != *ControllablePtr || *&gFuncTable[v9 + 2] != *(ControllablePtr + 1) ) { ++v5; v9 = 12 * v5; v8 = *&gFuncTable[12 * v5]; if ( v8 == 255 ) return 0; } // multiple unchecked writes (SMRAM corruption) in functions from gFuncTable (*&gFuncTable[12 * v5 + 4])(ControllablePtr); } return 0; }

char __fastcall sub_6A9C(__int64 Ptr) { // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] v2 = *(Ptr + 4); v3 = *(Ptr + 2) == 1; DataSize = 3072; v4 = 14; if ( v3 ) v4 = 0; if ( *(Ptr + 2) == 2 ) v4 = 0; if ( v2 < v4 ) { // ... // SMRAM write *(Ptr + 24) = v10 >> v8; *(Ptr + 28) = *(&off_D50 + v6 + 24); LODWORD(v5) = *(&off_D50 + v6 + 28); *(Ptr + 20) = 0; *(Ptr + 32) = v5; } else { LOBYTE(v5) = sub_5DC8(Ptr); if ( !v5 ) LABEL_7: *(Ptr + 20) = -1; // SMRAM write } return v5; }

Disclosure Activity

Date

Dell PSIRT is notified

2024-06-18

Dell PSIRT is confirmed issue

2024-08-21

BINARLY public disclosure date

2025-04-04

Potential Impact

Image preview

Vulnerability Information

Image preview

Affected Dell firmware

Image preview

Vulnerability description

Image preview

Disclosure timeline

Image preview

Acknowledgements

Image preview

See if you are impacted now with our Firmware Vulnerability Scanner

Potential Impact

Image preview

Vulnerability Information

Image preview

Affected Dell firmware

Image preview

Vulnerability description

Image preview

Disclosure timeline

Image preview

Acknowledgements

Image preview

See if you are impacted now with our Firmware Vulnerability Scanner