Security vulnerabilities allow firmware implantation that survives operating system updates and bypasses UEFI Secure Boot, Intel Boot Guard, and virtualization-based security.
Pasadena, California – March 8, 2022 – Firmware security specialist Binarly announces the discovery and coordinated disclosure of 16 new high-severity vulnerabilities in various implementations of UEFI firmware affecting multiple HP enterprise devices, including laptops, desktops, point-of-sale systems, and edge computing nodes.
These vulnerabilities (CVSS 7.5 - 8.8 high-severity rating) were found in HP UEFI firmware, and some of the issues affect AMD reference code (BRLY-2021-004 / CVE-2021-39298).
Using Binarly’s in-house code similarity technology on the whole firmware corpus, a detection triggered on a piece of firmware belonging to a Dell device for a vulnerability originally found on HP devices, which led to the conclusion that the vulnerability exists in shared reference code. Additional investigation connected this code to AMD's firmware driver (AgesaSmmSaveMemoryConfig), which is widely used across the entire computing ecosystem.
Binarly reported new findings to CERT/CC to simplify multi-vendor disclosures on all these vulnerabilities.
The company is constantly collaborating with HP and CERT/CC teams to understand the scope of the vulnerabilities and reduce the impact on enterprise infrastructure deployments globally.
In February this year, Binarly reported 23 critical firmware security flaws affecting the entire enterprise device ecosystem (see full media coverage at SecurityWeek and ZDNet).
The Binarly discoveries follow the publication of a new joint draft report issued by the leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce that identified firmware security as a major threat facing U.S. software supply chains.
“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two U.S. agencies said.
Many device manufacturers and firmware development companies underestimate the impact of third-party risk from already known vulnerabilities. Binarly telemetry data shows that a vulnerability already known and fixed by one vendor can remain unpatched for months in other vendors' products.
“Security is always a top priority for HP, and we value the work that Binarly is doing and thank them for responsibly reporting to HP. Please follow our Security Bulletins for updates. We encourage our customers to always keep their systems up to date,” said HP PSIRT.
The HP disclosure information is available at:
https://support.hp.com/us-en/document/ish_5661066-5661090-16
https://support.hp.com/us-en/document/ish_5817864-5817896-16
A breakdown of the vulnerabilities and their impact:
| CVE ID | Binarly ID | Description | CVSS Score |
|---|---|---|---|
| CVE-2021-39297 | BRLY-2021-003 | DXE stack buffer overflow (arbitrary code execution) | 7.7 High |
| CVE-2021-39298 | BRLY-2021-004 | SMM callout (privilege escalation) | 8.8 High |
| CVE-2021-39299 | BRLY-2021-005 | DXE stack buffer overflow (arbitrary code execution) | 8.2 High |
| CVE-2021-39300 | BRLY-2021-006 | DXE stack overflow vulnerability (arbitrary code execution) | 8.2 High |
| CVE-2021-39301 | BRLY-2021-007 | DXE stack overflow (arbitrary code execution) | 7.7 High |
| CVE-2022-23924 | BRLY-2021-032 | SMM heap buffer overflow (arbitrary code execution) | 8.2 High |
| CVE-2022-23925 | BRLY-2021-033 | SMM memory corruption (arbitrary code execution) | 8.2 High |
| CVE-2022-23926 | BRLY-2021-034 | SMM memory corruption (arbitrary code execution) | 8.2 High |
| CVE-2022-23927 | BRLY-2021-035 | SMM memory corruption (arbitrary code execution) | 8.2 High |
| CVE-2022-23928 | BRLY-2021-036 | SMM memory corruption (arbitrary code execution) | 8.2 High |
| CVE-2022-23929 | BRLY-2021-037 | SMM memory corruption (arbitrary code execution) | 8.2 High |
| CVE-2022-23930 | BRLY-2021-038 | SMM memory corruption (arbitrary code execution) | 8.2 High |
| CVE-2022-23931 | BRLY-2021-039 | SMM memory corruption (arbitrary code execution) | 8.2 High |
| CVE-2022-23932 | BRLY-2021-040 | SMM callout (privilege escalation) | 8.2 High |
| CVE-2022-23933 | BRLY-2021-041 | SMM callout (privilege escalation) | 8.2 High |
| CVE-2022-23934 | BRLY-2021-042 | SMM memory corruption (arbitrary code execution) | 8.2 High |
“The variety of devices impacted ranges from laptops and desktops to retail point-of-sale systems. By exploiting the vulnerabilities disclosed, attackers can leverage them to perform privileged code execution in firmware, below the operating system, and potentially deliver persistent malicious code that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation,” said Alex Matrosov, Founder and CEO at Binarly.
Additional Information:
Read detailed descriptions of the discoveries in the Binarly Vulnerability Advisories: https://www.binarly.io/advisories
Read additional details in the Binarly blog:
About Binarly
Founded in 2021, Binarly brings decades of research experience identifying hardware and firmware security weaknesses and threats. Based in Pasadena, California, Binarly’s agentless, enterprise-class AI-powered firmware security platform helps protect from advanced threats below the operating system. The company’s technology solves firmware supply chain security problems by identifying vulnerabilities, malicious firmware modifications and providing firmware SBOM visibility without access to the source code. Binarly’s cloud-agnostic solutions give enterprise security teams actionable insights, and reduce the cost and time to respond to security incidents.
Media Contact
818.351.9637