Firmware Implant Survives Operating System Updates and Bypasses UEFI Secure Boot and Virtualization-Based Security
Pasadena, CA – February 1, 2022 – Binarly, the enterprise firmware security specialists, today announced the discovery and coordinated disclosure of 23 new high severity vulnerabilities in various implementations of UEFI firmware affecting millions of enterprise devices worldwide.
These vulnerabilities (CVSS 7.5 - 8.2, high-severity rating) were found within Insyde Software’s InsydeH2O UEFI firmware on a variety of customer platforms, and it is expected that similar types of vulnerabilities exist in other in-house and third-party BIOS vendor solutions.
Binarly reported the critical firmware vulnerabilities to the affected enterprise vendors, and most of these disclosures are industry-wide. With this announcement, Binarly highlights InsydeH2O UEFI firmware, used by many leading enterprise vendors including Lenovo, HP, HPE, Fujitsu, Juniper Networks and Atos, among others.
The impacted devices range from laptops to enterprise servers, network appliances, routers, industrial control systems and edge computing devices. By exploiting these vulnerabilities, attackers can install malware that survives operating system re-installations and bypasses endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation.
According to the National Institute of Standards and Technology (NIST), the National Vulnerability Database has shown an exponential increase in the number of reported firmware vulnerabilities since 2018.
“We value the work that Binarly is doing to help make firmware more secure and appreciate their professionalism while working with us to report these issues in a timely manner,” said Tim Lewis, CTO and Head of Insyde Software’s Office of Security and Trust. “Their AI-powered approach to identifying threats is proving to be a valuable tool to help provide stronger firmware security,” added Lewis.
Most of the reported vulnerabilities were discovered automatically by the Binarly SaaS Platform and subsequently reviewed by the Binarly team to provide a comprehensive advisory report to the impacted vendors.
“Initially, we discovered all of these vulnerabilities in a single vendor device. However, later we discovered a few other enterprise vendors were also affected by the same issues,” said Alex Matrosov, Founder and CEO at Binarly. “Our ‘a-ha’ moment came when we realized it was a reference codebase. Our deeper analysis of the code revealed that it is affecting the InsydeH2O UEFI firmware and we are grateful for Insyde’s professional response to reduce the time of disclosure.”
Over the last few months, Binarly worked closely with the CERT/CC and Insyde teams to confirm the vulnerabilities, provide additional technical details, evaluate the associated risk, and work through the responsible disclosure process. Insyde Software, which has patched all of the issues, notified customers promptly and today issued its own press release regarding these CVEs.
The Insyde press release and additional disclosure information are available at https://www.insyde.com/security-pledge.
“The main challenge for such massive vulnerability disclosures is cooperation between vendor and researcher, when time is a negative factor against the device customers. We reduced the time of response between multiple vendors during the disclosure process by working directly with CERT/CC, and our collaboration with Insyde helped to release security fixes to the industry on time,” said Alex Matrosov, Founder and CEO at Binarly.
Binarly has also worked closely with the Linux Vendor Firmware Service (LVFS) to identify other affected vendors and to scale detection further, identifying affected hardware models by running the FwHunt rules against the existing archive of public firmware. This allowed us to efficiently alert the relevant PSIRT teams and CERT/CC with detailed information about affected hardware.
“Using the FwHunt rules provided by Binarly, the LVFS can scan gigabytes of existing firmware looking for vendors and models affected by specific CVEs. Running the same rules on new firmware we can ensure that new vendors joining the LVFS are notified of unpatched supply-chain issues, and also can ensure that existing vendors do not accidentally ship firmware which accidentally reverts the security fixes. I'm really happy we can work with Binarly, and can continue to protect the firmware supply chain,” said Richard Hughes, LVFS Maintainer, Red Hat.
At the OffensiveCon Berlin security conference on February 4th, the Binarly team will present the research "UEFI Firmware Vulnerabilities: Past, Present and Future" where additional technical details regarding the vulnerability discoveries will be disclosed.
Read detailed descriptions of the discoveries in the Binarly Vulnerability Research Advisories.
Read additional details in the Binarly blog post “An In Depth Look at the 23 High Impact Vulnerabilities”.
Founded in 2021, Binarly brings decades of research experience identifying hardware and firmware security weaknesses and threats. Based in Pasadena, California, Binarly’s agentless, enterprise-class AI-powered firmware security platform helps protect against advanced threats below the operating system. The company’s technology solves firmware supply chain security problems by identifying vulnerabilities and malicious firmware modifications, and by providing firmware SBOM visibility, without access to the source code. Binarly’s cloud-agnostic solutions give enterprise security teams actionable insights and reduce the cost and time to respond to security incidents.