Pasadena, California - January 9, 2023 - Binarly Inc., providers of the industry’s first AI-powered firmware protection platform, has led the coordinated disclosure and mitigation of multiple vulnerabilities in UEFI firmware on ARM devices, including Qualcomm Snapdragon chips.
The Qualcomm vulnerabilities, rated high-severity, were identified in the UEFI firmware reference code and impacts the entire ecosystem of ARM-based laptops and devices on Qualcomm Snapdragon chips. This is the first major vulnerability disclosure of its kind in the ARM device ecosystem, and highlights the potential for cross-platform attacks on both ARM and x86 devices.
Binarly’s research team has confirmed these vulnerabilities are exploitable on Lenovo ThinkPad and Microsoft Surface devices, including the recently released development device Microsoft Windows Dev Kit 2023 (code name “Project Volterra”).
A summary of the disclosed vulnerabilities, which carry high-risk and medium-risk severity ratings:
BRLY IDTypeVendorCVE IDCVSS scoreCWEBRLY-2022-029BRLY-2022-030BRLY-2022-033Stack overflow via double GetVariable in DXE driverQualcomm Qualcomm QualcommCVE-2022-40516CVE-2022-40517CVE-2022-405208.2 (HIGH) 8.2 (HIGH) 8.2 (HIGH)CWE-121: Stack-based Buffer OverflowBRLY-2022-031BRLY-2022-032BRLY-2022-034BRLY-2022-035BRLY-2022-036BRLY-2022-037Stack memory leak vulnerability in DXE driverQualcomm Lenovo Lenovo Lenovo Qualcomm LenovoCVE-2022-40518CVE-2022-4432CVE-2022-4433CVE-2022-4434CVE-2022-40519CVE-2022-44354.9 (MEDIUM) 6.0 (MEDIUM) 6.0 (MEDIUM) 6.0 (MEDIUM) 6.0 (MEDIUM) 6.0 (MEDIUM)CWE-125: Out-of-bounds Read
Three of the nine vulnerabilities -- CVE-2022-40516, CVE-2022-40517 and CVE-2022-40520 -- are rated high-risk and allow secure boot bypass and the ability for an attacker to gain persistence on a device by gaining sufficient privileges to write to the file system. This allows an attacker to cross an extra security boundary to simplify attacks on TrustZone. All three affect Qualcomm’s reference code and affect the entire ecosystem.
Four of the issues are specific to Lenovo and allow an attacker to gain read access to the privileged boot code through all of these vulnerabilities. Compared to the previous group of vulnerabilities with arbitrary code execution, these vulnerabilities only lead to privileged information disclosure.
“With this disclosure, we have opened Pandora's box of ARM devices with UEFI firmware vulnerabilities impacting enterprise vendors. As far as we know, this is the first major vulnerability disclosure related to UEFI firmware on ARM,” said Binarly chief executive officer Alex Matrosov.
“Vulnerabilities in reference code are usually one of the most impactful since they tend to affect the whole ecosystem and not just a single vendor. Due to the complexity of the UEFI firmware supply chain, these vulnerabilities often create additional impact,” Matrosov said, noting that UEFI's unified specification not only brings consistency to the firmware development process, but also to attack surfaces.
In a statement, Qualcomm expressed thanks to Binarly for assisting with the research and coordinated disclosure:
“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend security researcher Alex Matrosov of Binarly for using industry-standard coordinated disclosure practices, and we have worked with Lenovo to address the reported boot issues. Patches were made available in November 2022, and we encourage affected end users to apply security updates when they become available from their device makers.” – Qualcomm spokesperson
Binarly commends the PSIRT team at Qualcomm for their timely professionalism when responding to these vulnerability reports. It was impressive that it only took two months to release the fixes and secure the supply chain after Binarly reported reference code vulnerabilities in October 2022.
With such a broad impact to the entire UEFI ARM-based ecosystem, this is an unprecedented timeline we haven’t experienced before when working with other vendors.
Closer collaboration between the vendor and researcher can significantly reduce the disclosure timeline and assist industry in recovering from repeatable firmware security failures.
Technical details on these findings are now available on the Binarly blog.
Qualcomm advisory: https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2023-bulletin.html
Lenovo advisory: https://support.lenovo.com/us/en/product_security/LEN-103709
About Binarly
Founded in 2021, Binarly brings decades of research experience identifying hardware and firmware security weaknesses and threats. Based in Pasadena, California, Binarly’s agentless, enterprise-class AI-powered firmware security platform helps protect from advanced threats below the operating system. The company’s technology solves firmware supply chain security problems by identifying vulnerabilities, malicious firmware modifications and providing firmware SBOM visibility without access to the source code. Binarly’s cloud-agnostic solutions give enterprise security teams actionable insights, and reduce the cost and time to respond to security incidents.
Media Contact