REsearch

The Binary REsearch team leads the industry in firmware vulnerability disclosure and advisories

Binarly REsearch Uncovers Major Vulnerabilities in Supermicro BMCs

Binarly Research Team

Behind the screens: An overview of hidden attack surfaces in powerful BMC chip infrastructure.

Binarly Reports High-Severity AMD Vulnerabilities with Downstream Impact

Binarly Team

The Binarly REsearch team disclosed three high-severity vulnerabilities to AMD in December 2022, with confirmed industry-wide downstream impact. It is normal for vulnerabilities in reference code to live in the supply chain for long periods of time, even after the fixes are released. In these cases, the silicon vendor did not assign CVEs to its internal discoveries and released silent fixes to some vendors. Binarly’s researchers discovered these vulnerabilities (CVE-2023-20558/BRLY-2022-044 and CVE-2023-20559/BRLY-2022-042) independently and disclosed them to AMD’s security response team. A fourth vulnerability, BRLY-2022-045 (8.5 High), is still unfixed due to the complexity of the issue and its impact. AMD expects to release a patch later this year.

Scalable Vulnerability Analysis Requires Automation

Alex Matrosov

In my recent blog post on the BlackLotus UEFI bootkit, we discussed how big a problem the firmware supply chain poses to Microsoft Windows bootloaders, showing how the BatonDrop (CVE-2022-21894) vulnerability can bypass both device attestation and secure boot.

Multiple Vulnerabilities in Qualcomm and Lenovo ARM-based Devices

Binarly Team

In today's disclosure we opened Pandora's box of ARM devices with UEFI firmware vulnerabilities impacting enterprise vendors. As far as we know, this is the first major vulnerability disclosure related to UEFI firmware on ARM. Most of the vulnerabilities disclosed today relate to Qualcomm’s reference code for Snapdragon chips. Vulnerabilities in reference code are usually among the most impactful, since they tend to affect the whole ecosystem and not just a single vendor. Due to the complexity of the UEFI firmware supply chain, these vulnerabilities often create additional impact. UEFI's unified specification brings consistency not only to the firmware development process but also to the attack surface. This consistency enables cross-platform attacks, so many attack vectors from the x86 ecosystem will also be available on ARM, though exploitation specifics will differ.

efiXplorer: Hunting UEFI Firmware NVRAM Vulnerabilities

Binarly efiXplorer Team

Binarly released a new version of efiXplorer v5.2 [Xmas Edition] today, with support for the new IDA SDK v8.2 and the addition of multiple code analysis improvements.

New Attacks to Disable and Bypass Windows Management Instrumentation [LABSCon Edition]

Binarly Team

In a previous blog covering one of Binarly’s presentations at the Black Hat 2022 conference, we discussed in detail our research on attacks that disable Windows Management Instrumentation (WMI) and blind an entire class of endpoint security solutions. We introduced a template for attacks, dubbed ‘one-bit change attack’, on objects residing inside the WMI service address space. We also demonstrated another way to disable WMI by isolating the WMI service from the rest of the operating system through a sandboxing attack.

LABScon 2022: Binarly Discloses High-Impact Firmware Vulnerabilities In Insyde-Based Devices

Binarly efiXplorer Team

Only two months have passed since our Black Hat talk, where we spoke about a number of vulnerabilities we had discovered. Our presentation at Black Hat revealed 12 serious vulnerabilities affecting enterprise devices industry-wide. The Binarly security research team continues to find evidence of repeatable failures in the firmware development ecosystem, exposing critical vulnerabilities that impact the entire industry rather than just a single vendor.

ARM-based Firmware Support in New efiXplorer v5.0 [LABScon Edition]

Binarly efiXplorer Team

We promised to release the new version of efiXplorer with ARM-based firmware support last week at the inaugural LABScon event. This is one of the most important releases since the project began in February of 2020. In the beginning, efiXplorer focused primarily on x86-based firmware analysis, but after seeing the growth of ARM-based servers and laptops, we are now adding support for ARM.

Binarly Discovers Multiple High-Severity Vulnerabilities in AMI-based Devices

Binarly efiXplorer Team

The Binarly security research team continues to find evidence of repeatable failures in the firmware development ecosystem, exposing ecosystem-wide critical vulnerabilities that impact the entire industry rather than just a single vendor.

Binarly Finds Six High Severity Firmware Vulnerabilities in HP Enterprise Devices

Binarly efiXplorer Team

The Binarly security research team has had a busy year finding, documenting and helping to fix high-impact vulnerabilities affecting multiple enterprise vendors. In this blog, we provide an in-depth look at some of the vulnerabilities we discussed at the Black Hat 2022 conference affecting HP EliteBook devices.

Using Symbolic Execution to Detect UEFI Firmware Vulnerabilities

Binarly Team

The Binarly team is constantly researching ways to automate our proprietary deep code inspection technology to improve the discovery of different classes of bugs within system firmware. The Binarly efiXplorer team has decades of experience in program analysis and automation, enabling us to develop unique binary analysis techniques and technologies internally.

Black Hat 2022: The Intel PPAM attack story

Binarly efiXplorer Team

The increasingly large number of firmware vulnerabilities gives attackers a lot of options for persistence and the means to bypass traditional endpoint solutions. At least two recently discovered firmware implants -- MoonBounce and CosmicStrand -- have persisted for more than seven years by using basic firmware bootkit techniques. In general, the UEFI system firmware grows in complexity every year and constantly introduces new attack surfaces.

Repeatable Failures: AMI UsbRt - Six years later, firmware attack vector still affects millions of enterprise devices

Binarly efiXplorer Team

A month ago, Binarly’s security research team managed the coordinated disclosure of 16 high impact vulnerabilities in HP devices and 23 additional security defects impacting major enterprise vendors. In less than a year, Binarly disclosed 42 high severity vulnerabilities haunting the UEFI firmware ecosystem, all serious enough to cause arbitrary code execution in System Management Mode (SMM).

Repeatable Firmware Security Failures: 16 High Impact Vulnerabilities Discovered in HP Devices

efiXplorer Team

Today, Binarly’s security research lab announced the discovery and coordinated disclosure of 16 high-severity vulnerabilities in various implementations of UEFI firmware affecting multiple enterprise products from HP, including laptops, desktops, point-of-sale systems, and edge computing nodes.

An In-Depth Look at the 23 High-Impact Vulnerabilities

Binarly efiXplorer Team

In our previous blog “The Firmware Supply Chain Security is Broken: Can We Fix It?”, we delved deep into the challenges of the firmware ecosystem by introducing the supply chain "race condition" paradigm.