Major security vulnerability found in top server firmware

Security firm Binarly has discovered more than 20 vulnerabilities hiding in BIOS/UEFI software from a wide range of system vendors, including Intel, Microsoft, Lenovo, Dell, Fujitsu, HP, HPE, Siemens, and Bull Atos.

Binarly found the issues were associated with the use of InsydeH20, a framework code used to build motherboard unified extensible firmware interfaces (UEFI), the interface between a computer’s operating system and firmware.

All of the aforementioned vendors used Insyde’s firmware SDK for motherboard development. It is expected that similar types of vulnerabilities exist in other in-house and third-party BIOS-vendor products as well.

These vulnerabilities are particularly dangerous because UEFI/BIOS-based attacks can bypass firmware-based security mechanisms. These vulnerabilities include SMM allout or privilege escalation, SMM memory corruption, and DXE memory corruption.

The potential damage done by these vulnerabilities is severe because they can be used by attackers to bypass hardware–based security features such as secure boot, virtualization-based security (VBS), and trusted platform modules (TPM). The vulnerabilities are in the UEFI but allow malware to be installed on the system that can survive a hard-drive wipe and operating-system reinstallation.

Initially, Binarly disclosed 23 new vulnerabilities but then found five more specific to HP hardware. The vulnerabilities affect both desktop and server hardware, according to Binarly, which has reported them to enterprise vendors and to Insyde. Fixes are in the works.