Header bannerHeader banner
Advisory ID:
BRLY-2022-044

[BRLY-2022-044] SMM callout vulnerability in SMM driver on AMD-based Gigabyte devices.

April 3, 2023
Severity:
High
CVSS Score
7.5
Public Disclosure Date:
April 3, 2023
CVE ID:
CVE-2023-20558

Summary

The BINARLY efiXplorer team has discovered an SMM callout vulnerability on a Gigabyte device allowing a potential attacker to hijack execution flow of code running in the System Management Mode. Exploitation of this issue could lead to escalation of privileges to SMM.

Vendors Affected

Affected Products

GB-BER5-5500 (MRZL5MB-00_F11_BIOS)
,

Potential Impact

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, resulting in the execution of arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications. This can help an attacker to install a firmware backdoor/implant into the BIOS. Such malicious firmware code in the BIOS could persist across operating system re-installs. Additionally, this vulnerability could potentially be used by threat actors to bypass security mechanisms provided by the UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).

Summary

The BINARLY efiXplorer team has discovered an SMM callout vulnerability on a Gigabyte device allowing a potential attacker to hijack execution flow of code running in the System Management Mode. Exploitation of this issue could lead to escalation of privileges to SMM.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2022-044
  • AMD PSIRT has assigned CVE identifier: CVE-2023-20558
  • CVSS v3.1 7.5 High AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Gigabyte firmware with confirmed impact by BINARLY team

Device/Firmware File Name SHA256 (File PE32 section) File GUID
GB-BER5-5500 (MRZL5MB-00_F11_BIOS) AmdCpmOemSmm 20e8a96c159f261a6afe17c3bcd159789a9829af8401890f1cb57863371fce17 b9b0f38d-1f27-4f46-9f44-42d694729882
GB-BER5H-5600 (MRZC5MB-00_F11_BIOS) AmdCpmOemSmm 20e8a96c159f261a6afe17c3bcd159789a9829af8401890f1cb57863371fce17 b9b0f38d-1f27-4f46-9f44-42d694729882

Potential impact

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, resulting in the execution of arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications. This can help an attacker to install a firmware backdoor/implant into the BIOS. Such malicious firmware code in the BIOS could persist across operating system re-installs. Additionally, this vulnerability could potentially be used by threat actors to bypass security mechanisms provided by the UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).

Vulnerability description

The vulnerability exists in the SX and PowerButton SMI handlers located at offsets 0x1618 and 0x16C4.

The handlers is registered as follows:

gSmst->SmmLocateProtocol(&EFI_SMM_SX_DISPATCH2_PROTOCOL_GUID, 0i64, &EfiSmmSxDispatch2Protocol);
gSmst->SmmLocateProtocol(&EFI_SMM_POWER_BUTTON_DISPATCH2_PROTOCOL_GUID, 0i64, &EfiSmmPowerButtonDispatch2Protocol);
RegisterContext.Phase = SxEntry;
RegisterContext.Type = SxS3;
EfiSmmSxDispatch2Protocol->Register(EfiSmmSxDispatch2Protocol, SxSmiHandler, &RegisterContext, &DispatchHandle);
RegisterContext.Phase = SxEntry;
RegisterContext.Type = SxS4;
EfiSmmSxDispatch2Protocol->Register(
  EfiSmmSxDispatch2Protocol,
  PowerButtonSmiHandler,
  &RegisterContext,
  &DispatchHandle);
RegisterContext.Phase = SxEntry;
RegisterContext.Type = SxS5;
EfiSmmSxDispatch2Protocol->Register(
  EfiSmmSxDispatch2Protocol,
  PowerButtonSmiHandler,
  &RegisterContext,
  &DispatchHandle);
PbRegisterContext.Phase = PowerButtonExit;
EfiSmmPowerButtonDispatch2Protocol->Register(
  EfiSmmPowerButtonDispatch2Protocol,
  PowerButtonSmiHandler,
  &PbRegisterContext,
  &PbDispatchHandle);

SxSmiHandler and SxAndPowerButtonSmiHandler callbacks contains many function calls from the interface, which has been located as follows:

// AMD_CPM_TABLE_SMM_PROTOCOL_GUID = af6efacf-7a13-45a3-b1a5-aafc061c4b79
result = gBS->LocateProtocol(&AMD_CPM_TABLE_SMM_PROTOCOL_GUID, 0, &gAmdCpmTableSmmProtocol);

Let's look at all the problem areas (marked with "callout" comment) using the SxSmiHandler function as an example:

(*(gAmdCpmTableSmmProtocol + 90))(gAmdCpmTableSmmProtocol, 0x218, 0); // callout
(*(gAmdCpmTableSmmProtocol + 90))(gAmdCpmTableSmmProtocol, 0x21F, 0); // callout
res = (*(gAmdCpmTableSmmProtocol + 11))(0xFED8156C); // callout
(*(gAmdCpmTableSmmProtocol + 15))(0xFED8156C, res & 0xFFBFFFFF); // callout
result = gSmst->SmmLocateProtocol(&EFI_SMM_VARIABLE_PROTOCOL_GUID, 0, &EfiSmmVariableProtocol);
if ( result >= 0 )
{
  DataSize = 136;
  result = EfiSmmVariableProtocol->SmmGetVariable(L"AMD_PBS_SETUP", &gGuid, 0, &DataSize, Data);
  Status = result;
  if ( result >= 0 )
  {
    if ( Data[54] == 1 )
    {
      res = (*(gAmdCpmTableSmmProtocol + 11))(0xFED803E4); // callout
      // in case of SxAndPowerButtonSmiHandler last argument is different: res & 0xFFFFFFFC
      (*(gAmdCpmTableSmmProtocol + 15))(0xFED803E4, res & 0xFFFFFFFC | 1); // callout
    }
    return Status;
  }
}

The AMD_CPM_TABLE_SMM_PROTOCOL_GUID (af6efacf-7a13-45a3-b1a5-aafc061c4b79) protocol installation routine shown below (code from AmdCpmInitSmm module):

EfiSmmBase2Protocol->InSmm(EfiSmmBase2Protocol, &InSmram);
if ( !InSmram )
  return res;
Status = gSmst->SmmAllocatePool(EfiRuntimeServicesData, 0x410, &Buffer);
if ( Status >= 0 )
{
  Status = gBS->LocateProtocol(&AMD_CPM_TABLE_PROTOCOL_GUID, 0, &Interface);
  if ( Status >= 0 )
  {
    *Buffer = *Interface;
    *(Buffer + 1) = *(Interface + 1);
    InterfaceBuffer = Buffer;
    *(Buffer + 0x71) = sub_13A0;
    InterfaceBuffer[0x72] = &loc_13A8;
    InterfaceBuffer[0x78] = sub_14E4;
    InterfaceBuffer[0x79] = sub_14B4;
    sub_2DE4(Buffer);
    sub_3A00(Buffer);
    sub_5FC0(Buffer);
    Handle[0] = 0;
    return gBS->InstallProtocolInterface(Handle, &AMD_CPM_TABLE_SMM_PROTOCOL_GUID, EFI_NATIVE_INTERFACE, Buffer);
...

As we can see, the interface address (located with gBS->LocateProtocol()) is located inside SMRAM (since Buffer allocated with gSmst->SmmAllocatePool() function), but installed with gBS->InstallProtocolInterface() service.

The vulnerability cannot be exploited from the operating system. But an attacker capable of executing code in DXE could control af6efacf-7a13-45a3-b1a5-aafc061c4b79 protocol interface address.

In order to safely use the functions from this protocol interface within the SMI handler, this protocol must be installed with EFI_SMM_SYSTEM_TABLE2::SmmInstallProtocolInterface() and located with EFI_SMM_SYSTEM_TABLE2::SmmLocateProtocol().

Disclosure timeline

This vulnerability is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the vulnerability report will be made publicly available.

Disclosure Activity Date (YYYY-MM-dd)
AMD PSIRT is notified 2022-12-22
AMD PSIRT confirmed reported issue 2023-01-13
AMD PSIRT assigned CVE number 2023-01-24
AMD public disclosure date 2023-03-24
BINARLY public disclosure date 2023-04-03

Acknowledgements

BINARLY efiXplorer team

Tags
No items found.
FWHunt
See if you are impacted now with our Firmware Vulnerability Scanner