Header bannerHeader banner
Advisory ID:
BRLY-DVA-2023-025

[BRLY-DVA-2023-025] SMM memory corruption vulnerability in combined DXE/SMM driver on Fujitsu device (SMRAM write)

July 2, 2024
Severity:
Low
CVSS Score
3.2
Public Disclosure Date:
June 19, 2024

Summary

Binarly REsearch Team has discovered a SMM memory corruption vulnerability in a Fujitsu device allowing a possible attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
Vendors Affected Icon

Vendors Affected

Lenovo
Phoenix
Affected Products icon

Affected Products

Yoga Slim 7 Pro

Potential Impact

An attacker with local privileged access can exploit this vulnerability to read the contents of the physical memory and use this information to exploit other vulnerabilities in DXE. A malicious code installed as a result of the vulnerability exploitation in a DXE driver could survive across an operating system (OS) boot process and runtime or modify NVRAM area on SPI flash storage (to gain persistence on target platform). Additionally, this vulnerability potentially could be used by threat actors to bypass OS security mechanisms (modify privileged memory or runtime variables), influence on the OS boot process, and in some cases would allow an attacker to hook or modify EFI Runtime services.

This vulnerability was detected by the Deep Vulnerability Analysis (DVA) component from Binarly Platform

Summary

Binarly REsearch Team has discovered a SMM memory corruption vulnerability in a Fujitsu device allowing a possible attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-DVA-2023-025
  • Insyde PSIRT assigned CVE identifier: CVE-2024-25078
  • CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Insyde-based Fujitsu firmware images with confirmed impact by Binarly REsearch Team

Potential impact

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS. Such a malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).

Vulnerability description

Let's consider the vulnerability on the example of a module with SHA256 c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3. The pseudocode of the vulnerable ChildSwSmiHandler function (with the HandlerType: EFI_ATA_PASS_THRU_PROTOCOL_GUID) is presented below:

EFI_STATUS __fastcall ChildSwSmiHandler(
        EFI_HANDLE DispatchHandle,
        const void *Context,
        _QWORD *CommBuffer,
        UINTN *CommBufferSize)
{
  __int64 v4; // r13
  __int64 NestedPtr; // rsi
  __int64 Status; // rbx
  __int64 Ptr; // rdi
  bool Res; // al
  UINTN v10; // rdi
  unsigned __int8 v11; // r12
  __int64 v12; // rax
  EFI_STORAGE_SECURITY_SEND_DATA *p_SendData; // r14
  __int64 i; // rax
  __int64 v15; // rbx
  EFI_STORAGE_SECURITY_COMMAND_PROTOCOL *EfiStorageSecurityCommandProtocol; // [rsp+30h] [rbp-10h] BYREF
  void *Buffer; // [rsp+90h] [rbp+50h] BYREF
  UINTN BufferSize; // [rsp+98h] [rbp+58h] BYREF

  BufferSize = 0;
  v4 = 0;
  Buffer = 0;
  if ( gUnknownProtocol == CommBuffer && *CommBufferSize == 31 && CommBuffer )
  {
    NestedPtr = CommBuffer[2];
    gGlobalPtr1 = *(NestedPtr - 16);
    gGlobalPtr2 = *(NestedPtr - 8);
    if ( *CommBuffer == 1 )
    {
      Status = Command1(*(NestedPtr + 16), 1, NestedPtr);
      goto _Exit;
    }
    if ( *CommBuffer != 2 )
    {
      if ( *CommBuffer == 3 )
      {
        Ptr = Deref1(NestedPtr);
        Res = Compare(NestedPtr, Ptr);
        Status = Buffer;
        while ( !Res )
        {
          if ( *(Ptr + 16) )
          {
            Status = gSmst_0->SmmUninstallProtocolInterface(
                       *(Ptr - 136),
                       &EFI_STORAGE_SECURITY_COMMAND_PROTOCOL_GUID,
                       (Ptr - 88));
            if ( Status >= 0 )
            {
              Status = gSmst_0->SmmUninstallProtocolInterface(*(Ptr - 136), &EFI_DEVICE_PATH_PROTOCOL_GUID, *(Ptr - 56));
              if ( Status >= 0 )
                *(Ptr + 16) = 0; // unchecked write (SMRAM corruption)
            }
          }
          Ptr = Deref2(NestedPtr, Ptr);
          Res = Compare(NestedPtr, Ptr);
        }
      }
      else
      {
        Status = EFI_UNSUPPORTED;
      }
      goto _Exit;
    }
    ...
_Exit:
    CommBuffer[1] = Status;
  }
  return EFI_SUCCESS;
}

The pseudocode for the Deref1 function is shown below:

__int64 __fastcall Deref1(__int64 Address)
{
  return *Address;
}

As we can see from the pseudocode above, command 3 branch (if ( *CommBuffer == 3 )) contains an unchecked write operation to a nested pointer derived from the CommBuffer structure, which is specified by a user. So that the user can write fixed value 0x00 to a controllable address in SMRAM, which could lead to arbitrary code execution and privileges escalation to SMM.

In order to fix this vulnerability, it is necessary to check all nested pointers for overlapping with SMRAM before attempting to write to buffer pointed by it.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Device name Unpacked firmware SHA256 Firmware version IBV Module name Module GUID Module SHA256 Module kind
STYLISTIC Q739 fc7721316290cc58a177d8fd530215652609528d5afc3eed9a29282a5e5509d6 2.18 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3 CombinedSmmDxe
LIFEBOOK A3510 9c9c6b24f4cafc078e00a46b4ee4ecb4f4eba5d8d04b8b77e41da6862ea9cbc0 1.13 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 79deccfc57b4615ddbb7f6e6f4deb044a5419eeab731e84b66544be6ac5f6bd4 CombinedSmmDxe
STYLISTIC Q738 4f91b0aefd3cfd44d839c2a4bec6cb96e642d220df43542fe93bd79888ba3deb 1.18 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK P728 0a1f9bb3f9fc27dfbce3ddd80538488113bc335ba549dadea33c3f99fd0c2e23 1.22 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK U758 51c8f4b3ffb9c3b77c9bbb4eb6d0f873ef23d6bf51a1aa29e47e56cb45ebc1ff 1.27 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 b6ca91f46a20784bdfb801db3399ee2c8ec545f724f19aa2828608c19501dd69 CombinedSmmDxe
LIFEBOOK U747 6th Gen df6a8316a6ed5faa82b29e9adc536c8690c25bfa0d919b1cccd21f7acd5e145a 1.21 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK U937 120c3697d39e682909ea5158936034db331070054478677e97ac47a35a8042a1 1.26 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK T938 5cebe3bbe58f12cd8463ab158779fd234866577b3caa0986ba08d30db44fbb20 1.21 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK P727 742561424f3c97f23758a71e66547e6b75197fc651fd42d0cac16b4916cd2946 1.26 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK T937 f6d59010a9d79bfbe25dede2eb5b8dd4303f9ff8dd1ec74c5384a4b488bf66b3 1.27 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK U747 bd1e9d7f4fbcd6ce428a7626cfc156367dc4853606eab4a671bb56ff769eea34 1.31 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 b6ca91f46a20784bdfb801db3399ee2c8ec545f724f19aa2828608c19501dd69 CombinedSmmDxe
LIFEBOOK S937 3a15b1495893966ac363c59b40d1e292f1d7baca7aedcd62dd4a520a3951e44a 1.21 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK U939 (BLACK, RED) a4a0d485c8bf3ab7f841543a4b4eb8d1a0fab3acd18a9364ac682cb3b354ee8a 2.2 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3 CombinedSmmDxe
CELSIUS H7510 105afe7aa90d14ecf48c61d1b60ca2657bac0d15d5cafc64aee3051db8c869db 1.13 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 79deccfc57b4615ddbb7f6e6f4deb044a5419eeab731e84b66544be6ac5f6bd4 CombinedSmmDxe
CELSIUS H770 af200fcf1fa19a065c86c2ee1808d67a1de3dba3e566f388925f441ad1c25a0b 1.26 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK E547 ec6a61357892d9ad6cecf6565947fe36215b87ee0907aa396fc57ca4c3967e37 1.22 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
STYLISTIC V727 b6cd4a6459cb5c5598e83b4000d25decef379657e067520d0db545af0bbd6dfe 1.26 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK U939X (BLACK, RED) f32195a473344f1f61ca942966bb90bab48204d9c159fdd26e0463bbcb2b6b4f 2.23 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3 CombinedSmmDxe
LIFEBOOK E458 3fdade3dad6e8b360b167bfab6809668e978201bdecf669981f0b2cf94b75153 1.24 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK T939 2031ebddf840f721a6054142a1b26d39fb66f6ea1f07c7848eaab17e46c2b4a1 2.17 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3 CombinedSmmDxe
LIFEBOOK U749 034e8072b13718fdd5975b90ff8af0ed83a3ed75cb57d5f0e551d8594225d7c6 2.27 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3 CombinedSmmDxe
LIFEBOOK E559 d1bcd6291c4de1033fd46330d73c5dfe8a9a988a36d548ff00aed75ab075d6c4 2.22 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 c93e4b4e5962d689a0e8c075f2ee5c21e6f3ae1a7438f65645ed16cac12d26c3 CombinedSmmDxe
LIFEBOOK E449 7794a7d2beb3573a4267c3bfd6180f395042d1eecd3e56cfb0f59ffa3201fa65 1.12 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK U728 70be8159c33280abd6a47b3e4c54e73853d35bf1f30396fad3569f0b32a72885 1.28 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK E557 vPro 5a0f060b8fe3eb88b05707e486dc4b01d5365df4a37a59ccff61bdf2727b44f7 1.26 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK A3511 4eb7a6577974e0a7527bb762906602387b2f2e10d530cb3e9a664a624ac22b8a 1.11 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 6de60437bd9dba4327515e5362aa9957adf0d578ef30050ea1ec261d526419c6 CombinedSmmDxe
LIFEBOOK S938 80add3e6396559f8819af060c6e29826c877e386948a09d4412202c9607bcb65 1.22 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK U727 a1f89866b257767599ee7ac9e5983e1661689d25f2b8da0646553bd3f5c5c14b 1.32 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK U938 edc048167fa29fc64738219dbcdb243264e95f1c42f391a0454ad2c66f0a9ee5 1.29 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
LIFEBOOK E548 55689016cfe7ea6221d1849648db43c6ceb4962bb4f6853e72d76b50915e7d14 1.25 Insyde StorageSecurityCommandDxe 70d57d67-7f05-494d-a014-b75d7345b700 901eda690697d617b60e7fcae40857a99b04d056b7106200b7f08b74aaa5bcd3 CombinedSmmDxe
Disclosure Activity Date (YYYY-mm-dd)
Fujitsu PSIRT is notified 2023-12-22
Fujitsu PSIRT informed Insyde 2024-01-22
Insyde PSIRT confirmed issue 2024-01-24
Insyde PSIRT provide patch release 2024-05-13
Binarly Public Disclosure Date 2024-06-17

Acknowledgements

Binarly REsearch Team

Tags
Fujitsu
Vulnerability
FWHunt
See if you are impacted now with our Firmware Vulnerability Scanner