
Binarly’s REsearch team has led the coordinated disclosure of multiple vulnerabilities in Qualcomm reference code and ARM-based Lenovo devices powered by UEFI firmware. Multiple vendors are affected including Microsoft Surface devices, Samsung, HP, and many others.

Pasadena, California - January 9, 2023 - Binarly Inc., providers of the industry’s first AI-powered firmware protection platform, has led the coordinated disclosure and mitigation of multiple vulnerabilities in UEFI firmware on ARM devices, including Qualcomm Snapdragon chips.

The Qualcomm vulnerabilities, three of which are rated high-severity, were identified in the UEFI firmware reference code and impact the entire ecosystem of ARM-based laptops and devices built on Qualcomm Snapdragon chips. This is the first major vulnerability disclosure of its kind in the ARM device ecosystem, and it highlights the potential for cross-platform attacks on both ARM and x86 devices.
Binarly’s research team has confirmed these vulnerabilities are exploitable on Lenovo ThinkPad and Microsoft Surface devices, including the recently released development device Microsoft Windows Dev Kit 2023 (code name “Project Volterra”).
A summary of the disclosed vulnerabilities, which carry high-risk and medium-risk severity ratings:

BRLY ID        | Type                                                 | Vendor   | CVE ID         | CVSS score   | CWE
BRLY-2022-029  | Stack overflow via double GetVariable in DXE driver  | Qualcomm | CVE-2022-40516 | 8.2 (HIGH)   | CWE-121: Stack-based Buffer Overflow
BRLY-2022-030  | Stack overflow via double GetVariable in DXE driver  | Qualcomm | CVE-2022-40517 | 8.2 (HIGH)   | CWE-121: Stack-based Buffer Overflow
BRLY-2022-033  | Stack overflow via double GetVariable in DXE driver  | Qualcomm | CVE-2022-40520 | 8.2 (HIGH)   | CWE-121: Stack-based Buffer Overflow
BRLY-2022-031  | Stack memory leak vulnerability in DXE driver        | Qualcomm | CVE-2022-40518 | 4.9 (MEDIUM) | CWE-125: Out-of-bounds Read
BRLY-2022-032  | Stack memory leak vulnerability in DXE driver        | Lenovo   | CVE-2022-4432  | 6.0 (MEDIUM) | CWE-125: Out-of-bounds Read
BRLY-2022-034  | Stack memory leak vulnerability in DXE driver        | Lenovo   | CVE-2022-4433  | 6.0 (MEDIUM) | CWE-125: Out-of-bounds Read
BRLY-2022-035  | Stack memory leak vulnerability in DXE driver        | Lenovo   | CVE-2022-4434  | 6.0 (MEDIUM) | CWE-125: Out-of-bounds Read
BRLY-2022-036  | Stack memory leak vulnerability in DXE driver        | Qualcomm | CVE-2022-40519 | 6.0 (MEDIUM) | CWE-125: Out-of-bounds Read
BRLY-2022-037  | Stack memory leak vulnerability in DXE driver        | Lenovo   | CVE-2022-4435  | 6.0 (MEDIUM) | CWE-125: Out-of-bounds Read
Three of the nine vulnerabilities -- CVE-2022-40516, CVE-2022-40517 and CVE-2022-40520 -- are rated high-risk. They allow a Secure Boot bypass and let an attacker who already has sufficient privileges to write to the file system gain persistence on the device. Crossing this extra security boundary also simplifies attacks on TrustZone. All three affect Qualcomm's reference code and therefore the entire ecosystem of devices built on it.
Four of the issues are specific to Lenovo and give an attacker read access to privileged boot code. Unlike the previous group, which leads to arbitrary code execution, these vulnerabilities lead only to privileged information disclosure.
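The "stack overflow via double GetVariable" pattern named in the table above, shown as an added example. This is not Binarly's, Qualcomm's or Lenovo's code: the single-entry variable store, the GetVariable() mock, the flat byte array standing in for the driver's stack frame, and all function names are constructed for illustration. What it demonstrates is the bug class: the first GetVariable() call only reports how large the NVRAM variable is, the second call writes that many bytes into a fixed stack buffer, and because the variable is writable from the OS its size is attacker-controlled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the UEFI types and status codes involved; the values follow
 * the UEFI specification's encoding (error bit set in the top bit). */
typedef uint64_t EFI_STATUS;
#define EFI_ERROR_BIT        ((EFI_STATUS)1 << 63)
#define EFI_SUCCESS          ((EFI_STATUS)0)
#define EFI_BUFFER_TOO_SMALL (EFI_ERROR_BIT | 5)
#define EFI_NOT_FOUND        (EFI_ERROR_BIT | 14)

/* Constructed single-entry NVRAM variable store (assumption for the demo).
 * On a real system an OS-level attacker with admin rights can rewrite the
 * variable through SetVariable() before rebooting, so its size is hostile. */
enum { FRAME_SIZE = 64, BUF_SIZE = 8, RET_OFF = 32 };
static struct { uint8_t data[FRAME_SIZE]; size_t size; } g_var;

static void set_variable(const void *data, size_t size) {
    /* Capped only so the mock below never writes outside the demo frame. */
    if (size > sizeof g_var.data) size = sizeof g_var.data;
    memcpy(g_var.data, data, size);
    g_var.size = size;
}

/* Mock of gRT->GetVariable() with the spec's contract: if *DataSize is too
 * small it returns EFI_BUFFER_TOO_SMALL and stores the required size;
 * otherwise it copies the variable, trusting that Data really has
 * *DataSize bytes of room, and stores the size actually copied. */
static EFI_STATUS GetVariable(size_t *DataSize, void *Data) {
    if (g_var.size == 0) return EFI_NOT_FOUND;
    if (*DataSize < g_var.size) { *DataSize = g_var.size; return EFI_BUFFER_TOO_SMALL; }
    memcpy(Data, g_var.data, g_var.size);
    *DataSize = g_var.size;
    return EFI_SUCCESS;
}

/* Vulnerable "double GetVariable" pattern. The stack frame is modelled as a
 * flat byte array so the overwrite stays observable and well-defined here;
 * in real firmware the bytes past Buf are saved registers and the return
 * address of the DXE driver's function. */
static EFI_STATUS read_config_vulnerable(uint8_t frame[FRAME_SIZE]) {
    uint8_t *Buf = frame;                 /* plays the role of: UINT8 Buf[8]; */
    size_t DataSize = 0;
    EFI_STATUS st = GetVariable(&DataSize, NULL);   /* probe: learn the size */
    if (st != EFI_BUFFER_TOO_SMALL) return st;
    /* BUG: DataSize came from NVRAM and is never compared with BUF_SIZE. */
    return GetVariable(&DataSize, Buf);
}

/* Hardened version: pass the buffer's real capacity and let GetVariable()
 * refuse anything larger. With no probe call there is no reported size to
 * forget to check and no window for the variable to change between calls. */
static EFI_STATUS read_config_hardened(uint8_t Buf[BUF_SIZE], size_t *OutSize) {
    size_t DataSize = BUF_SIZE;
    EFI_STATUS st = GetVariable(&DataSize, Buf);
    if (st == EFI_SUCCESS) *OutSize = DataSize;
    return st;
}

/* Demo 1: a 48-byte attacker value (constructed) smashes the frame past Buf.
 * Returns true if the slot modelling the saved return address was overwritten. */
bool demo_vulnerable_clobbers_return(void) {
    uint8_t payload[48];
    memset(payload, 0x41, sizeof payload);
    set_variable(payload, sizeof payload);
    uint8_t frame[FRAME_SIZE] = {0};
    read_config_vulnerable(frame);
    for (int i = 0; i < 8; i++) if (frame[RET_OFF + i] != 0x41) return false;
    return true;
}

/* Demo 2: the same payload against the hardened reader is rejected before
 * a single byte is copied. Returns the hardened reader's status. */
EFI_STATUS demo_hardened_rejects_oversized(void) {
    uint8_t payload[48];
    memset(payload, 0x41, sizeof payload);
    set_variable(payload, sizeof payload);
    uint8_t Buf[BUF_SIZE] = {0};
    size_t n = 0;
    return read_config_hardened(Buf, &n);
}

/* Demo 3: a legitimate 4-byte value still reads fine. Returns bytes read. */
size_t demo_hardened_reads_legit(void) {
    uint8_t legit[4] = {1, 2, 3, 4};
    set_variable(legit, sizeof legit);
    uint8_t Buf[BUF_SIZE] = {0};
    size_t n = 0;
    if (read_config_hardened(Buf, &n) != EFI_SUCCESS) return 0;
    return Buf[3] == 4 ? n : 0;
}

int main(void) {
    printf("vulnerable reader clobbered return slot: %s\n",
           demo_vulnerable_clobbers_return() ? "yes" : "no");
    printf("hardened reader rejected oversized value: %s\n",
           demo_hardened_rejects_oversized() == EFI_BUFFER_TOO_SMALL ? "yes" : "no");
    printf("hardened reader read legit value: %zu bytes\n", demo_hardened_reads_legit());
    return 0;
}
```

Build and run with `cc -o getvar_demo getvar_demo.c && ./getvar_demo`. The check to look for when auditing a DXE driver is the one the hardened reader makes implicit: whatever size the driver hands to GetVariable() must be the capacity of the destination buffer, never a value read back from NVRAM, since that value is under the control of anyone who can call SetVariable() from the OS.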
“With this disclosure, we have opened Pandora's box of ARM devices with UEFI firmware vulnerabilities impacting enterprise vendors. As far as we know, this is the first major vulnerability disclosure related to UEFI firmware on ARM,” said Binarly chief executive officer Alex Matrosov.

“Vulnerabilities in reference code are usually one of the most impactful since they tend to affect the whole ecosystem and not just a single vendor. Due to the complexity of the UEFI firmware supply chain, these vulnerabilities often create additional impact,” Matrosov said, noting that UEFI's unified specification not only brings consistency to the firmware development process, but also to attack surfaces.

In a statement, Qualcomm expressed thanks to Binarly for assisting with the research and coordinated disclosure:
“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend security researcher Alex Matrosov of Binarly for using industry-standard coordinated disclosure practices, and we have worked with Lenovo to address the reported boot issues. Patches were made available in November 2022, and we encourage affected end users to apply security updates when they become available from their device makers.” – Qualcomm spokesperson
Binarly commends the PSIRT team at Qualcomm for their timely professionalism in responding to these vulnerability reports. It took only two months to release the fixes and secure the supply chain after Binarly reported the reference code vulnerabilities in October 2022.
For an issue with such broad impact across the entire UEFI ARM-based ecosystem, this is a timeline we have not experienced before when working with other vendors.
Closer collaboration between the vendor and researcher can significantly reduce the disclosure timeline and assist industry in recovering from repeatable firmware security failures.

Technical details on these findings are now available on the Binarly blog.

About Binarly

Founded in 2021, Binarly brings decades of research experience identifying hardware and firmware security weaknesses and threats. Based in Pasadena, California, Binarly’s agentless, enterprise-class AI-powered firmware security platform helps protect against advanced threats below the operating system. The company’s technology addresses firmware supply chain security problems by identifying vulnerabilities and malicious firmware modifications and by providing firmware SBOM visibility, all without access to the source code. Binarly’s cloud-agnostic solutions give enterprise security teams actionable insights and reduce the cost and time to respond to security incidents.

Media Contact

media@binarly.io

818.351.9637