Binarly Discloses Multiple Firmware Vulnerabilities in Qualcomm and Lenovo ARM-based Devices
Binarly’s REsearch team has led the coordinated disclosure of multiple vulnerabilities in Qualcomm reference code and ARM-based Lenovo devices powered by UEFI firmware. Multiple vendors are affected including Microsoft Surface devices, Samsung, HP, and many others.
Pasadena, California - January 9, 2023 - Binarly Inc., providers of the industry’s first AI-powered firmware protection platform, has led the coordinated disclosure and mitigation of multiple vulnerabilities in UEFI firmware on ARM devices, including Qualcomm Snapdragon chips.
|Stack overflow via double GetVariable in DXE driver
| 8.2 (HIGH)
Stack-based Buffer Overflow
|Stack memory leak vulnerability in DXE driver
| 4.9 (MEDIUM)
“Vulnerabilities in reference code are usually one of the most impactful since they tend to affect the whole ecosystem and not just a single vendor. Due to the complexity of the UEFI firmware supply chain, these vulnerabilities often create additional impact,” Matrosov said, noting that UEFI's unified specification not only brings consistency to the firmware development process, but also to attack surfaces.
Technical details on these findings are now available on the Binarly blog.
Lenovo advisory: https://support.lenovo.com/us/en/product_security/LEN-103709
Founded in 2021, Binarly brings decades of research experience identifying hardware and firmware security weaknesses and threats. Based in Pasadena, California, Binarly’s agentless, enterprise-class AI-powered firmware security platform helps protect from advanced threats below the operating system. The company’s technology solves firmware supply chain security problems by identifying vulnerabilities, malicious firmware modifications and providing firmware SBOM visibility without access to the source code. Binarly’s cloud-agnostic solutions give enterprise security teams actionable insights, and reduce the cost and time to respond to security incidents.