Pasadena, California – March 8, 2022 – Firmware security specialist Binarly announces the discovery and coordinated disclosure of 16 new high-severity vulnerabilities in various implementations of UEFI firmware affecting multiple HP enterprise devices, including laptops, desktops, point-of-sale systems, and edge computing nodes.
These vulnerabilities (CVSS 7.5 - 8.8 high-severity rating) were found in HP UEFI firmware, and some of the issues affect AMD reference code (BRLY-2021-004 / CVE-2021-39298).
Using Binarly's in-house code similarity technology across its whole firmware corpus, a detection for a vulnerability originally found on HP devices triggered on a piece of firmware belonging to a Dell device, which led to the conclusion that the vulnerability exists in shared reference code. Additional investigation connects this code to AMD's firmware driver (AgesaSmmSaveMemoryConfig), which is widely spread across the entire computing ecosystem.
Binarly reported new findings to CERT/CC to simplify multi-vendor disclosures on all these vulnerabilities.
The company is constantly collaborating with HP and CERT/CC teams to understand the scope of the vulnerabilities and reduce the impact on enterprise infrastructure deployments globally.
In February this year, Binarly reported 23 critical firmware security flaws affecting the entire enterprise device ecosystem (see full media coverage at SecurityWeek and ZDNet).
The Binarly discoveries follow the publication of a new joint draft report issued by the leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce that identified firmware security as a major threat facing U.S. software supply chains.
“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale,” according to the U.S. government report.
“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two U.S. agencies said.
Many device manufacturers and firmware development companies underestimate the impact of third-party risk from already known vulnerabilities. Binarly telemetry data shows that vulnerabilities already known and fixed for one vendor can remain unpatched for months in other vendors' products.
“Security is always a top priority for HP, and we value the work that Binarly is doing and thank them for responsibly reporting to HP. Please follow our Security Bulletins for updates. We encourage our customers to always keep their systems up to date,” said HP PSIRT.
The HP disclosure information is available at:
https://support.hp.com/us-en/document/ish_5661066-5661090-16
https://support.hp.com/us-en/document/ish_5817864-5817896-16
A breakdown of the vulnerabilities and their impact:
CVE ID | Binarly ID | Description | CVSS Score
CVE-2021-39297 | BRLY-2021-003 | DXE stack buffer overflow (arbitrary code execution) | 7.7 High
CVE-2021-39298 | BRLY-2021-004 | SMM callout (privilege escalation) | 8.8 High
CVE-2021-39299 | BRLY-2021-005 | DXE stack buffer overflow (arbitrary code execution) | 8.2 High
CVE-2021-39300 | BRLY-2021-006 | DXE stack overflow vulnerability (arbitrary code execution) | 8.2 High
CVE-2021-39301 | BRLY-2021-007 | DXE stack overflow (arbitrary code execution) | 7.7 High
CVE-2022-23924 | BRLY-2021-032 | SMM heap buffer overflow (arbitrary code execution) | 8.2 High
CVE-2022-23925 | BRLY-2021-033 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23926 | BRLY-2021-034 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23927 | BRLY-2021-035 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23928 | BRLY-2021-036 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23929 | BRLY-2021-037 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23930 | BRLY-2021-038 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23931 | BRLY-2021-039 | SMM memory corruption (arbitrary code execution) | 8.2 High
CVE-2022-23932 | BRLY-2021-040 | SMM callout (privilege escalation) | 8.2 High
CVE-2022-23933 | BRLY-2021-041 | SMM callout (privilege escalation) | 8.2 High
CVE-2022-23934 | BRLY-2021-042 | SMM memory corruption (arbitrary code execution) | 8.2 High
The devices impacted range from laptops and desktops to retail point-of-sale systems. By exploiting the disclosed vulnerabilities, attackers can achieve privileged code execution in firmware, below the operating system, and potentially deliver persistent malicious code that survives operating system re-installations and bypasses endpoint security solutions (EDR/AV), Secure Boot, and Virtualization-Based Security isolation.
“Binarly believes that the lack of a knowledge base of common firmware exploitation techniques and primitives related to UEFI firmware makes these failures repeatable for the entire industry. We are working hard to fill this gap by providing comprehensive technical details in our advisories. This knowledge base is crucial for developing effective mitigations and defense technologies for device security,” said Alex Matrosov, Founder and CEO at Binarly.
Additional Information:
Read detailed descriptions of the discoveries in the Binarly Vulnerability Advisories: https://www.binarly.io/advisories
Read additional details in the Binarly blog:
About Binarly
Founded in 2021, Binarly brings decades of research experience identifying hardware and firmware security weaknesses and threats. Based in Pasadena, California, Binarly’s agentless, enterprise-class AI-powered firmware security platform helps protect from advanced threats below the operating system. The company’s technology solves firmware supply chain security problems by identifying vulnerabilities, malicious firmware modifications and providing firmware SBOM visibility without access to the source code. Binarly’s cloud-agnostic solutions give enterprise security teams actionable insights, and reduce the cost and time to respond to security incidents.
Media Contact