More than 20 vulnerabilities have been found affecting unified extensible firmware interfaces (UEFI) software, allowing attackers to bypass hardware security mechanisms. Credit: Atakan / Getty Images Security firm Binarly has discovered more than 20 vulnerabilities hiding in BIOS/UEFI software from a wide range of system vendors, including Intel, Microsoft, Lenovo, Dell, Fujitsu, HP, HPE, Siemens, and Bull Atos. Binarly found the issues were associated with the use of InsydeH20, a framework code used to build motherboard unified extensible firmware interfaces (UEFI), the interface between a computer’s operating system and firmware. All of the aforementioned vendors used Insyde’s firmware SDK for motherboard development. It is expected that similar types of vulnerabilities exist in other in-house and third-party BIOS-vendor products as well. These vulnerabilities are particularly dangerous because UEFI/BIOS-based attacks can bypass firmware-based security mechanisms. These vulnerabilities include SMM allout or privilege escalation, SMM memory corruption, and DXE memory corruption. The potential damage done by these vulnerabilities is severe because they can be used by attackers to bypass hardware–based security features such as secure boot, virtualization-based security (VBS), and trusted platform modules (TPM). The vulnerabilities are in the UEFI but allow malware to be installed on the system that can survive a hard-drive wipe and operating-system reinstallation. Initially, Binarly disclosed 23 new vulnerabilities but then found five more specific to HP hardware. The vulnerabilities affect both desktop and server hardware, according to Binarly, which has reported them to enterprise vendors and to Insyde. Fixes are in the works. Binarly said it has worked closely with CERT/CC and Insyde teams over the last few months to confirm the vulnerabilities, provide additional technical details, evaluate the associated risk, and work through the responsible disclosure process. Insyde has patched all of the vulnerabilities, but firmware rollouts tend to be slow because firmware is just not updated as frequently as software. Binarly notes that the VINCE platform developed by the CERT/CC team for vulnerability disclosure has been tested in a real environment to significantly reduce the time from the initial disclosure to the security fix down to five months. The usual single-vendor disclosure process takes more than six months—a long time to leave a serious vulnerability unpatched. Binarly has also partnered with the Linux Vendor Firmware Service (LVFS) to discover other vendors and scale detections further to identify affected hardware models using its firmware vulnerability detection tool, called FwHunt. To check if your computer is infected with these vulnerabilities, download FwHunt from GitHub. Related content news High-bandwidth memory nearly sold out until 2026 While it might be tempting to blame Nvidia for the shortage of HBM, it’s not alone in driving high-performance computing and demand for the memory HPC requires. By Andy Patrizio May 13, 2024 3 mins CPUs and Processors High-Performance Computing Data Center news CHIPS Act to fund $285 million for semiconductor digital twins Plans call for building an institute to develop digital twins for semiconductor manufacturing and share resources among chip developers. By Andy Patrizio May 10, 2024 3 mins CPUs and Processors Data Center news HPE launches storage system for HPC and AI clusters The HPE Cray Storage Systems C500 is tuned to avoid I/O bottlenecks and offers a lower entry price than Cray systems designed for top supercomputers. By Andy Patrizio May 07, 2024 3 mins Supercomputers Enterprise Storage Data Center news Lenovo ships all-AMD AI systems New systems are designed to support generative AI and on-prem Azure. By Andy Patrizio Apr 30, 2024 3 mins CPUs and Processors Data Center PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe