The U.S. Computer Security Emergency Response Team Coordination Center CERT/CC recently issued a warning that some UEFI implementations have vulnerabilities that allow malicious actors to obtain local administrator privileges in system management mode (SMM) to execute arbitrary code.
As a software interface between the operating system and the device hardware, UEFI uses a CPU mode with higher privilege than the core—SMM mode—to communicate directly with the hardware, and the operating system does not know or record when the system enters SMM mode. SMM processing is performed in the dedicated SMRAM system management memory area.
The vulnerability this time is based on insufficient permission verification for SMRAM, which gives attackers the opportunity to use DMA timing attacks to rewrite the content of SMRAM, thereby executing arbitrary code, bypassing security mechanisms such as SecureBoot to escalate to higher permissions than the operating system. , install malicious programs, open backdoors, or make the system unable to start normally.
Attackers can also exploit the vulnerable System Management Interrupt (SMI) processor to launch attacks on the operating system. Even more frightening is that under certain circumstances, this vulnerability can be triggered during the UEFI early boot phase, including hibernation or recovery mode, before the operating system is fully booted.
According to CERT/CC, currently affected UEFI products include products from AMI, Dell, Hewlett Packard Enterprise (HPE), Insyde Software Corporation and Intel, while AMD, Phoenix Technologies and Toshiba have not found any vulnerabilities. Products such as Acer, AsusTeK, GIGABYTE, Lenovo, Microsoft and MSI are pending.
They urge users to install the latest stable version of UEFI firmware immediately to fix the problem.