But first let’s take a step back. UEFI (Unified Extensible Firmware Interface) is the replacement/upgrade for the standard BIOS (Basic Input Output System). It is an improvement on the original and allows for a faster and more flexible system to control hardware resources and access to them. UEFI is important during the boot process as the operating system identifies and begins to communicate with all the hardware at its disposal. The UEFI firmware is maintained on the flash memory chip on the motherboard (or mainboard) and all devices connected to the motherboard communicate with the OS via this subsystem. This low-level control along with its complexity make it a significant target for attackers.
If an attacker can get to the UEFI and implant malware there, it can run undetected by the OS and any antimalware present there. It can also compromise or blind the secure boot function to allow injection of malware to the OS before the boot process is complete. Any such malware would survive an OS reload making it exceptionally persistent. Finally, an attacker can (as we saw at Def Con 22) brick the system if they are discovered by simply rewriting 2 bits in the UEFI firmware. They could effectively bring down an entire organization with a single command.
Yesterday, Insyde Software announced a total of 23 (yes 23) vulnerabilities in their InsydeH2O UEFI firmware. InsydeH2O is used by a significant number of vendors including Juniper Networks, HP, and Lenovo. Because the flaws are core flaws, they will be present in these devices are well making this a serious issue and one with no good methods to patch at scale.
The vulnerabilities were mostly in the System Management Mode (SMM) and included a Privilege Escalation and Memory Corruption. SMM Code can execute at the highest privilege and can, with the right nudge, even fool another process into performing an unauthorized task. All while remaining invisible to the OS and any security software running on it.
Insyde has released patches for these critical vulnerabilities as part of the disclosure of them which is good news. The bad news is that there will most likely be a significant delay from the release of these patches until we actually see them hit the vendors that use InsydeH2O. This is a window of opportunity for attackers that is unfortunate for the defenders. For the next couple of months (at least) security teams will need to be extra vigilant when it comes to observing device behavior and network communication. These are probably the only reliable way to detect and respond to a threat of this type. Hopefully the criticality of this threat will motivate the OEMs to get these patches out quickly and organization to run them as soon as they are available.