Intel, Lenovo and more hit by major BIOS security flaws


UEFI firmware from the software company Insyde carries 23 flaws, many of them critical, that would allow malicious actors to persist on a target device, install malware and steal sensitive data, all while accessing the endpoint remotely, experts have warned.

The flaws were discovered by firmware protection company Binarly, which claims more than two dozen hardware manufacturers are affected, including top-end OEMs such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer.

UEFI (Unified Extensible Firmware Interface) is a software interface that serves as a bridge between the device’s firmware and the operating system. It handles the bootup, system diagnostics, as well as some system repair features.

High severity flaws

The 23 flaws are tracked as: CVE-2020-27339, CVE-2020-5953, CVE-2021-33625, CVE-2021-33626, CVE-2021-33627, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-41840, CVE-2021-41841, CVE-2021-42059, CVE-2021-42060, CVE-2021-42113, CVE-2021-42554, CVE-2021-43323, CVE-2021-43522, CVE-2021-43615, CVE-2021-45969, CVE-2021-45970, CVE-2021-45971, CVE-2022-24030, CVE-2022-24031, CVE-2022-24069.

Of those, three (CVE-2021-45969, CVE-2021-45970, and CVE-2021-45971) have received a 9.8 out of 10 severity rating.

“The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code,” Binarly explained.

“All of the aforementioned vendors (over 25) were using Insyde-based firmware SDK to develop their pieces of (UEFI) firmware.”

While Insyde has released firmware patches to address the issue, these now need to be integrated by the OEMs and shipped in updates for affected products, and that can take a long time. What makes the issue more complicated is that some of the affected devices have already passed their end-of-life date and are no longer supported.

Others may cross that threshold before OEMs release a fix.

BleepingComputer notes that only Insyde, Fujitsu, and Intel have confirmed being affected by the flaws. Rockwell, Supermicro, and Toshiba have confirmed not being impacted. The remaining OEMs are still investigating the matter.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.