"New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access"
Security researchers at Binarly have discovered another round of potentially serious firmware vulnerabilities that could allow attackers to gain persistent access to millions of affected devices. The researchers identified seven new security holes in InsydeH2O UEFI firmware provided by Insyde Software. The impacted code is used by dozens of other companies, including major vendors such as HP, Dell, Intel, Microsoft, Fujitsu, Framework, and Siemens. The researchers noted that exploiting the new vulnerabilities requires local privileged OS access, but many of them have still been assigned a "high severity" rating. The researchers stated that the flaws are related to System Management Mode (SMM) and can lead to information disclosure or arbitrary code execution. Alex Matrosov, the CEO of Binarly, stated that "these vulnerabilities can be used as second or third stage in the exploit chain to deliver long-term persistence invisible to most of the security solutions available in the market." The vendor has released patches and published advisories for the newly discovered vulnerabilities. CVE identifiers have also been assigned to each of the seven bugs. Matrosov stated that while Insyde has developed patches, it will take a long time for the fixes to reach devices. Matrosov noted that in terms of supply chain impact, it will take 6-9 months, based on their data, for the vulnerabilities to be patched by device manufacturers, at least on all enterprise devices.