Intel, Lenovo and more hit by major BIOS security flaws

High severity flaws allow malware to persist even after OS reinstall

UEFI firmware from the software company Insyde carries 23 flaws, many of which are critical and would allow malicious actors to persist on a target device, install malware, and steal sensitive data, all while accessing the endpoint remotely, experts have warned.

The flaws were discovered by firmware protection company Binarly, which claims more than two dozen hardware manufacturers are affected, including top-end OEMs such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer.

UEFI (Unified Extensible Firmware Interface) is a software interface that serves as a bridge between the device’s firmware and the operating system. It handles the boot-up process and system diagnostics, as well as some system repair features.

High severity flaws

The 23 flaws are tracked as: CVE-2020-27339, CVE-2020-5953, CVE-2021-33625, CVE-2021-33626, CVE-2021-33627, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-41840, CVE-2021-41841, CVE-2021-42059, CVE-2021-42060, CVE-2021-42113, CVE-2021-42554, CVE-2021-43323, CVE-2021-43522, CVE-2021-43615, CVE-2021-45969, CVE-2021-45970, CVE-2021-45971, CVE-2022-24030, CVE-2022-24031, CVE-2022-24069.

Of those, three (CVE-2021-45969, CVE-2021-45970, and CVE-2021-45971) have received a 9.8 out of 10 severity rating.

“The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code,” Binarly explained.

“All of the aforementioned vendors (over 25) were using Insyde-based firmware SDK to develop their pieces of (UEFI) firmware.”

While Insyde has released firmware patches to address the issue, these now need to be accepted by the OEMs and shipped to affected products, and that might take a while. What makes the issue that much more complicated is the fact that some of the affected devices have already passed their end-of-life date and are no longer supported.

Others may cross that threshold before OEMs come up with a fix.

BleepingComputer notes that only Insyde, Fujitsu, and Intel have confirmed being affected by the flaws. Rockwell, Supermicro, and Toshiba have confirmed not being impacted. The remaining OEMs are still investigating the matter.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.