Binarly, a security research company that deals with firmware threats, has disclosed in a recent blog post that the InsydeH2O "Hardware-2-Operating System" UEFI BIOS, a firmware used by several major industry vendors like Microsoft, Intel, HP, Dell, Lenovo, Siemens, Fujitsu, among others, is susceptible to nearly two dozen security vulnerabilities.
In total, there are 23 such vulnerabilities mostly affecting the System Management Mode (SMM) that are given below alongside their assigned security IDs.
Since it is a firmware-level flaw, the successful exploitation can lead to persistent malware that may be almost impossible to get rid of.
Here's how Binarly describes the vulnerabilities discovered.
The majority of the vulnerabilities disclosed (CVSS score: 7.5 - 8.2 high-severity rating) lead to code execution with SMM privileges. As part of the exploit chain, these vulnerabilities can be used as the second stage to bypass security features or gain long-term persistence. [..]
By exploiting these vulnerabilities, attackers can successfully install malware that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation.
The active exploitation of all the discovered vulnerabilities can’t be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement. The remote device health attestation solutions will not detect the affected systems due to the design limitations in visibility of the firmware runtime.
Binarly first discovered the vulnerabilities on Fujitsu's LIFEBOOK notebooks but quickly realized that other vendors, like those mentioned above, were also susceptible to these issues as they were also utilizing InsydeH2O UEFI solutions.