Qualcomm and Lenovo Fix High Severity UEFI Vulnerabilities in Chipsets

essidsolutions

Security researchers at Binarly have discovered nine UEFI firmware vulnerabilities in Qualcomm Snapdragon chipsets. The chipmaker has already released patches to address the security holes that impact Samsung, Lenovo and other devices.

Last week, Qualcomm disclosed the vulnerabilities and rolled out patches for the security bugs residing in the Unified Extensible Firmware Interface (UEFI) firmware reference code of its Snapdragon series of processors. According to researchers, the vulnerabilities impact devices with the ARM architecture.

As Binarly noted, “We opened Pandora’s box of ARM devices with UEFI firmware vulnerabilities impacting enterprise vendors.” In its previous research on firmware security, Binarly noted how vulnerabilities in firmware, an underlying component at the core of any electronic device, tend to have a long-lasting impact on overall system security. Firmware flaws also allow attackers to achieve persistence, i.e., they survive system reboot and shutdown cycles, complete reinstallation of the operating system, and hard drive formatting.

However, what’s noteworthy about Binarly’s recent findings is that the firmware flaws, which were previously relegated to the x86 architecture, were found in ARM-based devices. “As far as we know, this is the first major vulnerability disclosure related to UEFI firmware on ARM,” Binarly added.

Five of the nine vulnerabilities, viz., CVE-2022-40516, CVE-2022-40517, CVE-2022-40520, CVE-2022-40518, and CVE-2022-40519, reside in the Qualcomm reference code and, by extension, impact downstream customers and their respective devices. Binarly’s research confirmed Lenovo’s ThinkPad series, Microsoft’s Surface range of laptops, and Windows Dev Kit 2023 (Project Volterra) to be vulnerable.

Three of these bugs, i.e., CVE-2022-40516, CVE-2022-40517, and CVE-2022-40520, are stack-based buffer overflow vulnerabilities in the Driver Execution Environment (DXE) driver with a CVSS score of 8.2, placing them in the ‘High’ severity category. “They can lead to a secure boot bypass, and enable an attacker to gain persistence on a device by gaining sufficient privileges to write to the file system,” Binarly explained.

CVE-2022-40518 and CVE-2022-40519 are out-of-bounds read bugs of moderate severity (CVSS scores of 4.9 and 6, respectively).

Additionally, CVE-2022-4432, CVE-2022-4433, CVE-2022-4434, and CVE-2022-4435 are also out-of-bounds read flaws in the DXE driver that can lead to information disclosure, all with a relatively low CVSS score of 6. These are specific to Lenovo devices (BIOS). Binarly added, “An attacker can gain read access to the privileged boot code through all of these vulnerabilities.”

Qualcomm released patches for the bugs back in November 2022. In its January 2023 security bulletin, the company also detailed 17 other critical, high and medium severity vulnerabilities discovered internally in automotive, wireless LAN, Android, audio and other components.

Meanwhile, the fix for Lenovo requires updating the ThinkPad X13s BIOS to version 1.47 (N3HET75W) or newer, as per the company’s advisory.

“We commend security researcher Alex Matrosov of Binarly for using industry-standard coordinated disclosure practices, and we have worked with Lenovo to address the reported boot issues,” noted a Qualcomm spokesperson. “Patches were made available in November 2022, and we encourage affected end users to apply security updates when they become available from their device makers.”
