Dell, HP Still Using Risky Firmware Despite Years to Correct This
Written By: Austin Miller
A damning report from Binarly has shown that a number of Dell, HP, and other major enterprise vendors have been loading critically vulnerable firmware onto their systems for at least six years. Described as “repeatable failures”, the list of CVEs that are associated with these vendors is now growing to an incredible size.
The frustrating thing from Binarly’s perspective is that these firmware issues have been included in numerous iterations of the firmware released by Dell and HP. Although these vulnerabilities have been known to many major vendors for years, they are still included in the firmware of some of the most popular products available! Firmware development is dense and difficult to enter, but now that the adversary is looking to exploit these recurring vulnerabilities.
What are the vulnerabilities?
There are numerous critical vulnerabilities that have been found by Binarly, an AI-powered firmware protection company. As of yet, not all the vulnerabilities have been disclosed to the public, but Dell has made the most significant of these available. Among the most potent of these issues include:
|CVE-2022-24420||8.2||SMM Memory Corruption: Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution during SMM.|
|CVE-2022-24421||8.2||SMM Memory Corruption: Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution during SMM.|
|CVE-2022-24419||8.2||SMM Callout: Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution during SMM.|
What do these vulnerabilities have in common?
Most of the vulnerabilities unearthed by Binarly are related to a UsbRt vulnerability. Due to how common the UsbRt GUID is, a search on the Linux Vendor Firmware Service can show a number of reputable vendors are potentially at risk to the above CVEs and a variety of other vulnerabilities that are yet to be released to the public.
It’s understandable that Dell and other companies have released firmware with vulnerabilities in it – that’s an inevitable fact of the modern world. However, the uncomfortable realization that these vulnerabilities have gone unaddressed in various releases. The timeline for these discoveries can be seen here:
How does an AMI UsbRt Attack Work?
The AMI gUsbData structure (key to the UsbRt GUID) is incredibly complex and has more than 30 unique fields. This makes it an absolute minefield for potential vulnerabilities. Due to the nature of firmware development, there is no way around this. But manipulating the firmware at the operating system level is possible, meaning that these vulnerabilities are prime real estate for the adversary.
An example of an exploit in action
The CVE-2017-5721 vulnerability was discovered in the UsbRt API interface. It looked like this:
This vulnerability could be exploited to arbitrarily execute code on a machine. The patch, however, was interesting in that it has lead to a new vulnerability. This concerns the ValidateUsbData() function that can be found with a little bit of digging.
Due to a mistake in the code, the incorrect cryptographic hash function is included – CRC32. By default, this is a weakness in the system which can be exploited.
How do we exploit it? We spoof the CRC32 hash and the validation barriers that the firmware uses to sanitize data are bypassed. The process for spoofing the hash can be found here if you wish to try it out on your own systems.
Remember, this is just one of the various CVEs associated with this type of UsbRt vulnerability. There are at least eight known vulnerabilities uncovered by Binarly awaiting patches for Dell, HP, and other major vendor systems, but the implication of this research says there are many more that are just waiting to be found by the adversary.
What can I do about Dell, HP still using risky firmware despite years of correcting it?
As always, updating your systems to the most current safe version is the first port of call. Due to the complexity of the source code that makes up the firmware used in Dell, HP, and other major vendor systems, it is practically impossible to patch all vulnerabilities at the same time. However, known vulnerabilities such as the ones listed above are long-term vulnerabilities and have been included in the source code of many systems.
If you want more practical steps to ensure the protection of your systems until an update is available, removing the UsbRt component from UEFI firmware updates will reduce the risk. This is a difficult process and will require you to maintain the code as new updates and patches are released.