The recently disclosed critical vulnerability tracked as CVE-2022-26873 has drawn wide attention in the cybersecurity community. It allows an attacker to execute arbitrary code during the PEI phase of the boot process and to influence subsequent boot stages on systems running AMI Aptio 5.x firmware. Such execution can bypass several security mitigations, disclose physical memory contents, expose secrets held by Virtual Machines (VMs), and break memory isolation and confidential computing boundaries, putting sensitive information at risk.

This critical vulnerability was discovered within the following module:

Module name: PlatformInitAdvancedPreMem
SHA256: 644044fdb8daea30a782ef5f88dbf5cd460af72fbf70418e9d2e47efed8d9b
Module GUID: EEEE611D-F78F-4FB9-B868-55907F169280

The module is part of the AMI Aptio 5.x firmware, a widely used firmware solution employed in many computing systems. The vulnerability stems from an issue in the implementation of the PlatformInitAdvancedPreMem module.

An attacker exploiting this vulnerability can build a payload and inject it into SMRAM (System Management RAM). This payload lets the attacker gain control during the PEI phase, bypassing system-level security measures and gaining complete access to the system and its information. The exploit can potentially break through the barriers meant to maintain separation between Virtual Machines and their host system, thereby compromising the secrets of those VMs.

This code skeleton illustrates the structure of the vulnerability exploit (the function bodies are outlines only):

void PEI_Phase_Attacker_Function(void)
{
    // Attacker code to execute during PEI phase.
    // Includes payload injection into SMRAM memory.
}

void PlatformInitAdvancedPreMem_Function(void)
{
    // Original PlatformInitAdvancedPreMem module implementation.
}

int main(void)
{
    // Code called during the boot process.
    PlatformInitAdvancedPreMem_Function(); // Vulnerability exploit is executed here.
    return 0;
}

Original References

The CVE-2022-26873 vulnerability exploit was first reported and documented by [RESEARCHER_NAME] on their blog post [LINK_TO_ORIGINAL_POST]. The specific details of the exploit, including the module affected and potential consequences, were detailed therein.

Mitigation and Remediation

System administrators and security teams should identify affected systems running the vulnerable AMI Aptio 5.x firmware and apply the patches provided by the vendor. Organizations must remain vigilant and keep their systems up to date with the latest firmware and security patches, as this minimizes the risk and potential impact of this critical vulnerability.
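As an added, defender-side example that is not from the original post or from AMI, the following Python script locates an FFS file by its name GUID (the module GUID quoted above) in a raw SPI flash dump, reads the file size from the FFS header, and hashes the file so the result can be compared against a vendor or advisory hash during an inventory check. The sample image, its body bytes and header field values are constructed here; the FFS header layout is the standard EFI_FFS_FILE_HEADER.

```python
import hashlib
import uuid

# Module GUID quoted in the advisory text (PlatformInitAdvancedPreMem).
MODULE_GUID = "EEEE611D-F78F-4FB9-B868-55907F169280"

# EFI_FFS_FILE_HEADER: Name (16), IntegrityCheck (2), Type (1),
# Attributes (1), Size (3, little-endian), State (1) = 24 bytes.
FFS_HEADER_LEN = 24


def guid_bytes(guid_text):
    """On-flash encoding of a GUID (mixed-endian EFI_GUID layout)."""
    return uuid.UUID(guid_text).bytes_le


def find_ffs_files(image, guid_text):
    """Return (offset, size, sha256_hex) for each FFS file named guid_text.

    Size is the 3-byte Size field and covers header plus body, so the hash
    is over the whole FFS file as stored in flash.
    """
    needle = guid_bytes(guid_text)
    hits = []
    pos = image.find(needle)
    while pos != -1:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if len(hdr) == FFS_HEADER_LEN:
            size = int.from_bytes(hdr[20:23], "little")
            ffs_file = image[pos:pos + size]
            if size >= FFS_HEADER_LEN and len(ffs_file) == size:
                hits.append((pos, size, hashlib.sha256(ffs_file).hexdigest()))
        pos = image.find(needle, pos + 1)
    return hits


def build_sample_image():
    """Constructed test image: padding, one FFS file with the module GUID, padding."""
    body = b"\x90" * 100  # constructed placeholder body, not real module code
    size = FFS_HEADER_LEN + len(body)
    header = (guid_bytes(MODULE_GUID)
              + b"\x00\x00"                 # IntegrityCheck (not verified here)
              + b"\x06"                     # Type: EFI_FV_FILETYPE_PEIM
              + b"\x00"                     # Attributes
              + size.to_bytes(3, "little")  # Size
              + b"\xf8")                    # State (constructed value)
    return b"\xff" * 64 + header + body + b"\xff" * 32


if __name__ == "__main__":
    for off, size, digest in find_ffs_files(build_sample_image(), MODULE_GUID):
        print(f"offset=0x{off:x} size={size} sha256={digest}")
```

On a real dump, compare the reported digest with the hash published by the vendor or advisory to confirm which build of the module is present; hits with an inconsistent size field are skipped rather than reported.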

Conclusion

CVE-2022-26873 represents a significant threat to those using systems with AMI Aptio 5.x firmware. Swift action is required to remediate this vulnerability to protect sensitive information and maintain the security of both host systems and Virtual Machines. By remaining vigilant and up-to-date with the latest security patches, organizations can mitigate the risks associated with this dangerous exploit.

Timeline

Published on: 09/20/2022 18:15:00 UTC
Last modified on: 09/26/2022 13:49:00 UTC