The FwBlockServiceSmm driver, a component of the system firmware on many PCs, has been found to contain incorrect pointer checks that could allow an adversary to modify arbitrary locations in system memory and SMRAM. The vulnerability, tracked as CVE-2022-29277, lies in the SpiAccessLib instances of the driver: they can be tricked into writing 0xFF to arbitrary addresses in both system RAM and SMRAM, with unpredictable consequences.

Affected Systems and Fixed Versions

The following systems are affected by CVE-2022-29277; their respective fixed versions are as follows:

Eagle Stream: 05.44.25.0052
Greenlow/Greenlow-R (Skylake/KabyLake): Trunk
Mehlow/Mehlow-R (CoffeeLake-S): Trunk
Snow Ridge: Trunk
Grangeville DE: 05.05.15.0038
Grangeville DE NS: 05.27.26.0023
Bakerville: 05.21.51.0026
Idaville: 05.44.27.003
Whiskey Lake: Trunk
Comet Lake-S: Trunk
Tiger Lake H/UP3: 05.43.12.0052
Alder Lake: 05.44.23.0047
Gemini Lake: Not Affected
Apollo Lake: Not Affected
Elkhart Lake: 05.44.30.0018
AMD ROME: Trunk
MILAN: 05.36.10.0017
GENOA: 05.52.25.0006
Snowy Owl: Trunk
R100: 05.32.50.0018
R200: 05.44.30.0005
V200: Trunk
V300: 05.44.30.0007
Ryzen 500: 05.44.30.0004
Embedded ROME: Trunk
Embedded MILAN: Trunk
Hygon #1/#2: 05.36.26.0016
Hygon #3: 05.44.26.0007

Consider a vulnerable function, SpiAccessLibWrite, in the FwBlockServiceSmm driver:

EFI_STATUS
EFIAPI
SpiAccessLibWrite (
  IN UINTN BaseAddress,
  IN UINTN WriteSize
  )
{
  UINTN Index;

  //
  // BaseAddress and WriteSize come straight from the caller and are never
  // validated against the flash MMIO window or checked for overlap with
  // SMRAM, so the loop below fills whatever range the caller names with 0xFF.
  //
  for (Index = 0; Index < WriteSize; Index++) {
    MmioWrite8 (BaseAddress + Index, 0xFF);
  }

  return EFI_SUCCESS;
}

In this example, an attacker who controls BaseAddress and WriteSize can direct the 0xFF writes at arbitrary memory locations, including SMRAM.
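The missing check described above, as a hardened counterpart written for this page (an added example, not Insyde's code): the flash MMIO window, the SMRAM range and the in-memory stand-in for the flash window are constructed values, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example ranges (hypothetical, not from any real platform). */
#define FLASH_MMIO_BASE 0xFE000000ULL   /* SPI flash MMIO window */
#define FLASH_MMIO_SIZE 0x00010000ULL   /* 64 KiB stand-in window */
#define SMRAM_BASE      0x7F000000ULL
#define SMRAM_SIZE      0x00800000ULL

/* In-memory stand-in for the flash window so the example runs offline. */
static uint8_t g_flash_window[FLASH_MMIO_SIZE];

/* True if [base, base+size) lies wholly inside [rbase, rbase+rsize).
   Zero-length and wrapping ranges are rejected. */
static bool range_inside(uint64_t base, uint64_t size,
                         uint64_t rbase, uint64_t rsize)
{
    if (size == 0 || base > UINT64_MAX - size) return false;
    return base >= rbase && base + size <= rbase + rsize;
}

/* True if [base, base+size) touches [rbase, rbase+rsize); a wrapping
   range is treated as overlapping so it can never slip through. */
static bool range_overlaps(uint64_t base, uint64_t size,
                           uint64_t rbase, uint64_t rsize)
{
    if (size == 0 || base > UINT64_MAX - size) return true;
    return base < rbase + rsize && rbase < base + size;
}

/* The check the vulnerable write path lacks: the caller-supplied range must
   sit inside the flash window and never overlap SMRAM (in EDK2 the SMRAM
   part is what SmmMemLib's SmmIsBufferOutsideSmmValid provides). */
bool spi_write_request_is_valid(uint64_t base, uint64_t size)
{
    return range_inside(base, size, FLASH_MMIO_BASE, FLASH_MMIO_SIZE) &&
           !range_overlaps(base, size, SMRAM_BASE, SMRAM_SIZE);
}

/* Hardened counterpart of SpiAccessLibWrite: validate, then fill with 0xFF.
   Returns 0 on success, -1 (EFI_INVALID_PARAMETER in firmware terms) otherwise. */
int spi_write_ff(uint64_t base, uint64_t size)
{
    if (!spi_write_request_is_valid(base, size)) return -1;
    memset(&g_flash_window[base - FLASH_MMIO_BASE], 0xFF, (size_t)size);
    return 0;
}

/* Read back one byte of the stand-in window, for inspection. */
uint8_t spi_flash_byte(uint64_t offset) { return g_flash_window[offset]; }
```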

Original References and Exploit Details

The details about CVE-2022-29277 are available at the Insyde Security Pledge: https://www.insyde.com/security-pledge/SA-202206. The findings indicate that the vulnerable drivers could be abused by an attacker to alter the contents of memory to their advantage.

Mitigations and Recommendations

Users running affected systems are strongly advised to update their firmware to the fixed versions provided by their respective vendors. To prevent unauthorized tampering with the firmware and other vital components, enable hardware-based security features and follow best practices for handling sensitive data. Users should also be cautious about opening suspicious emails, attachments or links, to avoid falling victim to potential exploits.

Timeline

Published on: 11/15/2022 22:15:00 UTC
Last modified on: 11/22/2022 19:45:00 UTC