CVE-2022-30772: Potential SMRAM and OS Kernel Memory Overwrite Exploit through Manipulation of Input Address in PnpSmm Function x52

A potential vulnerability, tracked as CVE-2022-30772, may allow the input address passed to the PnpSmm function x52 to be manipulated. The issue arises when the PnpSmm driver is used in conjunction with SMBIOS and may be leveraged by malicious actors to overwrite SMRAM or operating system kernel memory. Insyde engineering discovered the vulnerability during a security review. The following kernels have received patches, fixing the issue:

For more information, please visit

https://www.insyde.com/security-pledge/SA-2022065

Code Snippet

The following code snippet demonstrates the potential vulnerability found in the PnpSmm function x52.

UINTN Address; // Caller-supplied address to write to (not validated)
UINTN Size;    // Caller-supplied size of the data to write (not validated)

// PnpSmm writes the data to SMBIOS at the caller-supplied address
Status = pInfo->PnpSmmFunc(&pInfo->Func52, Address, Size);

This code snippet is vulnerable because the values of Address and Size are not validated before the write is performed: the SMM handler writes to whatever range the caller supplies, so a caller can direct the write outside the SMBIOS table, into SMRAM or OS kernel memory.
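As an added example that is not part of the advisory or of Insyde's code, the following C function shows the kind of bounds check an SMM handler needs before honouring a caller-supplied address and size: reject zero or wrapping ranges, reject any overlap with SMRAM (the same intent as EDK2's SmmIsBufferOutsideSmmValid), and require the destination to lie entirely inside the SMBIOS window the handler owns. The SMRAM and SMBIOS addresses are constructed placeholders; real values come from the platform.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example ranges (placeholders, not real platform values). */
#define SMRAM_BASE   0x7E000000ULL
#define SMRAM_SIZE   0x00800000ULL
#define SMBIOS_BASE  0x7D000000ULL
#define SMBIOS_SIZE  0x00010000ULL

/* True if [base, base+size) and [rbase, rbase+rsize) share at least one byte.
 * Callers must have excluded wrapping ranges; end addresses are computed as
 * "last byte" so a range ending exactly at UINT64_MAX does not overflow. */
static bool ranges_overlap(uint64_t base, uint64_t size,
                           uint64_t rbase, uint64_t rsize)
{
    if (size == 0 || rsize == 0)
        return false;
    uint64_t end  = base  + (size  - 1);
    uint64_t rend = rbase + (rsize - 1);
    return base <= rend && rbase <= end;
}

/* The validation missing from the snippet above: returns true only when the
 * caller-supplied destination is non-empty, does not wrap the address space,
 * does not touch SMRAM, and is fully inside the SMBIOS table window. */
bool pnp_target_is_valid(uint64_t address, uint64_t size)
{
    if (size == 0)
        return false;
    if (address > UINT64_MAX - (size - 1))          /* address + size wraps */
        return false;
    if (ranges_overlap(address, size, SMRAM_BASE, SMRAM_SIZE))
        return false;                               /* would write SMRAM */
    if (address < SMBIOS_BASE)
        return false;
    return (address - SMBIOS_BASE) + size <= SMBIOS_SIZE;
}

int main(void)
{
    /* Constructed requests: one legitimate SMBIOS write, one aimed at SMRAM. */
    printf("SMBIOS write ok: %d\n", pnp_target_is_valid(SMBIOS_BASE + 0x40, 0x20));
    printf("SMRAM write ok:  %d\n", pnp_target_is_valid(SMRAM_BASE, 0x20));
    return 0;
}
```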

Exploit Details

The PnpSmm function x52 vulnerability can be exploited by manipulating the input address, allowing malware to overwrite both SMRAM and OS kernel memory. Because the write is performed from SMM, it bypasses the protections the operating system applies to its own memory. This may lead to unpredictable consequences, such as unauthorized access, system crashes, data loss, and potential exfiltration of sensitive information.

Mitigation Measures

To prevent exploitation of this vulnerability, system administrators and users should apply the appropriate updates mentioned in the introduction to the affected kernels. This will help ensure systems are protected and reduce the risk of unauthorized access, data loss, and other potential impacts.

Original References

For a detailed overview of this vulnerability, and the actions taken by Insyde engineering, please visit the original reference: https://www.insyde.com/security-pledge/SA-2022065

Conclusion

CVE-2022-30772 is a discovered vulnerability that may lead to exploitation through the manipulation of input addresses in the PnpSmm function x52. While writing data to the SMBIOS table is a seemingly harmless operation, improper validation of the address and size variables creates the potential for SMRAM and OS kernel memory overwrites by malicious actors. Ensuring the outlined security patches are in place will mitigate the risk and protect systems using affected kernels.

Timeline

Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/23/2022 17:24:00 UTC