CVE-2022-32267 - DMA Transactions Targeting Input Buffers in SmmResourceCheckDxe Software SMI Handler Lead to SMRAM Corruption

Summary: A flaw has been discovered in the SmmResourceCheckDxe driver that can be exploited through a TOCTOU attack targeting the input buffers of its software SMI handler. The attack leads to SMRAM corruption, compromising the integrity of the system. The vulnerability was discovered by Insyde engineers and has been patched in multiple kernel versions.

Introduction

Insyde engineering recently discovered a severe vulnerability, identified as CVE-2022-32267, that affects the SmmResourceCheckDxe software SMI handler in various kernel versions. The vulnerability allows a TOCTOU (Time of Check to Time of Use) attack in which DMA transactions modify the handler's input buffers after they have been checked but before they are used, leading to SMRAM corruption. Insyde has released patches for multiple kernel versions to address this issue, as referenced in its Security Advisory SA-2022046.

Exploit Details

The exploit takes advantage of the SmmResourceCheckDxe driver's software SMI handler, focusing on the input buffers this module reads from memory outside SMRAM. By timing DMA transactions so that an input buffer changes after the handler has validated it but before the handler uses it, an attacker can cause the handler to corrupt SMRAM.

The potential impact of this vulnerability includes the modification or extraction of sensitive information stored within SMRAM or even full system compromise.

Code Snippet

The following pseudocode sketches the sequence involved: a DMA transaction aimed at the SMI handler's input buffer, raced against the handler's processing of that buffer. The function names are illustrative rather than the driver's actual API.

// DMA transaction targeted at input buffer
// ... (attack initialization and timing)
DmaTransaction(&smiInputBuffer, sizeof(smiInputBuffer));

// SMM Resource Check handling
SmmResourceCheckDxe(&smiInputBuffer, &smiOutputBuffer);

// ... (attack continuation and execution)
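To make the check-then-use window concrete, here is an added example (not code from the page or from Insyde) modelling an SMI handler that validates a DMA-reachable input buffer in place, beside the hardened form that snapshots the buffer into SMRAM before validating it. The struct layout, the RaceHook callback that stands in for a DMA write, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a software SMI input buffer living in normal RAM,
 * where DMA can reach it. Layout and names are hypothetical. */
#define SMI_INPUT_MAX 16                 /* most payload the handler accepts */
typedef struct {
    uint32_t Length;                     /* DMA-writable at any time          */
    uint8_t  Data[64];                   /* oversized so the model stays in bounds */
} SmiInput;

/* Stands in for a DMA write that lands between the check and the use. */
typedef void (*RaceHook)(SmiInput *shared);

/* Vulnerable pattern: validate the shared buffer in place, then use it.
 * Whatever DMA writes after the check is consumed unvalidated. */
int SmiHandlerCheckInPlace(SmiInput *shared, RaceHook race,
                           uint8_t *smram_out, size_t out_len)
{
    if (shared->Length > SMI_INPUT_MAX || shared->Length > out_len)
        return -1;                       /* time of check */
    if (race) race(shared);              /* DMA transaction lands here */
    memcpy(smram_out, shared->Data, shared->Length);  /* time of use re-reads Length */
    return (int)shared->Length;          /* bytes actually written into SMRAM */
}

/* Hardened pattern: copy the buffer into SMRAM once, then validate and use
 * only the private copy; a later DMA write cannot reach it. */
int SmiHandlerCopyThenCheck(SmiInput *shared, RaceHook race,
                            uint8_t *smram_out, size_t out_len)
{
    SmiInput priv;                       /* handler stack: inside SMRAM */
    memcpy(&priv, shared, sizeof priv);  /* single read of the untrusted buffer */
    if (race) race(shared);              /* same DMA write, now too late */
    if (priv.Length > SMI_INPUT_MAX || priv.Length > out_len)
        return -1;
    memcpy(smram_out, priv.Data, priv.Length);
    return (int)priv.Length;
}

/* Constructed race: grows Length past the limit after the check has passed. */
void DmaGrowLength(SmiInput *shared) { shared->Length = 32; }

/* Runs one handler on a constructed buffer (Length = 8, limit 16) with the race active. */
int RunWithRace(int (*handler)(SmiInput *, RaceHook, uint8_t *, size_t))
{
    SmiInput in; uint8_t smram[64];      /* smram is 64 bytes so the model never overflows */
    memset(&in, 0, sizeof in); in.Length = 8;
    return handler(&in, DmaGrowLength, smram, 16);
}
```

The in-place handler reports 32 bytes written against a 16-byte SMRAM destination, while the copy-then-check handler still writes the 8 bytes it validated.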

Patched Kernels

Insyde engineering has released patches for the following kernel versions, effectively addressing CVE-2022-32267:

Mitigations and Recommendations

Users running affected kernel versions are strongly advised to update their systems to patched versions as soon as possible.

It is also critical to ensure that systems are regularly updated and to follow best practices in securing the firmware and preventing unauthorized access to the hardware.

For more information about this vulnerability and the related Insyde Security Advisory (SA-2022046), please refer to the following link: https://www.insyde.com/security-pledge/SA-2022046

Conclusion

CVE-2022-32267 demonstrates the risk that carefully timed DMA transactions and TOCTOU attacks pose to system security and integrity. By addressing the vulnerability in the SmmResourceCheckDxe software SMI handler, Insyde protects users who are running patched kernel versions. It is essential for users to update their systems and follow security best practices to keep their devices safe.

Timeline

Published on: 11/15/2022 00:15:00 UTC
Last modified on: 11/18/2022 16:01:00 UTC