An attacker who can raise a crafted SMI can feed malicious input to the SMI handler. Whatever the handler does with that input executes in System Management Mode (SMM), which runs at a higher privilege than the operating system kernel or hypervisor, so a flaw in the handler gives the attacker access to privileged operations and system state that even ring-0 code cannot normally reach.

CVE-2018-5602

An issue has been discovered in InsydeH2O with kernel 5.0 through 5.5, in the FvbServicesRuntimeDxe driver. If an attacker sends a specially crafted SMI to the FvbServicesRuntimeDxe driver, it can be used to cause a memory leak and potentially lead to a Denial-of-Service (DoS) condition. The crafted SMI does not have to look malicious, but it can be used to exploit this issue. What's worse is that not only can it be used to exploit this issue, but it

Tactic 3: Malicious SMI can be used to gain root access

This vulnerability is a good example of how attackers can use a malicious SMI to gain root access on the system. It is important to note that exploiting it requires the attacker to be able to raise the SMI in the first place: a software SMI is triggered by writing to the APM control I/O port (0xB2 on Intel platforms), which needs ring-0 or equivalent I/O privilege, so the attacker must already hold kernel-level code execution. That precondition is not always met.
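The advisory above does not say where the driver's SMI handler goes wrong, so the following is an added example, not code from InsydeH2O or from EDK II: a host-side model of the general bug class, an SMI handler that trusts the length and location of the buffer its caller hands it, placed next to the hardened form. SMRAM and the caller's communication buffer are plain arrays so the program compiles and runs on an ordinary host, and every name in it (SmramModel, FvbRequest, FvbHandlerVulnerable, FvbHandlerHardened, the write-protect flag value) is hypothetical.

```c
/*
 * Added example, not code from InsydeH2O or EDK II: a host-side model of an
 * SMI handler that trusts its caller, next to the hardened form. SMRAM and the
 * caller's communication buffer are plain arrays here, so the whole thing
 * compiles and runs as an ordinary program. All names (SmramModel, FvbRequest,
 * FvbHandler*, FLAG_ARMED) are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMRAM_SIZE    256           /* modeled SMRAM region */
#define SCRATCH_SIZE   64           /* handler's in-SMRAM scratch buffer */
#define FLAG_OFFSET    SCRATCH_SIZE /* private state right after the scratch */
#define FLAG_ARMED    0xA5          /* hypothetical "flash write-protect on" value */

enum { STATUS_OK = 0, STATUS_INVALID = 1, STATUS_ACCESS_DENIED = 2 };

/* Request layout the caller places in the shared communication buffer. */
typedef struct {
    uint32_t Length;     /* caller-supplied payload length: untrusted */
    uint8_t  Payload[];  /* Length bytes follow the header */
} FvbRequest;

/* Modeled SMRAM: scratch area at offset 0, a private flag right after it. */
static uint8_t SmramModel[SMRAM_SIZE];

void ResetState(void) {
    memset(SmramModel, 0, sizeof SmramModel);
    SmramModel[FLAG_OFFSET] = FLAG_ARMED;
}

uint8_t ReadPrivateFlag(void) { return SmramModel[FLAG_OFFSET]; }

/* True if [Buf, Buf+Len) lies entirely outside modeled SMRAM. Same intent as
 * EDK II's SmmIsBufferOutsideSmmValid: compare as integers and reject a range
 * that wraps, so a huge Len cannot make the check pass. */
bool IsOutsideSmram(const void *Buf, size_t Len) {
    uintptr_t Start = (uintptr_t)Buf;
    uintptr_t SmramBase = (uintptr_t)SmramModel;
    uintptr_t SmramEnd = SmramBase + SMRAM_SIZE;
    if (Len == 0 || Len > UINTPTR_MAX - Start) return false; /* empty or wraps */
    uintptr_t End = Start + Len;
    return End <= SmramBase || Start >= SmramEnd;
}

/* Vulnerable pattern: copies Length bytes from the caller into the 64-byte
 * scratch area without checking Length or where Req points. An oversized
 * Length runs past the scratch into the private flag. */
int FvbHandlerVulnerable(const FvbRequest *Req) {
    memcpy(SmramModel, Req->Payload, Req->Length);
    return STATUS_OK;
}

/* Hardened pattern: check that the header is outside SMRAM, read the length
 * once (the shared buffer can change under the handler), bound it, and check
 * that the payload is outside SMRAM before touching anything in SMRAM. */
int FvbHandlerHardened(const FvbRequest *Req) {
    if (!IsOutsideSmram(Req, sizeof(uint32_t))) return STATUS_ACCESS_DENIED;
    uint32_t Len = Req->Length;
    if (Len == 0 || Len > SCRATCH_SIZE) return STATUS_INVALID;
    if (!IsOutsideSmram(Req->Payload, Len)) return STATUS_ACCESS_DENIED;
    memcpy(SmramModel, Req->Payload, Len);
    return STATUS_OK;
}

int main(void) {
    uint32_t CallerWords[64] = {0};          /* 4-byte aligned caller buffer */
    FvbRequest *Req = (FvbRequest *)CallerWords;
    Req->Length = 128;                       /* twice the scratch size */

    ResetState();
    FvbHandlerVulnerable(Req);
    printf("vulnerable: flag after oversized copy = 0x%02X\n", ReadPrivateFlag());

    ResetState();
    int Status = FvbHandlerHardened(Req);
    printf("hardened:   status=%d, flag=0x%02X\n", Status, ReadPrivateFlag());
    return 0;
}
```

Two checks are doing the work in the hardened handler. The bounds check on Length stops the overwrite of state that lives next to the scratch buffer, and the outside-SMRAM check stops the other classic trick, where the caller points the communication buffer into SMRAM itself so that the handler reads or writes its own protected memory on the caller's behalf. In real firmware the caller is the OS kernel, which is why the advisory's precondition is ring-0 access, and the library routine that plays the role of IsOutsideSmram in EDK II-based firmware is SmmIsBufferOutsideSmmValid.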

Timeline

Published on: 09/22/2022 00:15:00 UTC
Last modified on: 09/26/2022 16:39:00 UTC