An attacker can create an SMI by sending a specially crafted SMI to the affected device via a remote attack. The SMI is then received by the UEFI firmware, which, in turn, executes it on the affected system. An attacker may leverage remote access to gain unauthorized access to the system, and then use the SMI to install malware.
In addition to the remote attack, an attacker may configure a local attack to exploit the SMI. An attacker may send an SMI that has a pointer to a local file system.
In the case of a local attack, the UEFI firmware will then execute the SMI. An attacker may also use a local attack to leverage the SMI. An attacker may create an SMI with a pointer to a local file system. This will allow an attacker to install a local file system. The attacker may also create an SMI with a pointer to the UEFI boot service. An SMI with a pointer to the UEFI boot service will allow an attacker to install a local rootkit. In addition, an attacker may also use a remote or local attack to exploit the SMI. An attacker may send an SMI to a UEFI firmware that has a pointer to a remote SMI. In this case, the UEFI firmware will receive the SMI, and then execute it on the affected system. An attacker may also send an SMI with a pointer to a local file system. In this case, the UE

Vulnerability Details

An attacker may leverage remote access to gain unauthorized access to the system and then use an SMI to install malware. An attacker may send an SMI that has a pointer to a local file system, which will allow him or her to install malware. In the case of a local attack, the UEFI firmware will then execute the SMI. An attacker may also create an SMI with a pointer to the UEFI boot service, which will allow an attacker to install a local rootkit.

Remote Attack

If an attacker sends an SMI to the UEFI firmware, the UEFI firmware will execute it. An attacker may leverage remote access to gain unauthorized access to the system, and then use the SMI to install malware.

Vulnerable firmware versions

The following UEFI firmware versions are vulnerable to this issue:
- Boot Order #1
- Boot Order #2
- Boot Order #3
- UEFI 2.4.X
- UEFI 3.0.X
- UEFI 3.2.X
- UEFI 4.0.X
- UEFI 5.0.B1

If your device is one of the below, then it is possible that an SMI could be executed on your system via an attack:

Vulnerability Detection

The vulnerability can be detected by the following:

- Scanning UEFI firmware for SMI pointers in memory.
- Checking whether or not an attacker has exploited the vulnerability.

Timeline

Published on: 09/23/2022 18:15:00 UTC
Last modified on: 09/27/2022 05:01:00 UTC
