ISN 2022-02: UEFI Vulnerabilities in UD Devices

Updated 21 July 2022 (IGEL OS 11.08.100 will bring remediation)

Updated 24 February 2022 (updated "Update Instructions")

First published 10 February 2022

CVSS 3.1 Base Score: 8.2 (High)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

Multiple vulnerabilities have been found in UEFI firmware. Several of these also affect the Insyde H2O UEFI firmware used on some IGEL devices. Insyde has not yet completed its investigation, but at present the following IGEL devices are affected:

  • UD3-LX 60 (M350C)

  • UD7-LX 20 (H860C)

Details

The Insyde H2O UEFI firmware contains multiple memory management vulnerabilities in System Management Mode (SMM). A local attacker with administrator privileges could use these vulnerabilities to elevate their privileges above the installed operating system and execute code in SMM. This could enable the attacker to invalidate hardware security features such as UEFI Secure Boot, install persistent malware, or create backdoors for information disclosure.

Update Instructions

  • IGEL OS 11.08.100 (planned to be released in mid-August) will provide a method of deploying the UEFI updates from UMS via network.

Mitigation

  • Set a UEFI password, see Setting a UEFI Password (IGEL OS Articles > Security > Security IGEL OS Endpoints > Setting Passwords).

  • Activate UEFI Secure Boot (default on IGEL UD devices), see UEFI Secure Boot Enabling Guides.

  • Do not allow booting from USB storage media, see Disabling USB Boot (IGEL OS Articles > Security > Security IGEL OS Endpoints > Minimizing the Attack Surface).
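
To confirm from the running system that the Secure Boot mitigation above is actually in effect, the firmware's own variables can be read back. The following is an added example, not IGEL or Insyde tooling; it assumes the endpoint is a Linux system that exposes UEFI variables through efivarfs at the standard path, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the Secure Boot state of a Linux endpoint from efivarfs.
# Assumption: UEFI variables are exposed at /sys/firmware/efi/efivars.

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE

# Print the one-byte value of a UEFI variable file; fail if it is unreadable.
# efivarfs files start with a 4-byte attribute word, followed by the data.
efi_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# secure_boot_state [efivars_dir]
# Prints one of: enforced, setup-mode, disabled, no-uefi, unknown
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # No efivarfs directory: legacy boot, or efivarfs is not mounted.
    [ -d "$dir" ] || { echo "no-uefi"; return 0; }
    sb=$(efi_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") || sb=""
    sm=$(efi_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || sm=""
    case "$sb:$sm" in
        1:0|1:) echo "enforced" ;;    # signatures are being verified
        *:1)    echo "setup-mode" ;;  # no Platform Key enrolled, keys can be replaced
        0:*)    echo "disabled" ;;    # keys may exist, but verification is off
        *)      echo "unknown" ;;     # variables missing or truncated
    esac
}

secure_boot_state "$@"
```

Any result other than `enforced` means the endpoint is not getting the protection this mitigation is meant to provide and should be checked in the UEFI setup.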

This issue can be mitigated further by not giving users access to a terminal/virtual console on IGEL OS, which they could use to configure and run exploit code:

Remove an existing local terminal session

  1. In IGEL Setup, go to Accessories > Terminals.

  2. Select a local terminal session you want to delete.

  3. Click the trash icon to remove the selected session.

  4. When prompted, confirm that you want to delete the session.

  5. Click Apply.

Or password-protect the local terminal with the Administrator password

  1. Find the local terminal session under Accessories > Terminals.

  2. Follow the instructions under Password-Protecting Sessions and Accessories (IGEL OS Articles > Security > Security IGEL OS Endpoints > Setting Passwords).

Disable virtual console access

  1. In IGEL Setup, go to User Interface > Display > Access Control.

  2. Activate Disable console switching. (Default: Console switching enabled)

  3. Click Apply.
