Updated 21 July 2022 (IGEL OS 11.08.100 will bring remediation)

Updated 24 February 2022 (updated "Update Instructions")

First published 10 February 2022

CVSS 3.1 Base Score: 8.2 (High)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

Multiple vulnerabilities have been found in UEFI firmware. Several of these also affect the Insyde H2O UEFI firmware used on some IGEL devices. Insyde has not yet completed its investigation, but at present the following IGEL devices are affected:

  • UD3-LX 60 (M350C)
  • UD7-LX 20 (H860C)

Details

The Insyde H2O UEFI firmware contains multiple memory management vulnerabilities in System Management Mode (SMM). A local attacker with administrator privileges could use these vulnerabilities to elevate their privileges above the installed operating system in order to execute code in SMM mode. This could enable the attacker to invalidate hardware security features such as UEFI Secure Boot, install persistent malware, or create backdoors for information disclosure.

Update Instructions

  • IGEL OS 11.08.100 (planned to be released in mid-August) will provide a method of deploying the UEFI updates from UMS via network.

Mitigation

This issue can be mitigated further by not giving users access to a terminal/virtual console on IGEL OS, which they could use to configure and run exploit code:

Remove an existing local terminal session

  1. In IGEL Setup, go to Accessories > Terminals.
  2. Select a local terminal session you want to delete.
  3. Click the trash icon to remove the selected session.
  4. When prompted, confirm that you want to delete the session.
  5. Click Apply.

Or password-protect the local terminal with the Administrator password

  1. Find the local terminal session under Accessories > Terminals.
  2. Follow the instructions under "Protecting Sessions and Accessories with Passwords" (Sitzungen und Zubehör mit Passwörtern schützen).

Disable virtual console access

  1. In IGEL Setup, go to User Interface > Display > Access Control.
  2. Activate Disable console switching. (Default: Console switching enabled)
  3. Click Apply.

References