Acer is working to repair a firmware flaw affecting 5 of its laptop computer fashions. An exploit may enable attackers to disable a machine’s Safe Boot settings to bypass key safety measures and cargo malware, researchers have discovered.
ESET Analysis researcher Martin Smolar found the flaw, tracked as CVE-2022-4020, within the HQSwSmiDxe DXE driver on some variations of client Acer Aspire and Extensa notebooks. An attacker with elevated privileges can use the flaw to switch UEFI Safe Boot settings by way of an NVRAM variable, ESET disclosed in a collection of tweets posted Nov. 28.
“#CVE-2022-4020 is discovered within the DXE driver HQSwSmiDxe, which checks for the ‘BootOrderSecureBootDisable’ NVRAM variable,” in accordance with ESET. “If the variable exists, the driving force disables Safe Boot.”
Safe Boot is a safety function of the Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, OS information, and unauthorized possibility ROMs by validating their digital signatures. The function blocks any malicious exercise earlier than it could infect the system.
By exploiting the flaw, menace actors can bypass this function and run no matter code they need on the machine, malware or in any other case, even reaching persistence in a case during which an OS is reinstalled, the researchers stated.
Totally different Producer, Comparable Safety Vulnerability
Particularly, CVE-2020-4020 impacts Acer Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G notebooks. The flaw creates an analogous alternative for attackers to the one brought on by vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 that ESET researchers present in early November in varied Lenovo Yoga IdeaPad and ThinkBook gadgets, and subsequently detailed extensively in a collection of tweets.
As in that case, ESET additionally reported the vulnerability to the pc producer for remediation. Acer rapidly responded on Nov. 29 with a safety replace corroborating Smolar’s findings and stressing the intense nature of the flaw.
“By disabling the Safe Boot function, an attacker can load their very own unsigned malicious bootloader to permit absolute management over the OS loading course of,” the corporate stated. “This may enable them to disable or bypass protections to silently deploy their very own payloads with the system privileges.”
Acer is engaged on a BIOS replace to resolve the problem that it’ll publish on the Acer Assist website, and recommends that affected customers replace their BIOS, as soon as obtainable, to the most recent model to resolve the issue. The patch additionally can be included as a important Home windows replace, the corporate stated.
Widespread NVRAM Variable Downside
In each the Lenovo and Acer situations, attackers can exploit the Acer bug by creating particular NVRAM variables, the precise worth of which isn’t vital—the existence of the variable itself is the one factor an affected firmware driver checks, the researchers famous.
NVRAM variables outline a reputation for the boot possibility that may be exhibited to a person. The variable additionally incorporates a pointer to the {hardware} machine and to a file on that {hardware} machine that incorporates the UEFI picture to be loaded.
This drawback seems to be fairly well-known, with researchers already advising towards firmware builders storing security-sensitive parts in these variables. Firmware safety engineer Nikolaj Schlej even tweeted a plea to firmware builders in October to “cease utilizing widespread NVRAM as trusted storage” due to the safety drawback it poses.
“It’s certainly actually tempting to make use of NVRAM or CMOS SRAM for storing triggers for varied issues, however each have to be assumed being beneath full attacker management,” he stated in a response to his personal tweet. “Even unstable NVRAM variables aren’t fully protected as a result of there may be nonetheless an opportunity of incorrect attribute test.”
Within the case of the Lenovo flaws, it does seem that builders already had been conscious of the problem earlier than it made its method into the corporate’s laptops, as a number of the affected parts had been solely meant for use throughout manufacturing and had been mistakenly included in manufacturing, in accordance with ESET.
