Business Wire

Binarly Discloses Multiple Firmware Vulnerabilities in Qualcomm and Lenovo ARM-based Devices

3 Mins read

Binarly’s REsearch team has led the coordinated disclosure of multiple vulnerabilities in Qualcomm reference code and ARM-based Lenovo devices powered by UEFI firmware. Multiple vendors are affected including Microsoft Surface devices, Samsung, HP, and many others.

PASADENA, Calif.–(BUSINESS WIRE)–#FwHunt–Binarly Inc., providers of the industry’s first AI-powered firmware protection platform, has led the coordinated disclosure and mitigation of multiple vulnerabilities in UEFI firmware on ARM devices, including Qualcomm Snapdragon chips.

The Qualcomm vulnerabilities, rated high-severity, were identified in the UEFI firmware reference code and impacts the entire ecosystem of ARM-based laptops and devices on Qualcomm Snapdragon chips. This is the first major vulnerability disclosure of its kind in the ARM device ecosystem, and highlights the potential for cross-platform attacks on both ARM and x86 devices.

Binarly’s research team has confirmed these vulnerabilities are exploitable on Lenovo ThinkPad and Microsoft Surface devices, including the recently released development device Microsoft Windows Dev Kit 2023 (code name “Project Volterra”).

A summary of the disclosed vulnerabilities, which carry high-risk and medium-risk severity ratings:

BRLY ID

Type

Vendor

CVE ID

CVSS score

CWE

BRLY-2022-029

BRLY-2022-030

BRLY-2022-033

Stack overflow via double GetVariable in DXE driver

Qualcomm

Qualcomm

Qualcomm

CVE-2022-40516

CVE-2022-40517

CVE-2022-40520

8.2 High

8.2 High

8.2 High

CWE-121: Stack-based Buffer Overflow

BRLY-2022-031

BRLY-2022-032

BRLY-2022-034

BRLY-2022-035

BRLY-2022-036

BRLY-2022-037

Stack memory leak vulnerability in DXE driver

Qualcomm

Lenovo

Lenovo

Lenovo

Qualcomm

Lenovo

CVE-2022-40518

CVE-2022-4432

CVE-2022-4433

CVE-2022-4434

CVE-2022-40519

CVE-2022-4435

4.9 Medium

6.0 Medium

6.0 Medium

6.0 Medium

6.0 Medium

6.0 Medium

CWE-125: Out-of-bounds Read

Three of the nine vulnerabilities — CVE-2022-40516, CVE-2022-40517 and CVE-2022-40520 — are rated high-risk and allow secure boot bypass and the ability for an attacker to gain persistence on a device by gaining sufficient privileges to write to the file system. This allows an attacker to cross an extra security boundary to simplify attacks on TrustZone. All three affect Qualcomm’s reference code and affect the entire ecosystem.

Four of the issues are specific to Lenovo and allow an attacker to gain read access to the privileged boot code through all of these vulnerabilities. Compared to the previous group of vulnerabilities with arbitrary code execution, these vulnerabilities only lead to privileged information disclosure.

“With this disclosure, we have opened Pandora’s box of ARM devices with UEFI firmware vulnerabilities impacting enterprise vendors. As far as we know, this is the first major vulnerability disclosure related to UEFI firmware on ARM,” said Binarly chief executive officer Alex Matrosov.

“Vulnerabilities in reference code are usually one of the most impactful since they tend to affect the whole ecosystem and not just a single vendor. Due to the complexity of the UEFI firmware supply chain, these vulnerabilities often create additional impact,” Matrosov said, noting that UEFI’s unified specification not only brings consistency to the firmware development process, but also to attack surfaces.

In a statement, Qualcomm expressed thanks to Binarly for assisting with the research and coordinated disclosure:

“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend security researcher Alex Matrosov of Binarly for using industry-standard coordinated disclosure practices, and we have worked with Lenovo to address the reported boot issues. Patches were made available in November 2022, and we encourage affected end users to apply security updates when they become available from their device makers.” – Qualcomm spokesperson

Binarly commends the PSIRT team at Qualcomm for their timely professionalism when responding to these vulnerability reports. It was impressive that it only took two months to release the fixes and secure the supply chain after Binarly reported reference code vulnerabilities in October 2022.

With such a broad impact to the entire UEFI ARM-based ecosystem, this is an unprecedented timeline we haven’t experienced before when working with other vendors.

Closer collaboration between the vendor and researcher can significantly reduce the disclosure timeline and assist industry in recovering from repeatable firmware security failures.

Technical details on these findings are now available on the Binarly blog.

Qualcomm advisory: https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2023-bulletin.html

Lenovo advisory: https://support.lenovo.com/us/en/product_security/LEN-103709

About Binarly

Founded in 2021 in Pasadena, California, Binarly brings decades of research experience identifying hardware and firmware security weaknesses and threats. Binarly’s agentless, enterprise-class AI-powered firmware security platform helps protect from advanced threats below the operating system. The company’s technology solves firmware supply chain security problems by identifying vulnerabilities, malicious firmware modifications and providing firmware SBOM visibility without access to the source code. Binarly’s cloud-agnostic solutions give enterprise security teams actionable insights, and reduce the cost and time to respond to security incidents.

Contacts

media@binarly.io
818.351.9637