Vulnerabilities in UEFI firmware based on Insydeh2o framework, allowing you to perform code at SMM level

in the framework insydeh2o used by many manufacturers to create UEFI firmware to their equipment (the most common implementation of UEFI BIOS), Detected 23 vulnerabilities , allowing to execute code at the SMM level (System Management Mode ), more priority (Ring -2) than hypervisor mode and zero protection ring, and having unlimited access to all memory. The problem affects the UEFI firmware used by manufacturers such as Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos.

For the operation of vulnerabilities, local access with administrator rights is required, which makes problems in demand as the secondary vulnerabilities used after the operation of other vulnerabilities in the system or using social engineering methods.
Access at the SMM level allows you to perform the code at the level by the unemployed operating system, which can be used to modify the firmware and leaving the hidden malware or rootkits in SPI Flash, which are not determined from the operating system, as well as to disable verification during the download stage (UEFI Secure Boot , Intel Bootguard) and attacks on hypervisors to bypass the mechanisms for checking the integrity of virtual environments.


Operation of philacomats can be made from the operating system using non-verified SMI handlers (System Management Interrupt), as well as at the stage before performing the operating system during the initial stages of the download or return from the sleep mode. All vulnerabilities are caused by memory working problems and divided into three categories:

  • SMM Callout – executing your code with SMM rights through redirecting SWSMI interrupt handlers to code outside SMRAM;
  • memory damage that allows the attacker to write down its data in SMRAM, a special insulated memory area in which it is performed
    Code with SMM rights.
  • Damage to the memory in the code performed at the level of DXE (Driver Execution Environment).

To demonstrate the principles of the organization’s organization published Example of exploit

/Media reports.