disclosed information about vulnerability (CVE-2021-33164) in UEFI firmware, which allows you to execute the code at the SMM level (System Management Mode), more priority than the hypervisor mode and the zero protection ring, and providing unlimited access to all system memory. The vulnerability that received the code name Ringhopper is associated with the possibility of conducting Time attacks using DMA (Direct Memory Access) to damage memory in the code performed at the SMM level. The presence of vulnerability is confirmed in the firmware Intel , Dell And Insyde Software. AMD, Phoenix and Toshiba firmware are not subject to the problem.
Operation of fluidity can be made of the operating system using vulnerable SMI-processors (System Management Interrupt), to access the administrator’s rights. The attack can also be carried out if there is physical access at the early stage of loading, at the stage before initializing the operating system. To block the problem, Linux users are recommended to update the firmware using the LVFS (Linux Vendor Firmware Service) service using the FwuPDMGR (FWUPDMGR Get-UPDATES; FWUPDMGR UPDATE) from the FWUPD.
package.
The need to have the rights of an administrator for an attack limits the danger of a problem, but does not interfere with its use as a vulnerability of the second link to maintain its presence after the operation of other vulnerabilities in the system or the application of social engineering methods. Access to SMM (Ring -2) allows you to execute the code at the level of the non -controlled operating system, which can be used to modify the firmware and premises in the SPI flash of hidden malicious code or routes that are not determined from the operating system, as well as to turn off the verification at the download stage (UEFI Secure Boot, Intel BootGuard) and attacks on hypervisors to circumvent mechanisms for checking the integrity of virtual environment.
The problem is caused by the state of the race in the SMI (System Management Interrupt) processor, which occurs at the time between the inspection of access and the appeal to SMRAM. To determine the desired moment between checking the status and using the verification result, analysis on third-party channels using DMA . As a result, due to the asynchronous nature of access to SMRAM via DMA, the attacker can determine the right moment and overwrite the contents of SMRAM using DMA bypassing the SMI processor API. Processors with support for Intel-VT and Intel VT-D mechanisms include DMA-based protection, based on IMMU (Input-Autput Memory Management Unit), but this protection is effective for blocking hardware DMA attacks carried out using attackers prepared by attacking devices and does not protect against attacks through SMI handlers.