2022/Q1 INSYDE SECURITY ADVISORY (ISA)
Insyde 2022/Q1 ISA covering Insyde® Firmware (InsydeH2O UEFI-BIOS) updates
Fujitsu Communication
Original release:1 Feb 2022
Fujitsu PSIRT ID: FCCL-IS-2021-090903
Advisory Description
INSYDE-SA-2022/Q1: 2022/Q1 ISA – Insyde® Firmware (InsydeH2O UEFI-BIOS) Advisory
Multiple potential security vulnerabilities in the Insyde® InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware (Insyde® InsydeH2O UEFI-BIOS) may allow for the compromise of confidentiality, integrity and availability. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
CVE-2020-5953: A vulnerability exists in System Management Interrupt (SWSMI) handler of InsydeH2O UEFI Firmware code located in SWSMI handler that dereferences gRT (EFI_RUNTIME_SERVICES) pointer to call a GetVariable service, which is located outside of SMRAM. This can result in code execution in SMM (escalating privilege from ring 0 to ring -2). It affects the driver AsfSecureBootSmm.
CVE-2021-33625: SMM memory corruption vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in SW SMI handler registered with GUID `9c28be0c-ee32-43d8-a223-e7c1614ef7ca` and located at offset `0x23B0` in the driver. This affects the HddPassword driver.
CVE-2021-33626: A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (QWORD values for CommBuffer). This can be used by an attacker to corrupt data in SMRAM memory and even lead to arbitrary code execution. It affects the driver SmmResourceCheckDxe.
CVE-2021-33627: A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (CommBuffer). This can be used by an attacker to corrupt data in SMRAM memory and even lead to arbitrary code execution. It affects the driver FwBlockServiceSmm.
CVE-2021-41837: An unsafe pointer vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler. An attacker can use this unsafe pointer "current_ptr" to read or write or manipulate data into SMRAM. Exploitation of this vulnerability can lead to escalation of privileges reserved only for SMM using the SwSMI handler. It affects the AhciBusDxe driver.
CVE-2021-41838: An unsafe pointer vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler. An attacker can use this unsafe pointer "ptr" to read or write or manipulate data in the SMRAM. Exploitation of this vulnerability can lead to escalation of privileges reserved only for SMM using the SwSMI handler. It affects the driver NvmExpressDxe driver.
CVE-2021-41839: A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated table variable EFI_BOOT_SERVICES. This can be used by an attacker to overwrite address location of any of the functions (FreePool, LocateHandleBuffer, HandleProtocol) to the address location of arbitrary code controlled by the attacker. On system call to SWSMI handler, the arbitrary code can be triggered to execute. It affects the driver NvmExpressDxe.
CVE-2021-41840: A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated table variable EFI_BOOT_SERVICES. This allows an attacker who is capable of executing code in DXE phase to exploit this vulnerability to escalate privileges to SMM. The attacker can overwrite the LocateProtocol or Freepool memory address location to execute unwanted code. It affects the driver SdHostDriver.
CVE-2021-41841: A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated table variables EFI_BOOT_SERVICES and EFI_RUNTIME_SERVICES. This can be used by an attacker to overwrite address location of the function (LocateHandleBuffer) to the address location of arbitrary code controlled by the attacker. On system call to SWSMI handler, the arbitrary code can be triggered to execute. It affects the driver AhciBusDxe.
CVE-2021-42059: The stack buffer overflow vulnerability leads to arbitrary code execution in UEFI DXE driver on BullSequana Edge server. This affects the DisplayTypeDxe driver.
CVE-2021-42060: SMM callout vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in SW SMI handler registered with number 0xF9 and located at offset 0x06F0 in the driver. This affects the Int15ServiceSmm driver.
CVE-2021-42113: SMM callout vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in child SW SMI handler registered with GUID `1d3de7f0-0807-424f-aa69-11a54e19a46f` and located at offset `0x1E0C` in the driver. It affects the StorageSecurityCommandDxe driver.
CVE-2021-42554: SMM memory corruption vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in SW SMI handler registered with number `0x16` and located at offset `0x3DBC` in the driver. This affects the FvbServicesRuntimeDxe driver.
CVE-2021-43323: SMM callout vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in SW SMI handler registered with number `0xFD` and located at offset `0x291C` in the driver. This affects the UsbCoreDxe driver.
CVE-2021-43522: SMM memory corruption vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in child SW SMI handler registered with GUID `1d3de7f0-0807-424f-aa69-11a54e19a46f` and located at offset `0x1E0C` in the driver.
CVE-2021-43615: SMM callout vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in SW SMI handler registered with GUID `9c28be0c-ee32-43d8-a223-e7c1614ef7ca` and located at offset `0x23B0` in the driver. This affects the HddPassword driver.
CVE-2021-45969: A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (CommBuffer + 8 location). This can be used by an attacker to corrupt data in SMRAM memory and even lead to arbitrary code execution. It affects the driver AhciBusDxe.
CVE-2021-45971: A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (CommBufferData). This can be used by an attacker to corrupt data in SMRAM memory and even lead to arbitrary code execution. It affects the driver SdHostDriver.
CVE-2022-24030: SMM memory corruption vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in child SW SMI handler registered with GUID `56947330-585c-4470-a95d-c55c529feb47` and located at offset `0x1328` in the driver. This affects the AhciBusDxe driver.
CVE-2022-24031: SMM memory corruption vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in SW SMI handler registered with GUID `52c78312-8edc-4233-98f2-1a1aa5e388a5` and located at offset `0x2090` in the driver. This affects the NvmExpressDxe driver.
CVE-2022-24069: SMM callout vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in child SW SMI handler registered with GUID `56947330-585c-4470-a95d-c55c529feb47` and located at offset `0x1328` in the driver.
Insyde described the affection in detail and mentioned updates for supported InsydeH2O UEFI-BIOS firmware versions.
Potential Impact: According to the information provided the potential impact of INSYDE-SA-2022/Q1 is:
Loss of Confidentiality, Integrity, Availability
CVE Reference (INSYDE-SA-2022/Q1)
INSYDE-SA-2022/Q1: 2022/Q1 ISA – Insyde® Firmware (InsydeH2O UEFI-BIOS) Advisory
∗ The description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
| CVE Number | CVSS Base Score | Insyde SA | BINARLY ID |
|---|---|---|---|
| CVE-2020-5953 | 7.5 (High) | INSYDE-SA-2022017 | BRLY-2021-008 |
| CVE-2021-33625 | 7.5 (High) | INSYDE-SA-2022014 | BRLY-2021-029 |
| CVE-2021-33626 | 7.8 (High) | INSYDE-SA-2022021 | BRLY-2021-013 |
| CVE-2021-33627 | 8.2 (High) | INSYDE-SA-2022022 | BRLY-2021-011 |
| CVE-2021-41837 | 8.2 (High) | INSYDE-SA-2022024 | BRLY-2021-009 |
| CVE-2021-41838 | 8.2 (High) | INSYDE-SA-2022023 | BRLY-2021-010 |
| CVE-2021-41839 | 8.2 (High) | INSYDE-SA-2022020 | BRLY-2021-017 |
| CVE-2021-41840 | 8.2 (High) | INSYDE-SA-2022018 | BRLY-2021-019 |
| CVE-2021-41841 | 8.2 (High) | INSYDE-SA-2022019 | BRLY-2021-018 |
| CVE-2021-42059 | 6.7 (Medium) | INSYDE-SA-2022006 | BRLY-2021-021 |
| CVE-2021-42060 | 8.2 (High) | INSYDE-SA-2022007 | BRLY-2021-022 |
| CVE-2021-42113 | 8.2 (High) | INSYDE-SA-2022008 | BRLY-2021-023 |
| CVE-2021-42554 | 9.8 (Critical) | INSYDE-SA-2022012 | BRLY-2021-027 |
| CVE-2021-43323 | 8.2 (High) | INSYDE-SA-2022016 | BRLY-2021-031 |
| CVE-2021-43522 | 7.5 (High) | INSYDE-SA-2022009 | BRLY-2021-024 |
| CVE-2021-43615 | 8.2 (High) | INSYDE-SA-2022013 | BRLY-2021-028 |
| CVE-2021-45969 | 8.2 (High) | INSYDE-SA-2022003 | BRLY-2021-016 |
| CVE-2021-45971 | 8.2 (High) | INSYDE-SA-2022001 | BRLY-2021-012 |
| CVE-2022-24030 | 9.8 (Critical) | INSYDE-SA-2022011 | BRLY-2021-026 |
| CVE-2022-24031 | 8.2 (High) | INSYDE-SA-2022015 | BRLY-2021-030 |
| CVE-2022-24069 | 8.2 (High) | INSYDE-SA-2022010 | BRLY-2021-025 |
Links for Technical Details
Technical details of the potential security vulnerabilities and functional issues are documented online:
https://www.insyde.com/security-pledge
https://kb.cert.org/vuls/id/796611
Affected Fujitsu Products
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute updates for all affected products that are currently supported. Older systems that are no longer supported will not be updated.
An overview of the affected Client Computing Devices (e.g. CELSIUS, ESPRIMO, FUTRO, LIFEBOOK, STYLISTIC) can be found here: List of affected Fujitsu products (APL) (available: Feb. 9, 2022)
This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow.
List of Affected Fujitsu products ( APL )
Insyde 2022/Q1 ISA covering Insyde® Firmware (InsydeH2O UEFI-BIOS) updates
Mobile ( CELSIUS /LIFEBOOK /STYLISTIC )
| AFFECTED SYSTEM | NEW FIXED
BIOS/ME | BIOS/ME
RELEASE DATE |
|---|---|---|
| LIFEBOOK E448 /E458 | V1.21 | cw 21/2022 |
| LIFEBOOK E449/459 | V1.09 | cw 21/2022 |
| LIFEBOOK E547/E557
( Non v-Pro ) | V1.19 | cw 24/2022 |
| LIFEBOOK E547/E557
(v-Pro ) | V1.23 | cw 24/2022 |
| LIFEBOOK E548 /E558 | V1.22 | cw 21/2022 |
| LIFEBOOK E549 /E559 | V2.20 | cw 17/2022 |
| LIFEBOOK E5410 /E5510 | V2.23 | cw 15/2022 |
| LIFEBOOK E5411/E5511 | V2.27 | cw 11/2022 |
| LIFEBOOK P727 | V1.23 | cw 24/2022 |
| LIFEBOOK P728 | V1.19 | cw 21/2022 |
| LIFEBOOK S937 | V2.11 | cw 21/2022 |
| LIFEBOOK S938 | V1.19 | cw 21/2022 |
| LIFEBOOK T726 | V1.24 | cw 26/2022 |
| LIFEBOOK T937 | V1.24 | cw 24/2022 |
| LIFEBOOK T938 | V2.15 | cw 17/2022 |
| LIFEBOOK U727/U747/U757 6th Gen CPU model | V1.29 | cw 24/2022 |
| LIFEBOOK U727/U747/U757 | V1.29 | cw 24/2022 |
| LIFEBOOK U728 /U748 /U758 | V1.25 | cw 21/2022 |
| LIFEBOOK U729 /U749 /U759 | V2.25 | cw 17/2022 |
| LIFEBOOK U729X | V2.16 | cw 17/2022 |
| LIFEBOOK U937 | V1.20 | cw 24/2022 |
| LIFEBOOK U938 | V1.26 | cw 21/2022 |
| LIFEBOOK U939
(THUNDERBOLT model ) | V2.18 | cw 17/2022 |
| LIFEBOOK U939
(Type c model ) | V2.17 | cw 18/2022 |
| LIFEBOOK U939X | V2.21 | cw 18/2022 |
| LIFEBOOK U9310 | V2.17 | cw 16/2022 |
| LIFEBOOK U9310X | V2.16 | cw 15/2022 |
| LIFEBOOK U9311
(updating from BIOS version 2.XX) | V2.33 | cw 12/2022 |
| LIFEBOOK U9311
(updating from BIOS version 1.XX) |
V1.53 |
cw 12/2022 |
| LIFEBOOK U9311X | V2.27 | cw 12/2022 |
| STYLISTIC Q509 | V1.29 | cw 19/2022 |
| STYLISTIC Q737 | V1.22 | cw 26/2022 |
| STYLISTIC Q738 | V1.15 | cw 21/2022 |
| STYLISTIC Q739 | V2.16 | cw 17/2022 |
| STYLISTIC Q5010 | V1.24 | cw 19/2022 |
| STYLISTIC Q7310 | V2.17 | cw 15/2022 |
| STYLISTIC Q7311 | V2.21 | cw 12/2022 |
| CELSIUS H770 | v1.23 | cw 24/2022 |
| CELSIUS H780 | V1.19 | t.b.d. |
| CELSIUS H970 | V1.17 | t.b.d. |
| CELSIUS H980 | V1.14 | t.b.d. |
| CELSIUS H7510 | V1.12 | t.b.d. |
CELSIUS (WorkStation) | Please refer to the following site.
|
|---|---|
ESPRIMO (Desktop) | |
FUTRO (Thin-Client) |
This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow.
* cw: calendar week
t.b.d.: to be defined
** Installation by Fujitsu hardware service on request
Contact Details
Should you require any further security-related assistance, please contact:Fujitsu-PSIRT@ts.fujitsu.com.
For more information on security vulnerabilities, please also go to https://security.ts.fujitsu.com.
NOTE: Insyde Security Advisory INSYDE-SA-2021001 on InsydeH2O is not part of this 2022/Q2 Insyde Security Advisory (ISA). The Fujitsu PSIRT already addressed the Insyde Security Advisory internally and released dedicated Fujitsu PSIRT Security Notice FCCL-IS-2021-061600.
Insyde Security Advisory INSYDE-SA-2022002 on InsydeH2O, as part of this 2022/Q2 Insyde Security Advisory (ISA), does not affect any Fujitsu product. Insyde Security Advisories INSYDE-SA-2021002, INSYDE-SA-2022004 and INSYDE-SA-2022005 on InsydeH2O are not part of this 2022/Q2 Insyde Security Advisory (ISA). The Fujitsu PSIRT already addressed these Insyde Security Advisories internally and plans to release a dedicated Fujitsu PSIRT Security Notice. All necessary updates will be issued along with the 2021.2 Intel Platform Update (IPU), depending on the result of the final analysis.
The Fujitsu PSIRT would like to thank Binarly Inc., for their commitment to the security of Fujitsu products and the close collaboration throughout the process of vulnerability disclosure. Also, the Fujitsu PSIRT would like to thank the CMU CERT Coordination Center for their help and support throughout the process.
Recommended Steps for Remediation |
| Remediation via BIOS Update |
| Step 1: Determine whether you have an affected system. |
| Refer to the LIST OF AFFECTED Fujitsu product (APL)
This list is updated regularly. Before proceeding, please check the expected availability of the relevant BIOS update package. |
Step 2: Download and install the BIOS update package.
|
| • Select "Select a new Product" (button)
• Select "Browse for Product" • Select "product line" • Select "product group" and "product family". • Download and install the latest BIOS update package |
Links for Software Security UpdatesVendor Fujitsu Further Information |
| Contact Details |
| Should you require any further security-related assistance, please contact: fpca-hk.cs@hk.fujitsu.com |
Legal Statement |
| Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.
Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time. Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites. Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners. |