Acer Firmware Flaw Lets Attackers Bypass Key Security Feature




Acer is working to repair a firmware flaw affecting five of its laptop models. An exploit could allow attackers to disable a machine's Secure Boot settings to bypass key security measures and load malware, researchers have found.

ESET Research researcher Martin Smolar discovered the flaw, tracked as CVE-2022-4020, in the HQSwSmiDxe DXE driver on some versions of consumer Acer Aspire and Extensa notebooks. An attacker with elevated privileges can use the flaw to modify UEFI Secure Boot settings via an NVRAM variable, ESET disclosed in a series of tweets posted Nov. 28.

"#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe, which checks for the 'BootOrderSecureBootDisable' NVRAM variable," according to ESET. "If the variable exists, the driver disables Secure Boot."
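A practical first check on a machine is whether that trigger variable is present at all. The program below is an added example written for this page, not ESET's or Acer's code. It assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars, where every variable appears as a file named "Name-GUID" whose first four bytes are the variable's attribute bits; the article does not give the vendor GUID of BootOrderSecureBootDisable, so the scan matches on the name prefix only. The directory is a parameter so the function can be pointed at any efivarfs-like tree.

```c
/* Added example (not from Acer, ESET or the article): scan an efivarfs
 * directory for the BootOrderSecureBootDisable trigger variable and report
 * its attribute bits.  Path and prefix handling are assumptions for
 * illustration; the attribute layout (4 little-endian bytes, then data) is
 * how efivarfs exposes variables. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRIGGER_PREFIX "BootOrderSecureBootDisable-"   /* "<Name>-" part of "<Name>-<GUID>" */

#define EFI_VARIABLE_NON_VOLATILE        0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS  0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS      0x00000004u

/* Returns how many entries in efivars_dir start with the trigger name, or -1
 * if the directory cannot be opened.  For the first match, the variable's
 * attribute bits are stored in *attrs (0 if the file cannot be read). */
int scan_for_trigger(const char *efivars_dir, uint32_t *attrs)
{
    DIR *d = opendir(efivars_dir);
    if (d == NULL)
        return -1;

    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strncmp(e->d_name, TRIGGER_PREFIX, strlen(TRIGGER_PREFIX)) != 0)
            continue;
        if (found == 0 && attrs != NULL) {
            char path[4096];
            snprintf(path, sizeof path, "%s/%s", efivars_dir, e->d_name);
            *attrs = 0;
            FILE *f = fopen(path, "rb");
            if (f != NULL) {
                uint32_t a = 0;
                /* efivarfs prepends the 32-bit attribute word to the data;
                 * reading it straight into a uint32_t is correct on x86. */
                if (fread(&a, sizeof a, 1, f) == 1)
                    *attrs = a;
                fclose(f);
            }
        }
        found++;
    }
    closedir(d);
    return found;
}

int main(void)
{
    uint32_t attrs = 0;
    int n = scan_for_trigger("/sys/firmware/efi/efivars", &attrs);
    if (n < 0) {
        puts("efivarfs not available on this system");
        return 1;
    }
    if (n == 0) {
        puts("BootOrderSecureBootDisable is not present");
        return 0;
    }
    printf("WARNING: %d BootOrderSecureBootDisable variable(s) present, attrs=0x%x%s%s\n",
           n, attrs,
           (attrs & EFI_VARIABLE_NON_VOLATILE)   ? " [non-volatile: survives reboot]" : "",
           (attrs & EFI_VARIABLE_RUNTIME_ACCESS) ? " [runtime-accessible: settable from the OS]" : "");
    return 2;
}
```

A non-zero count on an unpatched Aspire or Extensa model is a sign that someone with elevated privileges has planted the trigger; the RUNTIME_ACCESS bit tells you it could have been created from the OS rather than by the firmware itself.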

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI), introduced in version 2.3.1, designed to detect tampering with boot loaders, OS files, and unauthorized option ROMs by validating their digital signatures. Images that fail validation are refused, so tampered boot components are stopped before the operating system loads.

By exploiting the flaw, threat actors can bypass this feature and run whatever code they want on the machine, malware or otherwise, even achieving persistence that survives a reinstall of the OS, the researchers said.

Different Manufacturer, Similar Security Vulnerability

Specifically, CVE-2022-4020 affects Acer Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G notebooks. The flaw creates a similar opportunity for attackers to the one caused by the vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 that ESET researchers found in early November in various Lenovo Yoga, IdeaPad and ThinkBook devices, and subsequently detailed extensively in a series of tweets.

As in that case, ESET reported the vulnerability to the computer manufacturer for remediation. Acer quickly responded on Nov. 29 with a security advisory corroborating Smolar's findings and stressing the serious nature of the flaw.

"By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process," the company said. "This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges."

Acer is working on a BIOS update to resolve the issue, which it will post on the Acer Support website, and recommends that affected customers update their BIOS to the latest version once it is available. The patch also will be included as a critical Windows update, the company said.

Common NVRAM Variable Problem

In both the Lenovo and Acer scenarios, attackers exploit the bug by creating a specific NVRAM variable. The variable's value is irrelevant; its mere existence is the only thing the affected firmware driver checks, the researchers noted.

UEFI boot-option NVRAM variables define a name for a boot option that can be displayed to a user; such a variable also contains a pointer to the hardware device and to the file on that device that holds the UEFI image to be loaded. Because a privileged OS process can create and modify NVRAM variables through the firmware's runtime services, a driver that treats one as a trusted flag is trusting data the OS controls.

This problem appears to be fairly well known, with researchers already advising firmware developers against storing security-sensitive state in these variables. Firmware security engineer Nikolaj Schlej even tweeted a plea to firmware developers in October to "stop using common NVRAM as trusted storage" because of the security problem it poses.

"It is indeed really tempting to use NVRAM or CMOS SRAM for storing triggers for various things, but both must be assumed being under full attacker control," he said in a response to his own tweet. "Even volatile NVRAM variables aren't completely safe because there's still a chance of incorrect attribute check."
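The existence-only check ESET describes, and the attribute check Schlej is alluding to, can be made concrete with a small model of a DXE driver. The code below is an added example written for this page, not Acer's driver or ESET's research code. The in-memory variable store and its get/set functions are stand-ins for the platform's GetVariable/SetVariable services and are assumptions for illustration; the attribute bit values are the ones defined by the UEFI specification. The model also encodes the rule that a variable set from the OS at runtime must carry RUNTIME_ACCESS, which is what lets the hardened variant distinguish an OS-planted variable from one created by firmware during boot services.

```c
/* Added example (not Acer's or ESET's code): a vulnerable "does the trigger
 * variable exist?" check beside a variant that inspects the variable's
 * attributes.  The store, Variable and VarStore types, set_variable_from_os
 * and the two secure_boot_enabled_* functions are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFI_VARIABLE_NON_VOLATILE        0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS  0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS      0x00000004u

#define TRIGGER_NAME "BootOrderSecureBootDisable"

/* Hypothetical in-memory variable store standing in for NVRAM. */
typedef struct {
    const char *name;
    uint32_t    attributes;
    uint8_t     data[8];
    size_t      size;
} Variable;

typedef struct {
    Variable vars[8];
    size_t   count;
} VarStore;

static const Variable *get_variable(const VarStore *s, const char *name)
{
    for (size_t i = 0; i < s->count; i++)
        if (strcmp(s->vars[i].name, name) == 0)
            return &s->vars[i];
    return NULL;
}

/* What an attacker with elevated privileges can do from the OS: call the
 * runtime SetVariable service.  After ExitBootServices the firmware only
 * accepts variables that carry RUNTIME_ACCESS (plus BOOTSERVICE_ACCESS),
 * so anything planted this way has those bits set.  The value written is
 * irrelevant: the vulnerable driver never looks at it. */
bool set_variable_from_os(VarStore *s, const char *name, uint32_t attrs)
{
    if (!(attrs & EFI_VARIABLE_RUNTIME_ACCESS) || !(attrs & EFI_VARIABLE_BOOTSERVICE_ACCESS))
        return false;                            /* rejected by the runtime service */
    if (s->count == sizeof s->vars / sizeof s->vars[0])
        return false;
    Variable *v = &s->vars[s->count++];
    v->name = name;
    v->attributes = attrs;
    v->size = 1;
    v->data[0] = 1;
    return true;
}

/* The pattern ESET describes: presence of the variable is the only thing
 * checked, so Secure Boot is disabled whenever it exists. */
bool secure_boot_enabled_vulnerable(const VarStore *s)
{
    return get_variable(s, TRIGGER_NAME) == NULL;
}

/* Hardened variant: honour the trigger only if it is a volatile,
 * boot-services-only variable, which the OS cannot create and which does
 * not survive a reboot.  A variable that is NON_VOLATILE or
 * RUNTIME_ACCESS is treated as attacker-controlled and ignored.  This
 * still relies on the variable service enforcing attributes correctly,
 * which is the residual risk Schlej points at; his stronger advice is not
 * to use NVRAM as trusted storage for such triggers at all. */
bool secure_boot_enabled_hardened(const VarStore *s)
{
    const Variable *v = get_variable(s, TRIGGER_NAME);
    if (v == NULL)
        return true;
    uint32_t untrusted = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS;
    if (v->attributes & untrusted)
        return true;                             /* ignore the planted trigger */
    return false;
}

int main(void)
{
    VarStore store = {0};
    /* Constructed attack: plant the trigger from the OS as a persistent variable. */
    set_variable_from_os(&store, TRIGGER_NAME,
        EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS);
    printf("vulnerable driver: Secure Boot %s\n",
           secure_boot_enabled_vulnerable(&store) ? "enabled" : "DISABLED");
    printf("hardened driver:   Secure Boot %s\n",
           secure_boot_enabled_hardened(&store) ? "enabled" : "DISABLED");
    return 0;
}
```

The attribute check closes the path used here, but it is a mitigation rather than a design fix: the trigger still lives in storage the OS can reach, and any bug in how the variable service validates attributes reopens it.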

In the case of the Lenovo flaws, it does appear that developers were already aware of the issue before it made its way into the company's laptops, as some of the affected components were only meant to be used during manufacturing and were mistakenly included in production firmware, according to ESET.
