A security company leads the coordinated disclosure of multiple high-risk vulnerabilities at Qualcomm snapdragon Slices.
Vulnerabilities have been identified in the Unified Extensible Firmware Interface (UEFI) firmware reference code and their impact on laptops and ARM-based devices using Qualcomm Snapdragon chipsets, According to Binarly Research.
Qualcomm revealed the vulnerabilities on January 5, with links to available patches. Lenovo also issued a prospectus and updating the BIOS to address defects in affected laptops. However, two of the vulnerabilities were not fixed, as Binarly noted.
If exploited, these vulnerabilities allow attackers to gain control of the system by modifying a variable in non-volatile memory, which stores data permanently, even when the system is turned off. Alex Matrosov, founder and CEO of Binarly says the modified variant will compromise the secure boot phase of the system, and an attacker can gain persistent access to the compromised systems once the vulnerability has been exploited.
“Basically, an attacker can manipulate variables from the operating system level,” says Matrosov.
Firmware flaws open the door to attacks
Secure Boot is a system that is deployed in most computers and servers to ensure that devices start up correctly. Adversaries can take control of the system if the boot process has been bypassed or under their control. They can execute malicious code before the operating system is loaded. Firmware vulnerabilities are like leaving a door open — an attacker can access system resources as they wish when the system is running, says Matrosov.
“The firmware part is important because an attacker can gain very interesting stability capabilities, so they can play long-term on the device,” says Matrosov.
The flaws are noticeable because they affect processors based on the ARM architecture, which are used in computers, servers, and mobile devices. A number of security issues have been discovered on x86 chips Intel And AMDHowever, Matrosov noted that this disclosure is an early indication of security flaws in ARM’s chip designs.
Firmware developers need to develop a security-first mindset, says Matrosov. Many computers today run on specifications provided by the UEFI forum, which provides hooks for software and hardware to interact.
“We found that OpenSSL, which is used in the UEFI firmware — it’s in the ARM version — is very old. For example, one of the major TPM providers called Infineon, they use an eight-year-old version of OpenSSL,” says Matrosov.
Remediation of affected systems
In its security bulletin, Lenovo said the vulnerability affected the BIOS of its ThinkPad X13s laptop. Updating the BIOS corrects the defects.
Binarly said in a research note that Microsoft Windows Dev Kit 2023, codenamed Project Volterra, is also affected by the vulnerability. Project Volterra is designed for programmers to write and test code for Windows 11. Microsoft is using the Project Volterra device to lure traditional x86 Windows developers into the ARM software ecosystem, and the device’s release was the first announcement at Microsoft’s Build and ARM DevSummit conferences last year.
the Meltdown and Specter vulnerabilities It greatly affected x86 chipsets in server and PC infrastructures. But discover ARM boot layer vulnerabilities It’s especially troubling because the build is driving a low-power mobile ecosystem, which includes 5G smartphones and base stations. Base stations are increasingly becoming the communications hub for high-end devices and cloud infrastructures. Attackers could act like operators, Matrosov says, and they would just persist in the base stations and no one would know.
System administrators need to prioritize fixing firmware flaws by understanding the risks their companies are exposed to and quickly addressing them, he says. Binary Deals Open source tools for finding firmware vulnerabilities.
“Not every company has policies for offering firmware fixes to their devices. I’ve worked for large companies in the past, and before I started my own company, none of them—even these hardware-related companies—had an in-house policy for updating firmware on employee laptops. This Not true, ”says Matrosov.