CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 12.6%
Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an attacker who gains administrative privileges on the local machine. The attacker uses Direct Memory Access (DMA) timing attacks to corrupt memory that SMM code relies on, which can lead to code execution in SMM. These threats are collectively referred to as RingHopper attacks.
The UEFI standard provides an open specification that defines a software interface between an operating system (OS) and the device hardware on the system. UEFI firmware can interface directly with hardware below the OS using SMM, a high-privilege CPU mode. SMM code and data live in a dedicated, CPU-protected region of memory called SMRAM, which is not accessible from other operating modes. SMM is entered through a System Management Interrupt (SMI); the SMI handlers that run in SMM exchange data with the caller through a communication buffer located in ordinary, OS-accessible memory. SMI handlers are essentially system calls into SMM from the CPU's current operating mode, typically protected mode.
A race condition between an SMI handler's validation of the caller-supplied data and its later use of that data can be won using DMA timing attacks that rely on time-of-check to time-of-use (TOCTOU) conditions. An attacker issues well-timed DMA writes to change the communication buffer after the handler has validated it, redirecting the handler into overwriting SMRAM with arbitrary data, so that attacker code runs with the privileges of SMM (i.e., Ring -2). Because DMA writes are asynchronous to CPU execution, they bypass the verification normally performed by the SMI handler on its communication buffer.
Intel VT and Intel VT-d provide some protection against DMA attacks by using an Input-Output Memory Management Unit (IOMMU) to restrict where devices may write. Although an IOMMU can protect SMRAM itself from DMA hardware attacks, SMI handlers vulnerable to RingHopper may still be abused, because the communication buffer lies in memory that the OS and its devices are legitimately allowed to write. SMRAM validation involving nested pointers (pointers stored inside the buffer that point to further caller-controlled data) adds even more complexity when analyzing how the various SMI handlers in a UEFI implementation are used.
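The check-then-use race described above, as an added example that is not part of the CERT/CC note or of any vendor's firmware: a model in plain C of an SMI handler that validates a destination pointer directly in the OS-supplied communication buffer and then re-reads it (the vulnerable pattern), beside a handler that first copies the buffer into SMRAM-resident storage and validates only the copy (the pattern EDK II's SMM secure-coding guidance recommends). The SMRAM memory map, the CommBuffer layout, the attacker_dma hook and the SmiResult type are assumptions constructed for the model; DMA is simulated by a callback that rewrites the shared buffer in the window between the handler's two fetches.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed memory map for this model: SMRAM occupies an 8 MiB window at
 * SMRAM_BASE. Real firmware reads the TSEG base/size from chipset registers. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical communication buffer layout: the OS asks the handler to write
 * `size` bytes of result to physical address `dest`. A model of how such
 * buffers are commonly laid out, not a particular vendor's format. */
typedef struct {
    uint64_t dest;
    uint64_t size;
} CommBuffer;

/* Outcome of one SMI: whether the request was accepted and which destination
 * the handler actually used at time of use. */
typedef struct {
    bool     accepted;
    uint64_t dest_used;
} SmiResult;

/* Models a DMA engine that rewrites the comm buffer while the handler runs. */
typedef void (*DmaHook)(volatile CommBuffer *shared);

static bool in_smram(uint64_t addr) {
    return addr >= SMRAM_BASE && addr < SMRAM_BASE + SMRAM_SIZE;
}

/* Range check in the spirit of EDK II's SmmIsBufferOutsideSmmValid(): rejects
 * zero-length ranges, ranges that wrap the address space, and any range that
 * overlaps SMRAM. */
static bool is_outside_smram(uint64_t addr, uint64_t size) {
    if (size == 0 || addr > UINT64_MAX - size)
        return false;
    uint64_t end = addr + size;                           /* exclusive */
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Vulnerable: validates `dest` in the shared buffer, then fetches it again to
 * use it. A DMA write landing between the two fetches wins the race. */
static SmiResult smi_handler_vulnerable(volatile CommBuffer *shared, DmaHook dma) {
    SmiResult r = { false, 0 };
    if (!is_outside_smram(shared->dest, shared->size))    /* time of check */
        return r;
    if (dma) dma(shared);                                 /* race window */
    r.accepted  = true;
    r.dest_used = shared->dest;                           /* time of use: 2nd fetch */
    return r;
}

/* Hardened: copies the buffer into SMRAM-resident storage once, validates the
 * copy, and never reads the shared memory again. DMA cannot reach `local`. */
static SmiResult smi_handler_hardened(volatile CommBuffer *shared, DmaHook dma) {
    SmiResult r = { false, 0 };
    CommBuffer local;
    local.dest = shared->dest;                            /* single fetch */
    local.size = shared->size;
    if (!is_outside_smram(local.dest, local.size))
        return r;
    if (dma) dma(shared);                                 /* same window, now harmless */
    r.accepted  = true;
    r.dest_used = local.dest;
    return r;
}

/* Attacker's DMA write: swap the already-validated destination for an address
 * inside SMRAM. */
static void attacker_dma(volatile CommBuffer *shared) {
    shared->dest = SMRAM_BASE + 0x1000;
}

int main(void) {
    CommBuffer buf = { 0x10000000ULL, 0x1000ULL };        /* benign-looking request */
    SmiResult v = smi_handler_vulnerable(&buf, attacker_dma);
    printf("vulnerable: accepted=%d dest=0x%llx in_smram=%d\n",
           v.accepted, (unsigned long long)v.dest_used, in_smram(v.dest_used));

    buf.dest = 0x10000000ULL;
    SmiResult h = smi_handler_hardened(&buf, attacker_dma);
    printf("hardened:   accepted=%d dest=0x%llx in_smram=%d\n",
           h.accepted, (unsigned long long)h.dest_used, in_smram(h.dest_used));
    return 0;
}
```

The same copy-before-validate rule has to be applied at every level of indirection: when the communication buffer contains a pointer to a second caller-controlled structure, that structure must also be copied into SMRAM before any of its fields is checked, since a pointer that still lives in OS memory can be swapped under the handler in exactly the way shown. This is why the nested-pointer validation mentioned above is where many real handlers go wrong.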
An attacker with either local or remote administrative privileges can exploit these DMA timing attacks to elevate privileges beyond the operating system and execute arbitrary code in SMM (Ring -2). The attacks are invoked from the OS through vulnerable SMI handlers. In some cases the vulnerabilities can also be triggered during the UEFI early boot phases (as well as sleep and recovery), before the operating system is fully initialized.
A successful attack enables any of the following impacts:
Because these attacks target the UEFI firmware beneath the operating system, OS and EDR solutions may have diminished visibility into the unauthorized access.
Install the latest stable version of UEFI firmware provided by your PC vendor or by the reseller of your computing environments. See the links below for resources and updates provided by specific vendors to address these issues.
If your operating system supports automatic or managed updates for firmware, such as the Linux Vendor Firmware Service (LVFS), check for available updates (fwupdmgr get-updates) and apply the firmware updates provided by LVFS (fwupdmgr update) as appropriate.
Thanks to the Intel iStare researchers Jonathan Lusky and Benny Zeltser who discovered and reported this vulnerability.
This document was written by Vijay Sarvepalli and Jeffrey S. Havrilla.
434994
Notified: 2022-01-10 | Updated: 2022-11-10 | Statement Date: November 09, 2022
CVE-2021-33164: Affected
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2023-01-25 | Statement Date: January 25, 2023
CVE-2021-33164: Affected
We have not received a statement from the vendor.

Notified: 2022-09-14 | Updated: 2024-05-06 | Statement Date: May 06, 2024
CVE-2021-33164: Affected
Fujitsu is aware of the vulnerabilities in Insyde firmware (InsydeH2O UEFI-BIOS) known as "RingHopper".
Fujitsu CCD (Client Computing Device) mobile devices are affected.
The Fujitsu PSIRT released FCCL-IS-2022-110801 on https://security.ts.fujitsu.com (Security Notices) accordingly.
In case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT ([email protected]).

Notified: 2022-01-10 | Updated: 2022-11-10 | Statement Date: January 11, 2022
CVE-2021-33164: Affected
We have not received a statement from the vendor.

Notified: 2022-02-23 | Updated: 2022-11-10 | Statement Date: November 09, 2022
CVE-2021-33164: Affected
Some versions of Insyde's InsydeH2O product are affected by this vulnerability. Insyde has released mitigations for these. Public information and further details can be found on the Insyde security page https://www.insyde.com/security-pledge.

Notified: 2022-01-10 | Updated: 2022-11-08 | Statement Date: November 07, 2022
CVE-2021-33164: Affected
Intel is releasing a public security advisory pertaining to this issue, INTEL-SA-00752, on November 8, 2022. This advisory will be available here on that date: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00752.html. This issue has been assigned CVE-2021-33164.

Notified: 2022-01-26 | Updated: 2022-11-08 | Statement Date: June 20, 2022
CVE-2021-33164: Not Affected
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08 | Statement Date: March 24, 2022
CVE-2021-33164: Not Affected
We have reviewed our code and do NOT believe we are affected by this vulnerability.

Notified: 2022-01-10 | Updated: 2022-11-08 | Statement Date: January 20, 2022
CVE-2021-33164: Not Affected
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-08-22 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-19 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-08-22 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-02-18 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08 | Statement Date: June 21, 2022
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-19 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-02-09 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-01-10 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.

Notified: 2022-08-22 | Updated: 2022-11-08
CVE-2021-33164: Unknown
We have not received a statement from the vendor.
CVE IDs: CVE-2021-33164
API URL: VINCE JSON
Date Public: 2022-11-08
Date First Published:
https://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html
https://eclypsium.com/2020/01/30/direct-memory-access-attacks/
https://edk2-docs.gitbook.io/a-tour-beyond-bios-memory-protection-in-uefi-bios/memory-protection-in-smm
https://edk2-docs.gitbook.io/edk-ii-secure-coding-guide/secure_coding_guidelines_general
https://fwupd.org/lvfs/docs/users
https://jvn.jp/vu/JVNVU96604488/
https://www.intel.com/content/dam/develop/external/us/en/documents/intel-whitepaper-using-iommu-for-dma-protection-in-uefi-820238.pdf
https://www.sentinelone.com/labs/another-brick-in-the-wall-uncovering-smm-vulnerabilities-in-hp-firmware/