BIOS flaws put Intel, Lenovo, and many others at risk


Key notes

  • Security experts have uncovered a flaw in computer hardware that could allow hackers to quietly access your hardware, infect it with malware and even steal your sensitive data.
  • These flaws are located in the BIOS (Basic Input Output System) firmware that preps your computer for booting.
  • A major BIOS security flaw, in which firmware authentication can be bypassed, means that hackers will be able to take control of your PC.

Windows users on Lenovo, Intel and other PCs will not like the news that a serious BIOS vulnerability is looming.

The flaws, which can be exploited to gain full administrative control of a target system, were discovered by firmware protection company Binarly.

The company claims more than two dozen hardware manufacturers are affected, including top-end OEMs such as Intel, AMD and Lenovo.

High-impact flaws

UEFI stands for Unified Extensible Firmware Interface, the firmware layer underlying all modern PCs.

It provides a standardized way for devices to interact with each other, including communicating over a network, and it lets administrators manage the configuration of devices such as printers, webcams and more.


Insyde’s UEFI firmware is affected by 23 flaws that would allow attackers to gain full control of the computer while maintaining remote access. These vulnerabilities are categorized as critical and high-impact.

Twenty-three severe flaws

Twenty-three of these vulnerabilities have been classified as critical or high severity. They would allow malicious actors to access the endpoint in a number of ways, including keylogging attacks, a system information leak or full physical access.

The 23 flaws are tracked as: CVE-2020-27339, CVE-2020-5953, CVE-2021-33625, CVE-2021-33626, CVE-2021-33627, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-41840, CVE-2021-41841, CVE-2021-42059, CVE-2021-42060, CVE-2021-42113, CVE-2021-42554, CVE-2021-43323, CVE-2021-43522, CVE-2021-43615, CVE-2021-45969, CVE-2021-45970, CVE-2021-45971, CVE-2022-24030, CVE-2022-24031, CVE-2022-24069.

Three of them, CVE-2021-45969, CVE-2021-45970 and CVE-2021-45971, have a rating of 9.8 out of 10 and are classified as high-impact.

The root cause of the problem was found in the reference code of the InsydeH2O firmware framework. All of the aforementioned vendors (over 25) were using the Insyde-based firmware SDK to develop their UEFI firmware.

Patches to address the issue

Security researchers at Insyde have discovered that there is an extremely serious security flaw in the firmware of some of Intel’s processors.

Security patches are a good thing, but they aren’t always released quickly enough. Insyde has released firmware patches to address the issue, but these now need to be adopted by the OEMs and shipped for the affected products, and that might take a while.

In other words, you might get a patch for your PC today, but it might not work until tomorrow. Furthermore, your PC might become inoperable after you install it if you don’t also install a patch for another piece of software that you use on a daily basis.

Some OEMs have also yet to confirm whether they are affected, so it will be a while. You can also update your BIOS easily if you haven’t already.
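Before updating, it helps to know what firmware a machine is actually running so you can compare it against the OEM's fixed-version table. The PowerShell script below is an added example, not code from the article, Binarly or Insyde. It assumes a Windows host with the standard `Win32_BIOS` and `Win32_ComputerSystem` CIM classes and the `Confirm-SecureBootUEFI` cmdlet; the `Insyde` string match is a heuristic assumption, since OEMs often rebrand the firmware, and the minimum release date is a placeholder you take from your OEM's advisory.

```powershell
# Added example (not from the article or from Binarly/Insyde): inventory the
# firmware on a Windows machine so it can be compared against the OEM advisory
# for the Insyde-based UEFI flaws. The 'Insyde' string match is a heuristic
# assumption; a miss does not prove the system is unaffected.

function Get-FirmwareInventory {
    [CmdletBinding()]
    param()

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems or without admin
    # rights, so report "Unknown" instead of failing the whole inventory.
    $secureBoot = 'Unknown'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $secureBoot = "Unknown ($($_.Exception.Message))"
    }

    # Heuristic (assumption): Insyde-derived firmware sometimes identifies
    # itself in the SMBIOS vendor or version strings.
    $strings    = @($bios.Manufacturer, $bios.Name, $bios.Version, $bios.SMBIOSBIOSVersion)
    $insydeHint = ($strings -join ' ') -match 'Insyde'

    [PSCustomObject]@{
        OemManufacturer   = $cs.Manufacturer
        OemModel          = $cs.Model
        FirmwareVendor    = $bios.Manufacturer
        FirmwareVersion   = $bios.SMBIOSBIOSVersion
        FirmwareReleased  = $bios.ReleaseDate      # Get-CimInstance returns a DateTime
        SecureBoot        = $secureBoot
        InsydeStringFound = $insydeHint
    }
}

# Flag firmware released before the date of the OEM's fixed build.
# The date is a placeholder: take the real one from the OEM advisory.
function Test-FirmwareNeedsUpdate {
    param(
        [Parameter(Mandatory)] [datetime] $MinimumReleaseDate
    )
    $inv = Get-FirmwareInventory
    $outdated = ($null -eq $inv.FirmwareReleased) -or ($inv.FirmwareReleased -lt $MinimumReleaseDate)
    $inv | Add-Member -NotePropertyName NeedsUpdate -NotePropertyValue $outdated -PassThru
}

# Example run (placeholder date, not from any advisory):
Test-FirmwareNeedsUpdate -MinimumReleaseDate (Get-Date '2022-02-01') | Format-List
```

Run it in an elevated PowerShell session so the Secure Boot query succeeds; on a fleet, collect the objects centrally and match `OemModel` and `FirmwareVersion` against each OEM's published fixed versions rather than relying on the release date alone.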

Has your PC been affected by the BIOS flaws? Let us know in the comment section below.