CVE-2022-40261

SMM memory corruption vulnerability in OverClockSmiHandler SMM driver

Severity Score

8.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS. Such a malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors). This issue affects: Module name: OverClockSmiHandler SHA256: a204699576e1a48ce915d9d9423380c8e4c197003baf9d17e6504f0265f3039c Module GUID: 4698C2BD-A903-410E-AD1F-5EEF3A1AE422

Un atacante puede explotar esta vulnerabilidad para elevar los privilegios del anillo 0 al anillo -2, ejecutar código arbitrario en el Modo de Administración del Sistema - un entorno más privilegiado que el sistema operativo (SO) y completamente aislado de él. La ejecución de código arbitrario en el SMM también evita las protecciones de la flash SPI basadas en el SMM contra las modificaciones, lo que puede ayudar a un atacante a instalar una puerta trasera/implante de firmware en la BIOS. Este código de firmware malicioso en la BIOS podría persistir a través de las reinstalaciones del sistema operativo. Además, esta vulnerabilidad podría ser usada por actores maliciosos para omitir los mecanismos de seguridad proporcionados por el firmware UEFI (por ejemplo, Secure Boot y algunos tipos de aislamiento de memoria para hipervisores). Este problema afecta: Nombre del módulo: OverClockSmiHandler SHA256: a204699576e1a48ce915d9d9423380c8e4c197003baf9d17e6504f0265f3039c GUID del módulo: 4698C2BD-A903-410E-AD1F-5EEF3A1E422

*Credits: Binarly efiXplorer team

CVSS Scores

NISTv3.1 8.2

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-08 CVE Reserved
2022-09-20 CVE Published
2024-03-03 EPSS Updated
2024-09-17 CVE Updated
2024-09-17 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://www.binarly.io/advisories/BRLY-2022-003	2024-09-17

URL	Date	SRC

URL	Date	SRC
https://www.ami.com/security-center	2022-09-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Intel Search vendor "Intel"	Nuc M15 Laptop Kit Lapbc510 Firmware Search vendor "Intel" for product "Nuc M15 Laptop Kit Lapbc510 Firmware"	-	-	Affected	in	Intel Search vendor "Intel"	Nuc M15 Laptop Kit Lapbc510 Search vendor "Intel" for product "Nuc M15 Laptop Kit Lapbc510"	-	-	Safe
Intel Search vendor "Intel"	Nuc M15 Laptop Kit Lapbc710 Firmware Search vendor "Intel" for product "Nuc M15 Laptop Kit Lapbc710 Firmware"	-	-	Affected	in	Intel Search vendor "Intel"	Nuc M15 Laptop Kit Lapbc710 Search vendor "Intel" for product "Nuc M15 Laptop Kit Lapbc710"	-	-	Safe
Ami Search vendor "Ami"		Aptio V Search vendor "Ami" for product "Aptio V"				5.0 Search vendor "Ami" for product "Aptio V" and version "5.0"		-		Affected