CVE-2022-28806 Information

Description

An issue was discovered on certain Fujitsu LIEFBOOK devices (A3510 U9310 U7511/U7411/U7311 U9311 E5510/E5410 U7510/U7410/U7310 E459/E449) with BIOS versions before v1.09 (A3510) v2.17 (U9310) v2.30 (U7511/U7411/U7311) v2.33 (U9311) v2.23 (E5510) v2.19 (U7510/U7410) v2.13 (U7310) and v1.09 (E459/E449). The FjGabiFlashCoreAbstractionSmm driver registers a Software System Management Interrupt (SWSMI) handler that is not sufficiently validated to ensure that the CommBuffer (or any other communication buffer’s nested contents) are not pointing to SMRAM contents. A potential attacker can therefore write fixed data to SMRAM which could lead to data corruption inside this memory (e.g. change the SMI handler’s code or modify SMRAM map structures to break input pointer validation for other SMI handlers). Thus the attacker could elevate privileges from ring 0 to ring -2 and execute arbitrary code in SMM.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.binarly.io/advisories https://support.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FCCL-IS-2021-090903-Security-Advisory.asp http://www.fmworld.net/biz/common/insyde/20220210/ https://kb.cert.org/vuls/id/796611

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8