This release includes the following updates and new features:

• Fix some vulnerabilities.

• CVE-2022-36338

  An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating SMM, leads to arbitrary code execution. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then generate a software SMI.

• CVE-2022-35897

  An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoot, RestoreBootSettings), it is possible to execute arbitrary code.

• CVE-2022-35896

  An issue SMM memory leak vulnerability in SMM driver (SMRAM was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An attacker can dump SMRAM contents via the software SMI provided by the FvbServicesRuntimeDxe driver to read the contents of SMRAM, leading to information disclosure.

• CVE-2022-35895

  An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The FwBlockSericceSmm driver does not properly validate input parameters for a software SMI routine, leading to memory corruption of arbitrary addresses including SMRAM, and possible arbitrary code execution.

• CVE-2022-35894

  An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker-specified buffer, leading to information disclosure.

• CVE-2022-35893
• CVE-2022-35408
• CVE-2022-35407
• CVE-2022-33894
• CVE-2022-30283
• CVE-2022-29275
• CVE-2022-27497
• CVE-2022-27405
• CVE-2022-26893
• CVE-2022-26845
• CVE-2022-21198
• CVE-2021-33159
• CVE-2021-28211
• CVE-2021-28210

• Contains Absolute Computrace Agent More info
• Contains Intel Boot Guard More info
• Update is cryptographically signed More info
• Added to the LVFS by Fujitsu More info
• Firmware can be verified after flashing More info
• Virus checked using ClamAV More info
• Issues found using FwHunt from Binarly More info
• Firmware has no attestation checksums More info
• Firmware has no detected SBoM More info

This release includes the following updates and new features:

• Improved system stability.
• Fix some vulnerabilities.

• CVE-2021-0114

  Unchecked return value in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

• CVE-2021-0119

  Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

• CVE-2021-0118

  Out-of-bounds read in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

• CVE-2021-0117

  Pointer issues in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

• CVE-2021-0124

  Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

• CVE-2021-0127

  Insufficient control flow management in some Intel(R) Processors may allow an authenticated user to potentially enable a denial of service via local access.

• CVE-2021-0125

  Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

• CVE-2021-33124

  Out-of-bounds write in the BIOS authenticated code module for some Intel(R) Processors may allow a privileged user to potentially enable aescalation of privilege via local access.

• CVE-2021-33123

  Improper access control in the BIOS authenticated code module for some Intel(R) Processors may allow a privileged user to potentially enable aescalation of privilege via local access.

• CVE-2021-33122

  Insufficient control flow management in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable aescalation of privilege via local access.

• CVE-2021-33103

  Unintended intermediary in the BIOS authenticated code module for some Intel(R) Processors may allow a privileged user to potentially enable aescalation of privilege via local access.

• CVE-2022-21166

  Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

• CVE-2022-21151

  Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

• CVE-2022-21127

  Incomplete cleanup in specific special register read operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

• CVE-2022-21123

  Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

• VU#796611

  SMM callout vulnerability in SMM driver on Fujitsu device (SMM arbitrary code execution). Vulnerability exists in software System Management Interrupt (SWSMI) handler located at offset `0x474` in module `AsfSecureBootSmm`. SWSMI handler with number `0x56` dereferences gRT (EFI_RUNTIME_SERVICES) pointer to call a `GetVariable` service, which is located outside of SMRAM.Hence, this can result in code execution in SMM (escalating privilege from ring 0 to ring -2).

• CVE-2020-27339

  A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated table EFI_BOOT_SERVICES. This can be used by an attacker to overwrite service EFI_BOOT_SERVICES address location to the address location of arbitrary code controlled by the attacker. On system call to SWSMI handler, the arbitrary code can be triggered to execute the unwanted code. See further details in attachment BRLY-2021-020.md.

• CVE-2022-29279
• CVE-2022-24030

  SMM memory corruption vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in child SW SMI handler registered with GUID `56947330-585c-4470-a95d-c55c529feb47` and located at offset `0x1328` in the driver. See BRLY-2021-026.md for details.

• CVE-2022-0005

  Sensitive information accessible by physical probing of JTAG interface for some Intel(R) Processors with SGX may allow an unprivileged user to potentially enable information disclosure via physical access.

• CVE-2022-0004

  Hardware debug modes and processor INIT setting that allow override of locks for some Intel(R) Processors in Intel(R) Boot Guard and Intel(R) TXT may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

• CVE-2021-41837

  An unsafe pointer vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler. An attacker can use this unsafe pointer "current_ptr" to read or write or manipulate data into SMRAM. Exploitation of this vulnerability can lead to escalation of privileges reserved only for SMM using the SwSMI handler. See further details in attachment BRLY-2021-009.md.

• CVE-2021-33625

  SMM memory corruption vulnerability in combined DXE/SMM driver on BullSequana Edge server. The vulnerability exists in SW SMI handler registered with GUID `9c28be0c-ee32-43d8-a223-e7c1614ef7ca` and located at offset `0x23B0` in the driver. See BRLY-2021-029.md for details.

• CVE-2021-0158

  Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

• CVE-2021-0156

  Improper input validation in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable an escalation of privilege via local access.

• CVE-2021-0116

  Out-of-bounds write in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

• CVE-2021-0115

  Buffer overflow in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

• CVE-2021-0111

  NULL pointer dereference in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

• CVE-2021-0107
• CVE-2021-0103
• CVE-2021-0091
• CVE-2020-8760
• CVE-2020-8758
• CVE-2020-8757
• CVE-2020-8756
• CVE-2020-8755
• CVE-2020-8754
• CVE-2020-8753
• CVE-2020-8752
• CVE-2020-8749
• CVE-2020-8747
• CVE-2020-8746
• CVE-2020-8745
• CVE-2020-8744
• CVE-2020-8705
• CVE-2020-8703
• CVE-2020-8696
• CVE-2020-8695
• CVE-2020-8694
• CVE-2020-24512
• CVE-2020-24512
• CVE-2020-24507
• CVE-2020-24506
• CVE-2020-12359
• CVE-2020-12356
• CVE-2020-12303
• CVE-2020-0570
• CVE-2019-14562
• CVE-2019-14559

• Contains Absolute Computrace Agent More info
• Contains Intel Boot Guard More info
• Update is cryptographically signed More info
• Added to the LVFS by Fujitsu More info
• Firmware can be verified after flashing More info
• Virus checked using ClamAV More info
• Issues found using FwHunt from Binarly More info
• Firmware has no attestation checksums More info
• Firmware has no detected SBoM More info