Full Report
Insyde published information on vulnerabilities in Insyde BIOS on November 8th 2022. These vulnerabilities also affect the RUGGEDCOM APE1808 product family. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Insyde BIOS TOCTOU Flaws in RUGGEDCOM APE1808
## CVE Details
- **CVE ID:** CVE-2022-33980, CVE-2022-33982, CVE-2022-33984
- **CVSS Score:** 7.0 (High) for CVE-2022-33980/33984; 6.4 (Medium) for CVE-2022-33982
- **CWE:** CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
## Affected Systems
- **Products:** Siemens RUGGEDCOM APE1808 product family (including ADM, CKP, CloudConnect, ELAN, SAM-L, and CLA-P variants).
- **Versions:** All BIOS versions prior to V1.0.212N.
- **Configurations:** Systems utilizing Insyde BIOS software SMI handlers (specifically SdMmcDevice and Int15ServiceSmm).
## Vulnerability Description
Multiple vulnerabilities exist in the Insyde BIOS where software System Management Interrupt (SMI) handlers fail to properly protect input buffers.
- **CVE-2022-33980 & CVE-2022-33984:** DMA (Direct Memory Access) transactions targeting input buffers used for the `SdMmcDevice` SMI handler can lead to a TOCTOU race condition.
- **CVE-2022-33982:** DMA attacks on the parameter buffer used by the `Int15ServiceSmm` software SMI handler.
In these scenarios, an attacker can modify the memory contents between the time the BIOS checks the data and the time it uses it, potentially leading to the corruption of System Management RAM (SMRAM) and subsequent arbitrary code execution at the SMM level.
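The check-then-use gap described above is the generic CWE-367 pattern, so the following model is worth seeing side by side with its fix. It is an added example written for this summary, not Insyde or Siemens firmware, and every name in it (`comm_buffer`, `DEST_MAX`, `SHARED_DATA`, the `smram` array, the DMA hook) is a hypothetical stand-in: a parameter block sits in memory a DMA-capable device can reach, the handler validates a length field there, and a simulated DMA write lands between the check and the use. The vulnerable handler re-reads the shared field at the time of use; the hardened handler copies the whole block into SMRAM-resident storage first and validates only the private copy, which is the standard mitigation for this class of SMI-handler flaw.

```c
/* Added example (model code, not Insyde or Siemens firmware): the CWE-367
 * pattern behind these SMI-handler flaws. A parameter block sits in memory
 * that a DMA-capable device can reach; the handler validates a length field
 * there and then copies that many bytes into SMRAM-resident storage.
 * The DMA write is simulated by a hook called between the check and the use. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEST_MAX    64    /* hypothetical size of the handler's SMRAM destination */
#define SHARED_DATA 128   /* hypothetical size of the shared data area */

/* Hypothetical layout of the caller-supplied parameter block (not Insyde's). */
struct comm_buffer {
    uint32_t length;              /* bytes the caller asks the handler to copy */
    uint8_t  data[SHARED_DATA];
};

/* Simulated SMRAM: the destination buffer followed by other SMRAM contents
 * that the handler must never write. */
static uint8_t smram[2 * DEST_MAX];

typedef void (*dma_hook_t)(struct comm_buffer *);

/* Vulnerable pattern: validates through the shared pointer, then dereferences
 * it again at the time of use, so a DMA write in between is honoured. */
int handler_vulnerable(struct comm_buffer *shared, dma_hook_t race)
{
    if (shared->length > DEST_MAX)                  /* time of check */
        return -1;
    if (race)
        race(shared);                               /* DMA transaction lands here */
    for (uint32_t i = 0; i < shared->length; i++)   /* time of use re-reads length */
        smram[i] = shared->data[i];
    return (int)shared->length;
}

/* Hardened pattern: copy the whole block into SMRAM first, then validate and
 * use only the private copy. Later DMA writes hit the stale shared copy only. */
int handler_hardened(struct comm_buffer *shared, dma_hook_t race)
{
    struct comm_buffer local;                       /* on the SMM stack, inside SMRAM */
    memcpy(&local, shared, sizeof local);
    if (local.length > DEST_MAX)
        return -1;
    if (race)
        race(shared);
    for (uint32_t i = 0; i < local.length; i++)
        smram[i] = local.data[i];
    return (int)local.length;
}

/* Returns the number of bytes written outside the destination region. */
size_t smram_corrupted_bytes(void)
{
    size_t n = 0;
    for (size_t i = DEST_MAX; i < sizeof smram; i++)
        if (smram[i] != 0)
            n++;
    return n;
}

/* Constructed DMA write: enlarges the length field after the check has passed. */
static void dma_grow_length(struct comm_buffer *b)
{
    b->length = SHARED_DATA;
}

/* Runs one scenario with a constructed 32-byte request and returns how many
 * SMRAM bytes outside the destination were overwritten (0 means no corruption). */
size_t run_scenario(int hardened)
{
    struct comm_buffer b;
    b.length = 32;
    memset(b.data, 0x41, sizeof b.data);            /* constructed payload */
    memset(smram, 0, sizeof smram);
    if (hardened)
        handler_hardened(&b, dma_grow_length);
    else
        handler_vulnerable(&b, dma_grow_length);
    return smram_corrupted_bytes();
}

int main(void)
{
    printf("vulnerable handler: %zu SMRAM bytes corrupted\n", run_scenario(0));
    printf("hardened handler:   %zu SMRAM bytes corrupted\n", run_scenario(1));
    return 0;
}
```

The point of the hardened version is that the copy into SMRAM is the only read of the shared block; validation and use both operate on data the device can no longer reach. In a real handler the same discipline applies to every field of the communication buffer, including pointers and offsets embedded in it, not just the length.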
## Exploitation
- **Status:** PoC available (indicated by "E:P" in the CVSS vector).
- **Complexity:** High (Requires winning a race condition via DMA).
- **Attack Vector:** Local (Attacker must have local access to the system).
## Impact
- **Confidentiality:** High (Full access to SMRAM data).
- **Integrity:** High (Ability to corrupt SMRAM and modify system firmware behavior).
- **Availability:** High (Potential for system instability or permanent denial of service).
## Remediation
### Patches
Siemens recommends updating the BIOS to **V1.0.212N** or later for all affected RUGGEDCOM APE1808 models.
- Download Link: hxxps://support.industry.siemens.com/cs/in/en/view/109814796
### Workarounds
The advisory does not list specific functional workarounds. Organizations should prioritize the firmware update to mitigate the risk of SMM-level exploitation.
## Detection
- **Indicators of compromise:** Unauthorized attempts to modify SMRAM or unexpected system crashes/reboots during BIOS-level operations.
- **Detection methods and tools:** Monitoring for unusual DMA activity; utilizing platform integrity tools that verify the BIOS signature and version.
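Checking the reported BIOS version against the fixed version is the simplest of the integrity checks listed above, and it is easy to get wrong when version strings carry a letter suffix. The following is an added example written for this summary, not a Siemens or Insyde tool. It assumes versions have the form `V<major>.<minor>.<build><letter>` as in `V1.0.212N`, that the numeric parts compare first and the trailing letter breaks ties alphabetically (an absent letter ranking below any letter), and that the inventory source (for instance `dmidecode -s bios-version` on Linux) reports the string in that form; those ordering and format assumptions are the author's, not the advisory's.

```c
/* Added example (not a Siemens or Insyde tool): classify a reported BIOS
 * version string against the fixed version V1.0.212N from the advisory.
 * Assumptions: versions look like V<major>.<minor>.<build><letter>, numeric
 * parts compare first, and the trailing letter breaks ties alphabetically. */
#include <stdio.h>
#include <string.h>

struct bios_version {
    int  major, minor, build;
    char rev;   /* trailing upper-case letter, 0 when absent */
};

/* Parses "V1.0.212N" (leading whitespace, upper- or lower-case V accepted).
 * Returns 1 on success, 0 on malformed input. */
int parse_bios_version(const char *s, struct bios_version *v)
{
    char rev = 0;
    int n = sscanf(s, " %*1[Vv]%d.%d.%d%c", &v->major, &v->minor, &v->build, &rev);
    if (n < 3)
        return 0;
    v->rev = (n == 4 && rev >= 'A' && rev <= 'Z') ? rev : 0;
    return 1;
}

/* Three-way comparison in the assumed ordering: -1, 0 or 1. */
int bios_version_cmp(const struct bios_version *a, const struct bios_version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->build != b->build) return a->build < b->build ? -1 : 1;
    if (a->rev   != b->rev)   return a->rev   < b->rev   ? -1 : 1;
    return 0;
}

/* 1 = at or above the fixed version, 0 = affected, -1 = unparseable string. */
int bios_is_patched(const char *reported)
{
    struct bios_version have, fixed;
    if (!parse_bios_version(reported, &have))
        return -1;
    parse_bios_version("V1.0.212N", &fixed);   /* fixed version stated in the advisory */
    return bios_version_cmp(&have, &fixed) >= 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample strings; only V1.0.212N itself comes from the advisory. */
    const char *samples[] = { "V1.0.200N", "V1.0.212M", "V1.0.212N", "V1.0.213A", "not-a-version" };
    static const char *verdict[] = { "UNPARSEABLE", "AFFECTED", "PATCHED" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i], verdict[bios_is_patched(samples[i]) + 1]);
    return 0;
}
```

Feed it the version column of a fleet inventory export and treat an `UNPARSEABLE` verdict as a prompt to check the device by hand rather than as a pass; a version check also says nothing about whether the firmware image is genuine, which is what the signature verification mentioned above is for.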
## References
- Siemens Security Advisory: hxxps://cert-portal.siemens.com/productcert/html/ssa-450613.html
- Insyde Security Pledge (SA-2022050): hxxps://www.insyde.com/security-pledge/SA-2022050
- Insyde Security Pledge (SA-2022054): hxxps://www.insyde.com/security-pledge/SA-2022054
- Siemens ProductCERT: hxxps://www.siemens.com/cert/advisories