A security company is leading the coordinated vulnerability disclosure of multiple high-severity vulnerabilities in the Qualcomm Snapdragon chipset.

The vulnerabilities were identified in the Unified Extensible Firmware Interface (UEFI) firmware reference code and impacts ARM-based laptops and devices using Qualcomm Snapdragon chips, according to Binarly Research.

Qualcomm disclosed the vulnerabilities on Jan. 5, along with links to available patches. Lenovo has also issued a bulletin and a BIOS update to address the flaws in affected laptops. However, two of the vulnerabilities are still not fixed, Binarly noted.

If exploited, these hardware vulnerabilities allow attackers to gain control of the system by modifying a variable in nonvolatile memory, which stores data permanently, even when a system is turned off. The modified variable will compromise the secure boot phase of a system, and an attacker can gain persistent access to compromised systems once the exploit is in place, says Alex Matrosov, founder and CEO of Binarly.

"Basically, the attacker can manipulate variables from the operating system level," Matrosov says.

Firmware Flaws Open the Door to Attacks

Secure boot is a system deployed in most PCs and servers to ensure that devices start properly. Adversaries can take control of the system if the boot process is either bypassed or under their control. They can execute malicious code before the operating system is loaded. Firmware vulnerabilities are like leaving a door open — an attacker can gain access to system resources as and when they please when the system is switched on, Matrosov says.

"The firmware piece is important because the attacker can gain very, very interesting persistence capabilities, so they can play for the long term on the device," Matrosov says.

The flaws are notable because they affect processors based on the ARM architecture, which are used in PCs, servers, and mobile devices. A number of security problems have been discovered on x86 chips from Intel and AMD, but Matrosov noted that this disclosure is an early indicator of security flaws existing in ARM chip designs.

Firmware developers need to develop a security-first mindset, Matrosov says. Many PCs today boot based on specifications provided by UEFI Forum, which provides the hooks for the software and hardware to interact.

"We found that OpenSSL, which is used in UEFI firmware — it's in the ARM version — is very outdated," Matrosov says. "As an example, one of the major TPM providers called Infineon, they use an 8-year-old OpenSSL version."

Addressing Affected Systems

In its security bulletin, Lenovo said the vulnerability affected the BIOS of the ThinkPad X13s laptop. The BIOS update patches the flaws.

Microsoft's Windows Dev Kit 2023, code-named Project Volterra, is also impacted by the vulnerability, Binarly said in a research note. Project Volterra is designed for programmers to write and test code for the Windows 11 operating system. Microsoft is using the Project Volterra device to lure conventional x86 Windows developers into the ARM software ecosystem, and the device's release was a top announcement at Microsoft's Build and ARM's DevSummit conferences last year.

The Meltdown and Spectre vulnerabilities largely affected x86 chips in server and PC infrastructures. But the discovery of vulnerabilities in ARM's boot layer is particularly concerning because the architecture is driving a low-power mobile ecosystem, which includes 5G smartphones and base stations. The base stations are increasingly at the center of communications for edge devices and cloud infrastructures. Attackers could behave like operators, and they will have persistence at base stations and nobody will know, Matrosov says.

System administrators need to prioritize patching firmware flaws by understanding the risk to their company and addressing it quickly, he says. Binarly offers open source tools to detect firmware vulnerabilities.

Patching systems with firmware can be complicated, and isn't as simple as patching software. Companies need to weigh the risks in patching systems in diverse hardware environments with x86 and ARM processors, and set patching priorities accordingly. It's easy to push patches in a standardized hardware infrastructure, for example, on systems with Intel's vPro technology. vPro includes system and remote management tools that provide high-level visibility and remote delivery of firmware to devices. But Intel's vPro tools won't be able to detect the firmware status on systems with AMD or ARM processors. 

Patching of systems is largely a manual process that depends on the hardware and chip vendors, and the timeline at which they release patches. Companies are also limited by patching timelines. Lenovo, HP and Dell have different firmware patch cycles, and in some cases, don't even look for vulnerabilities in other devices, and many of those complications remain undisclosed. That creates a security gap, Matrosov said, adding that "when supply chain problems come to the firmware, it's got a long-term impact."

"Not every company has policies to deliver firmware fixes to their devices," Matrosov says. "I have worked for large companies in the past, and before I started my own company, none of them — even these hardware-related companies — had an internal policy to update the firmware on employee laptops and devices. This is not right."