Qualcomm UEFI Security Flaw

Qualcomm Snapdragon chip enabled devices are potentially vulnerable to UEFI firmware flaws, and patches were released by the chip maker.

Researcherd discovered a total of nine vulnerabilities while analyzing the firmware for Lenovo Thinkpad X13s laptops powered by the Qualcomm Snapdragon system-on-a-chip.

Those discovered flaws were specific to Lenovo devices and impacted Qualcomm reference code. This makes researchers think that these flaw are also present in laptops and other devices using Snapdragon.

The Snapdragon CPU uses the Arm architecture, and this is the first such disclosure of UEFI firmware vulnerabilities related to the arm device ecosystem.

In addition to Lenovo devices Arm-based Microsoft Surface and the Windows Dev Kit 2023 (Project Volterra) computers, as well as Samsung products.

Two types of vulnerabilities were discovered stack-based buffer overflows and out-of-bounds read issues both related to the DXE driver. These can be exploited for a security boot bypass and enable the attacker to gain persistence and to perform arbitrary code execution.

Qualcomm said patches for the vulnerabilities were made available to customers in November 2022 and recommended to apply security updates when they become available from device makers.

Researchers from Binarly plans on disclosing technical details in a blog post scheduled for January 9.