VU#211341: A vulnerability in Insyde H2O UEFI application allows for digital certificate injection via NVRAM variable
A vulnerability in Insyde H2O UEFI firmware allows digital certificate injection through an unprotected NVRAM variable. This issue arises from the unsafe use of an NVRAM variable, which is used as trusted storage for a digital certificate in the trust validation chain. An attacker can store their own certificate in this variable and subsequently run arbitrary firmware during the early boot process within the UEFI environment. UEFI applications must be signed and verified for execution under Secure Boot, and signatures can originate from the OEM or from entries in the system's signature database. The vulnerability was identified due to the use of an untrusted NVRAM variable, SecureFlashCertData, to store and exchange public keys. Because this NVRAM variable is not protected, it can be updated at runtime, allowing an attacker to inject their own keys. To mitigate this vulnerability, affected UEFI modules must be updated via vendor-provided firmware updates. Firmware security analysis tools can also inspect affected variables in firmware images to assess exposure to this vulnerability. An attacker with the ability to modify the SecureFlashCertData NVRAM variable at runtime can use it to inject their digital certificate and bypass Secure Boot. This allows unsigned or malicious code to run before the OS loads, potentially installing persistent malware or kernel rootkits that survive reboots and OS reinstallations.