Buffer Validation Flaw in Fujitsu BIOS on Lifebook Devices
CVE-2022-28806
7.8 HIGH
What is CVE-2022-28806?
A vulnerability in certain Fujitsu Lifebook devices involves the insecure registration of a Software System Management Interrupt (SWSMI) handler. Because of insufficient validation, an attacker can potentially write fixed data to System Management RAM (SMRAM). This can lead to data corruption and to privilege escalation from ring 0 to ring -2, allowing unauthorized execution of arbitrary code within System Management Mode (SMM). The affected models include A3510, U9310, U7511/U7411/U7311, U9311, E5510, U7510/U7410, U7310, E459, and E449, with specific BIOS version limitations. Timely updates and security measures are essential to mitigate these risks.
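The class of check whose absence lets an SWSMI handler write into SMRAM, shown as an added example (not Fujitsu's code; the page does not show the handler): before storing anything at a caller-supplied address, the handler confirms the destination neither wraps around the address space nor overlaps SMRAM. The SMRAM range, the handler, its status codes and the write stub are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed SMRAM map; real firmware obtains the ranges from the platform. */
typedef struct { uint64_t base, size; } smram_range_t;
static const smram_range_t g_smram[] = { { 0x7F000000ULL, 0x00800000ULL } };

/* True only if [addr, addr+len) is non-empty, does not wrap around the
 * address space, and overlaps no SMRAM range. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || len - 1 > UINT64_MAX - addr)
        return false;                       /* empty or wrapping buffer */
    uint64_t last = addr + (len - 1);
    for (size_t i = 0; i < sizeof g_smram / sizeof g_smram[0]; i++) {
        uint64_t r_last = g_smram[i].base + (g_smram[i].size - 1);
        if (addr <= r_last && last >= g_smram[i].base)
            return false;                   /* any overlap is rejected */
    }
    return true;
}

/* Stand-in for a physical-memory store so the example runs in user space. */
static uint64_t g_last_write = 0;
static void record_write32(uint64_t addr, uint32_t value)
{
    (void)value;
    g_last_write = addr;
}

#define STATUS_OK      0
#define STATUS_DENIED  (-1)

/* Hypothetical SWSMI handler: stores a fixed status word at a
 * caller-supplied address, but only after validating the destination. */
int swsmi_handler(uint64_t dest)
{
    if (!buffer_outside_smram(dest, sizeof(uint32_t)))
        return STATUS_DENIED;
    record_write32(dest, 0x00000001u);
    return STATUS_OK;
}

int main(void)
{
    printf("normal RAM: %d\n", swsmi_handler(0x00100000ULL));
    printf("SMRAM:      %d\n", swsmi_handler(0x7F000010ULL));
    return 0;
}
```

The check must cover the whole span that will be written, not just the first byte, which is why a buffer that starts below SMRAM but runs into it is rejected as well.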
