RESEARCH | February 16, 2023

Adventures in the Platform Security Coordinated Disclosure Circus

IOActive research members continue the work on UEFI security and coordinated disclosure challenges. Platform security is one of the specialized service lines IOActive offers and we have worked with many vendors across the industry.

In a previous blog, IOActive research conducted research on various targets while developing tooling that we believe will help the industry make platform security improvements focused on AMD systems. In that blog we disclosed a number of security issues to ASUS and AMI in an SMM module called SecSMIFlash. This module garnered some attention after Alexander Matrosov (BlackHat USA 2017) demonstrated how the SMI handlers failed to check input pointers with SmmIsBufferOutsideSmmValid(), resulting in CVE-2017-11315.