
CVE-2022-33905: n/a in n/a

High
Published: Mon Nov 14 2022 (11/14/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

DMA transactions which are targeted at input buffers used by the software SMI handler of the AhciBusDxe driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in kernel 5.2: 05.27.23, kernel 5.3: 05.36.23, kernel 5.4: 05.44.23, kernel 5.5: 05.52.23. https://www.insyde.com/security-pledge/SA-2022047

AI-Powered Analysis

Last updated: 07/02/2025, 03:26:44 UTC

Technical Analysis

CVE-2022-33905 is a high-severity Time-Of-Check to Time-Of-Use (TOCTOU) race condition in the software System Management Interrupt (SMI) handler registered by the AhciBusDxe driver in Insyde's InsydeH2O UEFI firmware. AhciBusDxe manages AHCI (Advanced Host Controller Interface) SATA controllers and exposes a software SMI that runtime code can invoke with an input buffer located in ordinary memory outside SMRAM. The handler reads fields such as lengths and offsets from that buffer, validates them, and then uses them. Because the buffer lies outside SMRAM, a Direct Memory Access (DMA) transaction from a peripheral can rewrite it after the check has passed but before the value is used (a double fetch); the handler then acts on attacker-controlled data and can write outside its intended bounds, corrupting System Management RAM (SMRAM). SMRAM is the memory region reserved for System Management Mode (SMM), the most privileged execution mode on x86, which runs firmware code isolated from and invisible to the operating system and any hypervisor. Corrupting it can give an attacker arbitrary code execution in SMM, bypassing OS- and hypervisor-level security controls. The issue was discovered by Insyde engineering based on a general description from Intel's iSTARE group. The "kernel 5.2 through 5.5" in the description refers to InsydeH2O firmware kernel branches, not the Linux kernel; Insyde fixed it in kernel 5.2 version 05.27.23, 5.3 version 05.36.23, 5.4 version 05.44.23 and 5.5 version 05.52.23 (Insyde advisory SA-2022047), and OEMs deliver these fixes in their own BIOS/UEFI updates. The CVSS 3.1 base score is 7.0: attack vector local, high attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity and availability. The high complexity reflects the need to win the race and to control a DMA-capable device or DMA engine. No exploits are known in the wild. The underlying weakness is CWE-367 (Time-of-check Time-of-use race condition).
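The pattern described above, reduced to a constructed model: a handler that validates a length in a shared, DMA-reachable buffer and then re-reads it for the copy, beside the hardened form that snapshots the buffer into SMRAM once and validates only the copy. This is an added example, not Insyde's or AhciBusDxe's code; the structure names, the simulated SMRAM array and the `dma_hook` callback standing in for a DMA write are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a check-then-use race in a software SMI handler.
 * All names here are hypothetical; the real AhciBusDxe structures are not
 * on the page. A "DMA transaction" is simulated by a callback that rewrites
 * the shared buffer at the point where a real DMA write could land.
 */

#define SCRATCH_SIZE 64          /* bytes the handler is allowed to copy */
#define GUARD_SIZE   16          /* adjacent SMM data that must stay intact */

/* Input buffer in ordinary (non-SMRAM) memory, reachable by DMA. */
typedef struct {
    uint32_t command;
    uint32_t length;             /* payload bytes the caller asks to be copied */
    uint8_t  payload[SCRATCH_SIZE + GUARD_SIZE];
} CommBuffer;

/* Simulated SMRAM: scratch area followed by other SMM data (the "guard"). */
static uint8_t smram[SCRATCH_SIZE + GUARD_SIZE];
static int     last_rc;          /* return value of the most recent handler run */

typedef void (*dma_hook)(CommBuffer *shared);

/* Vulnerable: checks length in the shared buffer, then fetches it again for the copy. */
int smi_handler_vulnerable(CommBuffer *shared, dma_hook dma)
{
    if (shared->length > SCRATCH_SIZE)               /* check */
        return -1;
    if (dma) dma(shared);                            /* DMA write lands between check and use */
    memcpy(smram, shared->payload, shared->length);  /* use: second fetch of length */
    return 0;
}

/* Hardened: copy the whole buffer into SMRAM once, then check and use only the copy. */
int smi_handler_hardened(CommBuffer *shared, dma_hook dma)
{
    CommBuffer local;                                /* SMM stack lives inside SMRAM */
    memcpy(&local, shared, sizeof local);            /* single fetch of every field */
    if (dma) dma(shared);                            /* later DMA writes only hit the shared copy */
    if (local.length > SCRATCH_SIZE)
        return -1;
    memcpy(smram, local.payload, local.length);
    return 0;
}

/* Simulated malicious DMA: enlarge length after it has been validated. */
void dma_enlarge_length(CommBuffer *shared)
{
    shared->length = SCRATCH_SIZE + GUARD_SIZE;
}

/* 1 if any guard byte was written, i.e. SMM data beyond the scratch area was corrupted. */
int guard_corrupted(void)
{
    for (size_t i = SCRATCH_SIZE; i < sizeof smram; i++)
        if (smram[i] != 0)
            return 1;
    return 0;
}

int last_handler_rc(void) { return last_rc; }

/* Run one handler against a fresh buffer and report whether the guard was corrupted. */
int run_scenario(int (*handler)(CommBuffer *, dma_hook), dma_hook dma,
                 uint32_t initial_length)
{
    CommBuffer shared;
    memset(&shared, 0, sizeof shared);
    memset(smram, 0, sizeof smram);
    shared.command = 1;
    shared.length = initial_length;                  /* honest value at check time */
    memset(shared.payload, 0xAA, sizeof shared.payload);
    last_rc = handler(&shared, dma);
    return guard_corrupted();
}

int main(void)
{
    int hit = run_scenario(smi_handler_vulnerable, dma_enlarge_length, 32);
    printf("vulnerable: rc=%d (check passed), guard corrupted=%d\n", last_rc, hit);
    hit = run_scenario(smi_handler_hardened, dma_enlarge_length, 32);
    printf("hardened:   rc=%d, guard corrupted=%d\n", last_rc, hit);
    hit = run_scenario(smi_handler_hardened, NULL, SCRATCH_SIZE + GUARD_SIZE);
    printf("hardened, oversized up front: rc=%d, guard corrupted=%d\n", last_rc, hit);
    return 0;
}
```

The snapshot in the hardened handler is itself not atomic against DMA, so a write during the copy can produce a torn image; that is acceptable, because the handler validates exactly the bytes it copied and never touches the shared buffer again. A real SMI handler also has to verify that the buffer pointer and length describe a region entirely outside SMRAM before copying (in EDK II this is what `SmmIsBufferOutsideSmmValid` checks), which the model above does not simulate.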

Potential Impact

For European organizations, this vulnerability poses a significant risk to PCs, workstations and servers whose UEFI firmware is built on affected InsydeH2O kernels and includes the AhciBusDxe driver, including systems in critical infrastructure. Successful exploitation yields arbitrary code execution in SMM, the most privileged mode on the platform, which can bypass OS and hypervisor security mechanisms and implant a firmware-level backdoor that survives OS reinstallation and disk replacement. The resulting loss of confidentiality and integrity matters most where sensitive data is processed, such as finance, healthcare, government and critical infrastructure. Availability is also at stake, since corrupting SMRAM can crash or hang the platform. Exploitation requires local, low-privileged access plus a way to issue DMA against the handler's input buffer, for example through a malicious or compromised PCIe or Thunderbolt device or a DMA engine the attacker can program; an insider, or an attacker who has already compromised a low-privileged account on the host, could use the flaw to escalate from there to firmware-level control. The absence of known exploits in the wild suggests limited active exploitation so far, but the persistence and stealth of SMM-level compromise warrant prompt remediation.

Mitigation Recommendations

European organizations should prioritize the following mitigations: 1) Apply the BIOS/UEFI updates from your hardware vendor that incorporate the fixed InsydeH2O kernel versions (kernel 5.2: 05.27.23, 5.3: 05.36.23, 5.4: 05.44.23, 5.5: 05.52.23); this is a firmware fix delivered by the OEM, not a Linux kernel patch. 2) Inventory firmware versions across the fleet (for example from the SMBIOS BIOS record via dmidecode on Linux or Win32_BIOS on Windows) and confirm with each OEM which of their releases carries the fix for CVE-2022-33905 / Insyde SA-2022047. 3) Enable DMA protection so peripherals cannot write to arbitrary memory: turn on the IOMMU (Intel VT-d or AMD-Vi) and any pre-boot DMA protection option in firmware setup, enable Kernel DMA Protection on Windows, and restrict Thunderbolt and PCIe hot-plug to trusted devices; this removes the attacker's ability to race the handler even on unpatched firmware. 4) Restrict and monitor local access to systems, since exploitation requires a local foothold, and audit for unauthorized privilege escalation attempts. 5) Use measured boot with TPM-backed attestation to detect firmware that differs from the expected image, and periodically run firmware assessment tools such as CHIPSEC; conventional EDR runs below SMM's privilege level and cannot observe SMI handler execution directly. 6) Educate IT staff about firmware-level vulnerabilities and the need to treat BIOS updates with the same urgency as OS patches. These steps focus on firmware-specific controls, DMA protection, local access restriction and integrity monitoring tailored to the nature of this vulnerability.


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-06-17T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983ac4522896dcbed86d

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 7/2/2025, 3:26:44 AM

Last updated: 8/9/2025, 5:15:14 AM

Views: 9
