CVE-2021-28216 Overview
CVE-2021-28216 is a vulnerability in TianoCore EDK II where the BootPerformanceTable pointer is read from an NVRAM variable during the Pre-EFI Initialization (PEI) phase. This flaw allows an attacker with local access to potentially manipulate NVRAM variables to point to arbitrary memory locations, leading to code execution or privilege escalation during the boot process.
Critical Impact
Local attackers can exploit this firmware-level vulnerability to achieve privilege escalation and potentially compromise system integrity during the boot phase, bypassing traditional OS-level security controls.
Affected Products
- TianoCore EDK II (all versions without the patch)
- Systems utilizing EDK II-based UEFI firmware
- Virtual machines and hardware platforms implementing TianoCore EDK II
Discovery Timeline
- 2021-08-05 - CVE-2021-28216 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2021-28216
Vulnerability Analysis
This vulnerability affects the firmware initialization process in TianoCore EDK II, specifically during the Pre-EFI Initialization (PEI) phase. The core issue stems from the firmware reading a BootPerformanceTable pointer directly from an NVRAM variable without proper validation. The associated CWE classifications (CWE-587: Assignment of a Fixed Address to a Pointer and CWE-763: Release of Invalid Pointer or Reference) indicate that the vulnerability involves improper handling of memory pointers.
During the boot process, UEFI firmware relies on NVRAM variables to store configuration data. When the BootPerformanceTable pointer is read from NVRAM without adequate validation, an attacker who can modify NVRAM variables could redirect this pointer to malicious code or sensitive memory regions. This occurs before the operating system loads, meaning traditional security software cannot detect or prevent exploitation.
Root Cause
The root cause is the direct use of an NVRAM-stored pointer value without validation during the PEI phase. The firmware incorrectly trusts the integrity of NVRAM data, failing to verify that the BootPerformanceTable pointer references a legitimate and expected memory location. This violates the security principle that data from persistent storage should be treated as potentially untrusted input. The PcdFirmwarePerformanceDataTableS3Support feature, when enabled, facilitates this vulnerable code path.
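The check the root cause describes as missing can be sketched in C. This is an added example, not EDK II source and not the TianoCore fix. All names, the single 64-bit payload layout, the 8-byte alignment rule and the sample addresses are assumptions for illustration, and the trusted region is assumed to come from firmware state rather than NVRAM.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not EDK II source. */
typedef struct { uint64_t base, size; } region_t;   /* firmware-recorded, not from NVRAM */
typedef enum { PTR_OK, PTR_BAD_SIZE, PTR_NULL, PTR_MISALIGNED,
               PTR_OVERFLOW, PTR_OUT_OF_RANGE } ptr_status_t;

/* Constructed sample input: pack an address the way the variable payload would hold it. */
void make_var(uint64_t addr, uint8_t out[8]) { memcpy(out, &addr, 8); }

/* Treat the variable payload as untrusted bytes and accept the address only if
 * [addr, addr + table_len) lies wholly inside the trusted region. */
ptr_status_t validate_table_ptr(const uint8_t *var, size_t var_len, region_t trusted,
                                uint64_t table_len, uint64_t *out)
{
    uint64_t p;
    if (var == NULL || out == NULL || var_len != sizeof p)
        return PTR_BAD_SIZE;                 /* reject short or oversized payloads */
    memcpy(&p, var, sizeof p);               /* no alignment assumption on the blob */
    if (p == 0)
        return PTR_NULL;
    if (p & 0x7)
        return PTR_MISALIGNED;               /* assumption: table is 8-byte aligned */
    if (table_len == 0 || p + table_len < p ||
        trusted.base + trusted.size < trusted.base)
        return PTR_OVERFLOW;                 /* end address wrapped past 2^64 */
    if (p < trusted.base || p + table_len > trusted.base + trusted.size)
        return PTR_OUT_OF_RANGE;
    *out = p;                                /* only now may the caller dereference */
    return PTR_OK;
}

int main(void)
{
    region_t reserved = { 0x7F000000ULL, 0x10000ULL };   /* constructed values */
    uint64_t samples[] = { 0x7F000100ULL, 0x00100000ULL, 0x7F00FF00ULL,
                           0xFFFFFFFFFFFFFFF8ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t blob[8];
        uint64_t addr = 0;
        make_var(samples[i], blob);
        printf("0x%016llx -> status %d\n", (unsigned long long)samples[i],
               (int)validate_table_ptr(blob, sizeof blob, reserved, 0x200, &addr));
    }
    return 0;
}
```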
Attack Vector
The attack requires local access to the system with sufficient privileges to modify NVRAM variables. An attacker would craft a malicious NVRAM variable containing a pointer to attacker-controlled memory or code. When the system boots and the PEI phase executes, the firmware reads this malicious pointer and follows it, potentially executing arbitrary code with the highest privilege level. This attack persists across reboots since NVRAM variables survive power cycles, making it an attractive vector for firmware implants.
The vulnerability mechanism involves the firmware's BootPerformanceTable handling during PEI initialization. When the system reads performance data from NVRAM storage, the pointer value is used directly without bounds checking or validation. An attacker modifying the NVRAM variable can redirect execution flow to arbitrary memory addresses. For detailed technical analysis, see the TianoCore Bug Report #2957.
Detection Methods for CVE-2021-28216
Indicators of Compromise
- Unexpected modifications to UEFI NVRAM variables, particularly those related to boot performance tables
- Anomalous memory access patterns during the PEI boot phase
- Firmware integrity check failures or unexpected hash mismatches
- Unusual boot-time behavior or delays that could indicate code injection
Detection Strategies
- Implement firmware integrity monitoring solutions that verify UEFI code and configuration integrity
- Deploy hardware security modules (HSM) or TPM-based attestation to detect boot-time tampering
- Monitor system event logs for unauthorized NVRAM variable modifications
- Use SentinelOne Singularity platform's firmware visibility capabilities to detect anomalous boot behavior
Monitoring Recommendations
- Enable Secure Boot and verify its configuration to prevent unauthorized code execution during boot
- Implement continuous firmware monitoring and establish baselines for normal NVRAM variable states
- Configure alerts for any NVRAM variable changes, especially on critical systems
- Perform regular firmware integrity audits comparing against known-good firmware images
How to Mitigate CVE-2021-28216
Immediate Actions Required
- Set PcdFirmwarePerformanceDataTableS3Support to FALSE in firmware configuration as recommended by the vendor
- Apply the latest EDK II firmware updates from your hardware vendor
- Enable Secure Boot and ensure proper key management is in place
- Restrict local access to systems and limit NVRAM modification privileges
Patch Information
TianoCore has addressed this vulnerability in updated releases of EDK II. System administrators should contact their hardware vendors for firmware updates that incorporate the fix. The primary mitigation involves disabling the vulnerable feature by setting PcdFirmwarePerformanceDataTableS3Support to FALSE. Additional details are available in the TianoCore Bug Report #2957. Debian users should also review the Debian LTS Announcement for distribution-specific guidance.
Workarounds
- Disable the S3 performance data table support by setting PcdFirmwarePerformanceDataTableS3Support to FALSE
- Implement physical access controls to prevent unauthorized local access to affected systems
- Use write-protection mechanisms for NVRAM where available in firmware settings
- Consider enabling UEFI Secure Boot with custom keys to establish trust chain integrity
The recommended configuration change to disable the vulnerable feature:
# In EDK II platform configuration (.dsc file)
# Disable S3 performance data table support
[PcdsFeatureFlag]
  gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwarePerformanceDataTableS3Support|FALSE


