Critical LogoFAIL Bugs Offer Secure Boot Bypass for Millions of PCs

Published: 23/11/2024   Category: security

Hundreds of consumer and enterprise-grade x86 and ARM models from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable to bootkits and takeover.
Researchers have uncovered LogoFAIL, a set of critical vulnerabilities present in the Unified Extensible Firmware Interface (UEFI) ecosystem for PCs.
Exploiting the vulnerabilities nullifies essential endpoint security measures and gives attackers deep control over affected systems.
The flaws originate in image-parsing libraries within the boot process, impacting all major device manufacturers on both x86 and ARM-based devices, according to a Binarly Research report that will be officially released at Black Hat Europe in London next week.
The severity of LogoFAIL is exacerbated by its widespread reach, researchers warn, noting that it affects the entire ecosystem, not just individual vendors here and there. The findings were reported via the CERT/CC VINCE system, with anticipated vendor patches scheduled for December 6, in tandem with the Black Hat talk, which is entitled "LogoFAIL: Security Implications of Image Parsing During System."
Binarly researchers found that by embedding malicious images in the EFI System Partition (ESP) or in unsigned sections of firmware updates, threat actors can execute code during boot-up and hijack the boot process.
This exploitation bypasses crucial security measures like Secure Boot and Intel Boot Guard, facilitating the insertion of a persistent firmware bootkit operating beneath the OS level.
"Because the attacker is getting the privileged code execution into the firmware, it's bypassing the security boundaries by design, like a Secure Boot," explains Alex Matrosov, CEO and founder of Binarly. "The Intel Boot Guard and other trusted boot technologies are not extended in runtime, and after the firmware is verified, it just boots further in the system boot flow."
He says the Binarly Research team originally was experimenting with logo modification on one of the Lenovo devices they have in the lab.
"One day, it suddenly started to reboot after showing the boot logo," he says. "We realized that the root cause of the issue was the change of the original logo, which led to a deeper investigation."
He adds, "In this case, we are dealing with continued exploitation with a modified boot logo image, triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded."
This is not the first Secure Boot bypass ever discovered; in November 2022, a firmware flaw was found in five Acer laptop models that could be used to disable Secure Boot and allow malicious actors to load malware; and the BlackLotus or BootHole threats have opened the door to boot process hijacking before. However, Matrosov says that LogoFAIL differs from prior threats because it doesn't break runtime integrity by modifying the bootloader or a firmware component.
In fact, he says LogoFAIL is a data-only attack, occurring when malicious input comes from the firmware image or the logo is read from the ESP partition during the system boot process, and thus it's hard to detect.
"Such an approach with the ESP attack vector leaves zero evidence of the firmware attack inside the firmware itself, since the logo comes from an outside source," he explains.
Devices equipped with firmware from the three major independent BIOS vendors (IBVs), Insyde, AMI, and Phoenix, are susceptible, indicating a potential impact across diverse hardware types and architectures. Between them, the three cover 95% of the BIOS ecosystem, Matrosov says.
In fact, Matrosov says LogoFAIL affects most devices worldwide, including consumer and enterprise-grade PCs from various vendors, among them Acer, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, Supermicro, Fujitsu, and many others.
"The exact list of affected devices is still being determined, but it's crucial to note that all three major IBVs — AMI, Insyde, and Phoenix — are impacted due to multiple security issues related to image parsers they are shipping as a part of their firmware," the Binarly report warned. "We estimate LogoFAIL impacts almost any device powered by these vendors in one way or another."
For its part, Phoenix Technologies published an early security notification this week (now taken down but available as a cache until it goes back up Dec. 6) detailing that the bug (CVE-2023-5058) is present in all versions lower than 1.0.5 of its Phoenix SecureCore Technology 4, a BIOS firmware that provides advanced security features for various devices.
"The flaw exists in the processing of a user-supplied splash screen during system boot, which can be exploited by an attacker who has physical access to the device," according to the notification, which noted that an updated version is available. "By supplying a malicious splash screen, the attacker can cause a denial-of-service attack or execute arbitrary code in the UEFI DXE phase, bypassing the Secure Boot mechanism and compromising the system integrity."
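The mechanism described above (a logo image parsed in the DXE phase, where the header fields drive allocation and copying) and the Phoenix notice's "malicious splash screen" are both instances of one bug class: an image parser that trusts its input. The following is an added example, not Binarly's code, any IBV's firmware, or a reproduction of a specific LogoFAIL CVE. It models a minimal BMP header check for a boot-logo loader: `trusting_pixel_bytes()` does the size math the way an unchecked 32-bit parser would, and `validate_bmp()` is the hardened check a loader should run before touching pixel data. The dimension cap, the 64 MiB allocation budget, the status codes and the three sample headers are all assumptions constructed for this example.

```c
/*
 * Added example (not Binarly's or any vendor's code). Models the bug class
 * the article describes: a splash-screen loader that trusts BMP header
 * fields. Caps, status codes and sample inputs are constructed here.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BMP_HEADERS_LEN      54u          /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define BMP_MAX_DIM          8192         /* assumed sane limit for a boot logo */
#define BMP_MAX_PIXEL_BYTES  (64u << 20)  /* assumed allocation budget: 64 MiB */

enum bmp_status {
    BMP_OK = 0, BMP_ERR_SHORT, BMP_ERR_MAGIC, BMP_ERR_FORMAT,
    BMP_ERR_DIM, BMP_ERR_TOO_BIG, BMP_ERR_OFFSET, BMP_ERR_TRUNCATED
};

typedef struct {
    int32_t width, height; uint16_t bpp; uint32_t data_offset; uint64_t pixel_bytes;
} bmp_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Unchecked path: header fields straight into 32-bit arithmetic. For huge
 * width/height the product wraps, so the "buffer size" becomes tiny while a
 * real parser's row loop would still trust width and height -> heap overflow. */
uint32_t trusting_pixel_bytes(const uint8_t *buf)
{
    uint32_t w = rd32(buf + 18), h = rd32(buf + 22), bpp = rd16(buf + 28);
    uint32_t stride = ((w * bpp + 31u) / 32u) * 4u;   /* rows padded to 4 bytes */
    return stride * h;                                 /* wraps silently */
}

/* Hardened path: every field that feeds an allocation or a copy is checked
 * against the bytes actually present, with the size math done in 64 bits. */
enum bmp_status validate_bmp(const uint8_t *buf, size_t len, bmp_info_t *out)
{
    if (len < BMP_HEADERS_LEN) return BMP_ERR_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;
    if (rd32(buf + 14) != 40u) return BMP_ERR_FORMAT;            /* only BITMAPINFOHEADER */
    uint32_t data_offset = rd32(buf + 10);
    int32_t  w = (int32_t)rd32(buf + 18);
    int32_t  h = (int32_t)rd32(buf + 22);                         /* negative height = top-down */
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    if (planes != 1 || rd32(buf + 30) != 0) return BMP_ERR_FORMAT; /* uncompressed BI_RGB only */
    if (bpp != 24 && bpp != 32) return BMP_ERR_FORMAT;
    if (w <= 0 || w > BMP_MAX_DIM || h == 0 || h > BMP_MAX_DIM || h < -BMP_MAX_DIM) return BMP_ERR_DIM;
    uint64_t rows   = (uint64_t)(h < 0 ? -h : h);
    uint64_t stride = (((uint64_t)w * bpp + 31u) / 32u) * 4u;
    uint64_t pixel_bytes = stride * rows;
    if (pixel_bytes > BMP_MAX_PIXEL_BYTES) return BMP_ERR_TOO_BIG;
    if (data_offset < BMP_HEADERS_LEN || data_offset > len) return BMP_ERR_OFFSET;
    if (pixel_bytes > (uint64_t)(len - data_offset)) return BMP_ERR_TRUNCATED;   /* would read past input */
    if (out) { out->width = w; out->height = h; out->bpp = bpp;
               out->data_offset = data_offset; out->pixel_bytes = pixel_bytes; }
    return BMP_OK;
}

/* Constructed sample headers (not real firmware logos). Writes into buf
 * (SAMPLE_CAP bytes) and returns the total length. */
#define SAMPLE_CAP 128
enum { SAMPLE_BENIGN, SAMPLE_HUGE_DIMS, SAMPLE_TRUNCATED };

size_t build_sample(int which, uint8_t *buf)
{
    int32_t w = 2, h = 2; uint16_t bpp = 24; size_t body = 16;         /* 2 rows x 8-byte stride */
    if (which == SAMPLE_HUGE_DIMS) { w = 0x10000; h = 0x10000; bpp = 32; } /* stride*h wraps to 0 */
    if (which == SAMPLE_TRUNCATED) { w = 100; h = 100; }                /* claims 30000 bytes, carries 16 */
    memset(buf, 0, SAMPLE_CAP);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)(BMP_HEADERS_LEN + body));
    wr32(buf + 10, BMP_HEADERS_LEN);
    wr32(buf + 14, 40u);
    wr32(buf + 18, (uint32_t)w);
    wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1);
    wr16(buf + 28, bpp);
    wr32(buf + 30, 0);                                                  /* BI_RGB */
    return BMP_HEADERS_LEN + body;
}

enum bmp_status validate_sample(int which) { uint8_t b[SAMPLE_CAP]; size_t n = build_sample(which, b); return validate_bmp(b, n, NULL); }
uint32_t trusting_sample(int which)        { uint8_t b[SAMPLE_CAP]; build_sample(which, b); return trusting_pixel_bytes(b); }

int main(void)
{
    const char *names[] = { "benign 2x2x24", "65536x65536x32", "100x100x24 truncated" };
    for (int i = 0; i < 3; i++)
        printf("%-22s trusting alloc=%10lu bytes   hardened verdict=%d\n",
               names[i], (unsigned long)trusting_sample(i), (int)validate_sample(i));
    return 0;
}
```

The huge-dimension sample shows why the data-only framing matters: nothing in the file is invalid at the byte level, yet the unchecked path computes a zero-byte allocation for an image whose row loop would then write 16 GiB. The hardened path rejects it before any allocation, and rejects the truncated header before any copy, which is the property a DXE-phase image loader needs regardless of where the logo came from.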
LogoFAIL is also tracked by Insyde as CVE-2023-40238, and by AMI as CVE-2023-39539 and CVE-2023-39538.
Matrosov says the company is actively collaborating with multiple device vendors to coordinate disclosure and mitigation efforts across the spectrum.
To minimize firmware risk in general, users should stay updated with manufacturer advisories and promptly apply firmware updates, as they often address critical security flaws.
Also, vetting suppliers is a must. "Be picky about the device vendors you rely on daily, as a personal device or devices across your enterprise infrastructure," Matrosov adds. "Don't blindly trust the vendors, but rather validate the vendors' security promises and identify the gaps across your device inventory and beyond."
