December 1, 2023 at 12:19PM
Security researchers uncovered LogoFAIL, a set of vulnerabilities in the image parsers of UEFI firmware that can be exploited to deliver bootkits and bypass security checks during boot, affecting a wide range of devices across x86 and ARM architectures. Many consumer and enterprise devices from major manufacturers and UEFI vendors could be vulnerable, threatening the integrity of the boot process.
**Meeting Takeaways – LogoFAIL Vulnerability**
1. **Issue Summary**:
– Multiple security vulnerabilities, collectively named LogoFAIL, affect UEFI image-parsing components from various vendors.
– These vulnerabilities are potentially exploitable during the booting process to deliver bootkits.
– They exist in image parsing libraries used for displaying logos and affect both x86 and ARM architectures.
2. **Impact and Method**:
– LogoFAIL abuses the firmware's branding (logo display) functionality: a crafted image file injected into the EFI System Partition (ESP) can potentially lead to execution of a malicious payload when the firmware parses it.
– The boot process could be hijacked in a way that evades security mechanisms such as Secure Boot and hardware-based Verified Boot.
– Malware persistence at the firmware level can be achieved without modifying the bootloader or the firmware itself, unlike methods seen in other vulnerabilities such as BootHole or the BlackLotus bootkit.
3. **Discovery**:
– LogoFAIL vulnerabilities were discovered during a research project on image-parsing attack surfaces in UEFI firmware.
– An attacker can plant a malicious image or logo on the ESP or in unsigned firmware update sections.
4. **Vulnerability Exploitation Demonstrated**:
– A demonstration consisted of running a PoC script and rebooting; after the reboot, an arbitrary file had been created on the system.
5. **Scope and Impact**:
– Binarly reports that hundreds of devices from vendors such as Intel, Acer, and Lenovo may be vulnerable.
– The UEFI firmware providers AMI, Insyde, and Phoenix also have potentially affected products.
6. **Current Status**:
– The exact extent of LogoFAIL's impact is still under investigation, but a significant number of consumer and enterprise-grade devices are at risk.
7. **Disclosure and Upcoming Presentation**:
– Findings have been disclosed to affected device vendors and UEFI providers.
– Full technical details are to be presented at the Black Hat Europe security conference on December 6 in London.
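Because the persistence method described in items 2 and 3 relies on an image file planted on the ESP rather than on a modified bootloader or firmware image, a defender's most direct check is an inventory of the ESP itself. The following is an added example written for this post, not code from Binarly or from the vendors named above: it hashes every file under a mounted ESP, flags files that carry an image signature, and diffs the result against a known-good baseline. The set of image magic bytes is an assumption; the post does not name the formats the parsers handle.

```python
"""Baseline-and-diff check for image files on a mounted EFI System Partition (ESP).

Added example, not from the LogoFAIL research. Persistence via a planted logo leaves
the bootloader and firmware untouched, so the ESP contents themselves are what to watch.
"""
import hashlib
import os

# Assumed formats of interest; the post itself does not list which formats the parsers accept.
IMAGE_MAGIC = {
    b"BM": "bmp",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}


def image_kind(data: bytes):
    """Return the image type if the leading bytes match a known signature, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inventory_esp(root: str) -> dict:
    """Walk the ESP mount point; record sha256 and detected image kind for every file."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "image": image_kind(data[:16]),
            }
    return entries


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files; any added/modified image file is flagged."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current
                     if p in baseline and current[p]["sha256"] != baseline[p]["sha256"])
    suspicious_images = sorted(p for p in added + changed if current[p]["image"])
    return {"added": added, "removed": removed, "changed": changed,
            "suspicious_images": suspicious_images}
```

Take the baseline from a freshly provisioned machine (or a trusted firmware update) and re-run `inventory_esp` periodically; a newly appearing or modified image file on the ESP is exactly the artifact this class of attack needs.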