LogoFAIL attack can install UEFI bootkits through bootup logos

December 1, 2023 at 12:19PM

Security researchers uncovered LogoFAIL vulnerabilities in UEFI firmware’s image parsers that can be exploited to deliver bootkits and bypass security during boot, affecting a wide range of devices across x86 and ARM architectures. Many consumer and enterprise devices from major manufacturers and UEFI vendors could be vulnerable, threatening boot process integrity.

**Meeting Takeaways – LogoFAIL Vulnerability**

1. **Issue Summary**:
– Multiple security vulnerabilities named LogoFAIL affect UEFI image-parsing components from various vendors.
– These vulnerabilities are potentially exploitable during the booting process to deliver bootkits.
– They exist in image parsing libraries used for displaying logos and affect both x86 and ARM architectures.

2. **Impact and Method**:
– LogoFAIL abuses the firmware's logo-branding feature: a malicious image file injected into the EFI System Partition (ESP) can lead to execution of a malicious payload when the firmware parses it.
– The boot process can be hijacked, evading security mechanisms such as Secure Boot and hardware-based Verified Boot.
– Malware persistence is achieved through the firmware's boot path without modifying the bootloader or the firmware itself, unlike methods seen in other vulnerabilities such as BootHole or the BlackLotus bootkit.

3. **Discovery**:
– LogoFAIL vulnerabilities were discovered during a research project on image-parsing attack surfaces in UEFI firmware.
– An attacker can plant a malicious image or logo on the ESP or in unsigned firmware update sections.
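Because the planted image is an ordinary file on the ESP, one defensive check a practitioner can run is to enumerate every image-format file on the mounted ESP by its magic bytes (not its extension) and compare the hashes against the logos the OEM is known to ship. The script below is an added example, not code from the article or from Binarly; it builds a constructed sample ESP tree in a temporary directory, and the allowlist of expected logo hashes is an assumption the operator would have to populate from a known-good system.

```python
import hashlib
import os
import tempfile

# Magic-byte signatures for the image formats UEFI logo parsers commonly handle.
IMAGE_SIGNATURES = {
    "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
}

# Constructed sample vendor logo (assumption: in practice, hash the OEM's real logo files).
SAMPLE_LOGO = b"BM" + b"\x00" * 30


def sniff_image_type(header: bytes):
    """Return the image format implied by the leading bytes, or None if not an image."""
    for fmt, signatures in IMAGE_SIGNATURES.items():
        if any(header.startswith(sig) for sig in signatures):
            return fmt
    return None


def scan_esp(root: str, allowlist=None):
    """Walk a mounted ESP and report every image file, flagging hashes not on the allowlist.

    Detection is by magic bytes, so an image renamed to .bin or .efi is still found.
    """
    allowed = set(allowlist or ())
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable entries are skipped, not treated as findings
            fmt = sniff_image_type(data[:16])
            if fmt is None:
                continue
            digest = hashlib.sha256(data).hexdigest()
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "format": fmt,
                "sha256": digest,
                "expected": digest in allowed,
            })
    return sorted(findings, key=lambda r: r["path"])


def build_sample_esp(root: str) -> None:
    """Populate `root` with a constructed sample ESP layout for demonstration only."""
    os.makedirs(os.path.join(root, "EFI", "BOOT"), exist_ok=True)
    os.makedirs(os.path.join(root, "EFI", "OEM"), exist_ok=True)
    # A PE-style stub standing in for a bootloader: not an image, must be ignored.
    with open(os.path.join(root, "EFI", "BOOT", "BOOTX64.EFI"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    # The vendor's expected logo.
    with open(os.path.join(root, "EFI", "OEM", "logo.bmp"), "wb") as f:
        f.write(SAMPLE_LOGO)
    # A PNG hidden behind a non-image extension and absent from the allowlist.
    with open(os.path.join(root, "EFI", "OEM", "update.bin"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 24)


def demo():
    """Build the constructed sample ESP in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="esp-sample-")
    build_sample_esp(root)
    allowlist = [hashlib.sha256(SAMPLE_LOGO).hexdigest()]
    return scan_esp(root, allowlist)


if __name__ == "__main__":
    for finding in demo():
        status = "expected" if finding["expected"] else "UNEXPECTED"
        print(f"{status:10} {finding['format']:4} {finding['path']}  {finding['sha256'][:16]}")
```

On a real system, point `scan_esp` at the mounted ESP (for example `/boot/efi` on many Linux distributions) and seed the allowlist from a freshly provisioned machine; any unexpected image, especially one without an image extension, is worth investigating alongside the firmware vendor's LogoFAIL advisory.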

4. **Vulnerability Exploitation Demonstrated**:
– A demonstration included running a PoC script and rebooting, which created an arbitrary file on the system.

5. **Scope and Impact**:
– Binarly reports that hundreds of devices from vendors such as Intel, Acer, and Lenovo may be vulnerable.
– Custom UEFI firmware code providers AMI, Insyde, and Phoenix also have products potentially affected.

6. **Current Status**:
– The exact extent of LogoFAIL’s impact is still under investigation, but a significant number of consumer and enterprise-grade devices are at risk.

7. **Disclosure and Upcoming Presentation**:
– Findings have been disclosed to affected device vendors and UEFI providers.
– Full technical details are to be presented at the Black Hat Europe security conference on December 6 in London.
