UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

December 1, 2023 at 03:15PM

Security experts have found vulnerabilities in major firmware vendors’ UEFI systems, named “LogoFail,” which could allow attackers to deliver bootkits through unsecured BIOS image parsers, affecting many consumer and enterprise devices. This threat is undetectable by current security measures and impacts major IBVs and brands across x86 and ARM platforms. Details will be presented at Black Hat Europe.

Meeting Takeaways:

1. Vulnerabilities Discovered: Security researchers from Binarly have identified widespread vulnerabilities in UEFI system firmware affecting both consumer and enterprise devices. These vulnerabilities particularly impact the image parsers used in the BIOS firmware from major vendors.

2. Vulnerability Mechanism: The identified flaw, named “LogoFail,” allows attackers to bypass security measures such as Secure Boot and Intel Boot Guard using malicious image files that are loaded during the device’s boot process. This could be used to deploy bootkits or other malicious payloads with persistence.

3. Scope of Impact: The vulnerabilities affect several firmware vendors, including the three major independent BIOS vendors (AMI, Insyde, and Phoenix) and devices from companies like Intel, Acer, and Lenovo. A wide range of devices, including those with x86 and ARM architectures, are potentially vulnerable.

4. Exploitation Technique: Attackers can exploit this by injecting a crafted image into the EFI system partition, which when parsed enables the delivery of malicious code during runtime, after the integrity and security checks are performed.

5. Significance of Exploit: The researchers emphasize that these vulnerabilities pose a more serious threat than previous exploits like BlackLotus, as they allow for continued exploitation without altering bootloader or firmware components’ integrity.

6. Devices Affected: The exact list of affected devices is still being determined, but it is significant that all major independent BIOS vendors are impacted.

7. Public Disclosure: Detailed findings regarding the vulnerabilities will be presented at Black Hat Europe in London on December 6, including a demonstration of how the vulnerabilities can be exploited in a simplified three-step process.

8. Historical Context: The industry has not seen public documentation of attacks utilizing image parsers since a 2009 presentation at Black Hat USA. However, the number of image parsers has since increased, expanding the potential attack surface.

9. Immediate Action Required: It is crucial for vendors and device manufacturers to assess their exposure to these vulnerabilities and take appropriate steps to safeguard their systems and devices. The pending full disclosure at Black Hat Europe highlights the urgency for industry-wide attention to this security risk.

Full Article