Critical 'LogoFAIL' Bugs Offer Secure Boot Bypass for Millions of PCs

Researchers have uncovered "LogoFAIL," a set of critical vulnerabilities present in the Unified Extensible Firmware Interface (UEFI) ecosystem for PCs. Exploitation of the vulnerabilities nullifies essential endpoint security measures and provides attackers with deep control over affected systems. The flaws originate in image-parsing libraries within the boot process, impacting all major device manufacturers on both x86 and ARM-based devices, according to a Binarly Research report that will be officially released at Black Hat Europe in London next week.

Hijacking the Boot Process With LogoFAIL

Binarly researchers found that by embedding compromised images in the EFI System Partition (ESP) or in unsigned firmware update sections, threat actors can execute malicious code during boot-up, enabling them to hijack the boot process. This exploitation bypasses crucial security measures like Secure Boot and Intel Boot Guard, facilitating the insertion of a persistent firmware bootkit operating beneath the OS level.

"Because the attacker is getting the privileged code execution into the firmware, it's bypassing the security boundaries by design, like a Secure Boot," explains Alex Matrosov, CEO and founder of Binarly. "The Intel Boot Guard and other trusted boot technologies are not extended in runtime, and after the firmware is verified, it just boots further in the system boot flow."

"One day, it suddenly started to reboot after showing the boot logo," he says. He adds, "In this case, we are dealing with continued exploitation with a modified boot logo image, triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded."
This is not the first Secure Boot bypass ever discovered: in November 2022, a firmware flaw was found in five Acer laptop models that could be used to disable Secure Boot and allow malicious actors to load malware, and the BlackLotus and BootHole threats have opened the door to boot process hijacking before. Matrosov says that LogoFAIL differs from prior threats because it doesn't break runtime integrity by modifying the bootloader or a firmware component. He says LogoFAIL is a data-only attack, occurring when malicious input comes from the firmware image or when the logo is read from the ESP during the system boot process, and thus it's hard to detect. "Such an approach with the ESP attack vector leaves zero evidence of the firmware attack inside the firmware itself, since the logo comes from an outside source," he explains.

Majority of the PC Ecosystem Is Vulnerable

Devices equipped with firmware from the three major independent BIOS vendors (IBVs), Insyde, AMI, and Phoenix, are susceptible, indicating a potential impact across diverse hardware types and architectures. Matrosov says LogoFAIL affects "most devices worldwide," including consumer and enterprise-grade PCs from various vendors, among them Acer, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, Supermicro, Fujitsu, and "many others."

"The exact list of affected devices is still being determined, but it's crucial to note that all three major IBVs - AMI, Insyde, and Phoenix - are impacted due to multiple security issues related to image parsers they are shipping as a part of their firmware," the Binarly report warned. "We estimate LogoFAIL impacts almost any device powered by these vendors in one way or another."

For its part, Phoenix Technologies published an early security notification this week detailing that the bug is present in all versions lower than 1.0.5 of its Phoenix SecureCore Technology 4, a BIOS firmware that provides advanced security features for various devices.
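Because the ESP attack vector leaves no trace inside the firmware image itself, the place a defender can still look is the ESP. The following added example (not Binarly's tooling or code from the article) inventories a mounted ESP by image magic bytes rather than file extension, hashes every image it finds, and reports images that are new or changed relative to an earlier baseline; the directory layout, file names, and byte contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Magic bytes of the image formats that UEFI boot-logo parsers commonly handle.
IMAGE_MAGIC = {
    b"BM": "bmp",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

def sniff_image(data: bytes):
    """Classify a file by its leading bytes; the extension is deliberately ignored."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def inventory_esp(root):
    """Walk an ESP mount point and SHA-256 every file that looks like an image."""
    found = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        kind = sniff_image(data)
        if kind is not None:
            rel = path.relative_to(root).as_posix()
            found[rel] = (kind, hashlib.sha256(data).hexdigest())
    return found

def diff_against_baseline(baseline, current):
    """Alert on images that were not in the baseline or whose content changed."""
    alerts = []
    for rel, (kind, digest) in current.items():
        if rel not in baseline:
            alerts.append(f"NEW image ({kind}): {rel}")
        elif baseline[rel][1] != digest:
            alerts.append(f"MODIFIED image ({kind}): {rel}")
    return alerts

def demo():
    """Constructed ESP: take a baseline, then simulate a replaced logo and a hidden PNG."""
    with tempfile.TemporaryDirectory() as esp:
        vendor = Path(esp, "EFI", "vendor")   # hypothetical vendor directory
        vendor.mkdir(parents=True)
        (vendor / "logo.bmp").write_bytes(b"BM" + b"\x00" * 60)
        baseline = inventory_esp(esp)
        (vendor / "logo.bmp").write_bytes(b"BM" + b"\x01" * 60)          # content changed
        Path(esp, "EFI", "boot.cfg").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 30)  # PNG under a non-image name
        return diff_against_baseline(baseline, inventory_esp(esp))
```

In practice the baseline would be captured right after a trusted firmware update and stored off the device, and a deleted baseline image (not covered here) is also worth alerting on.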
"The flaw exists in the processing of user-supplied splash screen during system boot, which can be exploited by an attacker who has physical access to the device," according to the notification, which noted that an updated version is available. "By supplying a malicious splash screen, the attacker can cause a denial-of-service attack or execute arbitrary code in the UEFI DXE phase, bypassing the Secure Boot mechanism and compromising the system integrity."

Firmware Updates Key to Minimizing Risk

To minimize firmware risk in general, users should stay updated with manufacturer advisories and promptly apply firmware updates, as they often address critical security flaws.

This Cyber News was published on www.darkreading.com. Publication date: Fri, 01 Dec 2023 21:00:22 +0000

