LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux.
The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday.
The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix; device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs.
As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running.
Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now.
By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.
From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started.
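The parser bugs described above come down to header fields (declared size, width, height, pixel offset) that the firmware trusts without checking them against the buffer the image actually sits in. The following is an added example, not code from the LogoFAIL researchers or any IBV, of the strict validation a BMP logo parser should perform, plus a scan that carves BMP candidates out of a firmware blob and classifies each one; the MAX_DIM bound, the 24/32-bit-only restriction and the sample logos are assumptions and constructed data.

```python
import struct

MAX_DIM = 4096                 # assumption: no boot logo legitimately exceeds this
ALLOWED_BPP = {24, 32}         # assumption: uncompressed true-colour logos only

def parse_bmp_header(data: bytes) -> dict:
    """Validate a BMP against the buffer it actually sits in; raise ValueError otherwise."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP or truncated header")
    file_size, _, _, pix_off = struct.unpack_from("<IHHI", data, 2)
    dib_size, width, height, planes, bpp, comp, _ = struct.unpack_from("<IiiHHII", data, 14)
    if file_size != len(data):
        raise ValueError("declared file size does not match buffer")
    if dib_size != 40 or planes != 1 or comp != 0 or bpp not in ALLOWED_BPP:
        raise ValueError("unsupported DIB header, compression or depth")
    # Bound the dimensions BEFORE doing arithmetic on them: in a 32-bit C parser the
    # width * bpp product is exactly where an unchecked value wraps to a small number.
    if not (0 < width <= MAX_DIM) or not (0 < abs(height) <= MAX_DIM):
        raise ValueError("image dimensions out of range")
    stride = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    needed = stride * abs(height)                    # height < 0 means top-down rows
    if pix_off < 54 or pix_off > len(data) or needed > len(data) - pix_off:
        raise ValueError("pixel data does not fit inside the file")
    return {"width": width, "height": height, "bpp": bpp, "pixel_offset": pix_off}

def scan_blob_for_bmps(blob: bytes) -> list:
    """Carve every 'BM' candidate out of a firmware image and classify it."""
    results, pos = [], blob.find(b"BM")
    while pos != -1:
        if pos + 6 <= len(blob):
            claimed = struct.unpack_from("<I", blob, pos + 2)[0]
            candidate = blob[pos : pos + min(claimed, len(blob) - pos)]
            try:
                hdr = parse_bmp_header(candidate)
                results.append((pos, "ok", hdr["width"], hdr["height"]))
            except ValueError as err:
                results.append((pos, "rejected", str(err)))
        pos = blob.find(b"BM", pos + 1)
    return results

def make_bmp(width: int, height: int, bpp: int = 24, lie_width: int = None) -> bytes:
    """Constructed sample: a well-formed BMP, optionally with a forged width field."""
    stride = ((width * bpp + 31) // 32) * 4
    pixels = b"\x11" * (stride * height)
    head = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    w = width if lie_width is None else lie_width   # forged width keeps the true file size
    dib = struct.pack("<IiiHHIIiiII", 40, w, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    return head + dib + pixels
```

Run the scan over a dumped SPI flash image (assumption: a plain byte blob) to list which embedded logos pass the checks and which would be rejected by a parser that validated its input.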
Corporate buyers want the ability to display their own logos, and not the logos of the hardware makers.
So the ability has to be in the BIOS, which means that the vulnerabilities aren't being protected by any of the OS's defenses.
The BIOS makers probably pulled some random graphics library off the Internet and never gave it a moment's thought after that.
This Cyber News was published on www.schneier.com. Publication date: Tue, 12 Dec 2023 12:43:05 +0000