Security researchers have recently scrutinized UEFI and uncovered a set of significant vulnerabilities collectively known as LogoFAIL.
Investigating the firmware for unusual ways to exploit it, they found that UEFI, the modern replacement for the traditional BIOS, is susceptible to failures with wide-ranging impact.
Specifically, the image parsing libraries that system integrators and motherboard vendors embed in their UEFI firmware are vulnerable.
These libraries can be driven into unintended behaviour by specially crafted images that the firmware displays during boot, such as logos and splash banners.
Because the image is parsed while the firmware is still in control, this manipulation effectively circumvents security features like Secure Boot and compromises the operating system that boots afterwards.
Prior Knowledge
Understanding UEFI
UEFI stands for Unified Extensible Firmware Interface, the successor to the old BIOS. It is essentially a compact operating system in its own right: it initializes the hardware and enforces early boot security before handing control to the main operating system.
UEFI firmware is responsible for numerous functions, including CPU frequency, power and thermal management, memory timings and peripheral initialization.
Some UEFI implementations even include network connectivity, so firmware updates can be fetched and applied without an operating system being present.
Unlike BIOS, UEFI offers a consistent visual experience: it renders a logo image early in boot and leaves it on screen throughout firmware initialization and into the operating system's boot phase.
BIOS, by contrast, typically switches screen resolution and resets to text mode before the operating system's display drivers take over.
They're called LogoFAIL vulnerabilities because they arise from flaws in the image parsing libraries embedded in UEFI system firmware.
They are triggered when a malicious logo image is placed in the EFI System Partition (ESP): the firmware parses the image during boot, and a crafted file can turn a parsing bug into execution of an attacker's payload, hijacking the boot process and bypassing protections like Secure Boot and Intel Boot Guard (the logo is read from disk at boot time rather than being part of the signed firmware image those mechanisms verify).
It is important to note that, despite the hype, exploiting these vulnerabilities requires prior access to the system, and with that access, privileges high enough to write to the EFI System Partition or to the UEFI non-volatile variables (NVRAM), i.e. administrator or root.
Consider, for example, ransomware that survives every reimaging attempt after an infrastructure-wide attack.
Code that runs before the operating system has even started loading, let alone loading its defences, is an especially serious threat.
Because LogoFAIL lives in the firmware, it is independent of the operating system installed on top of it: Windows, Linux or something far more esoteric makes no difference.
The implant survives an operating system reinstall, which makes it very resilient to removal attempts.
It's not the first time that firmware has been used as a persistent foothold on a system, as the hard disk firmware implants disclosed some years ago showed, but this is certainly the lowest-effort way of achieving that level of resilience.
Affected vendors have to release updated UEFI images: a firmware update is the only way to patch the image parsing libraries behind the problem, and applying it protects the system against this threat.
Fuzzing UEFI
The researchers who discovered the problem did so by fuzzing the UEFI image parsers, and they acknowledge that, so far, no exploitation in the wild has been reported; the risk remains theoretical.
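To make the class of bug concrete, here is an added illustrative example; it is not Binarly's finding and not any vendor's firmware code. It models a BMP-style boot logo blitter in the shape the article describes (untrusted image header, firmware-owned framebuffer) and places a canary after the framebuffer so the out-of-bounds write is observable. `blit_vulnerable` trusts the header's width, height and pixel offset; `blit_hardened` validates them against the framebuffer and the file length first; `fuzz_hardened` mutates a valid logo with a deterministic PRNG and feeds it to the hardened parser, in the spirit of the fuzzing that found the real bugs. The 26-byte header layout, the 64x32 framebuffer, and every function name are assumptions made for this example only.

```c
/* Added illustrative example: not Binarly's findings nor any vendor's firmware code.
 * A toy BMP-style logo blitter shaped like a firmware image parser. The header
 * layout, framebuffer size and function names are assumptions for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define FB_W 64
#define FB_H 32
#define FB_BYTES (FB_W * FB_H * 4)   /* 32-bit pixels */
#define CANARY_BYTES 512             /* stands in for memory right after the framebuffer */
#define HDR_LEN 26                   /* "BM"(2) fsize(4) reserved(4) pix_off(4) dibsize(4) w(4) h(4) */

/* Framebuffer followed by a canary, so an over-long blit is observable instead of
 * silently corrupting whatever the firmware keeps after the framebuffer. */
static uint8_t g_arena[FB_BYTES + CANARY_BYTES];

uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

typedef struct { uint32_t width, height, pix_off; } LogoHdr;

static bool parse_hdr(const uint8_t *f, size_t len, LogoHdr *h) {
    if (len < HDR_LEN || f[0] != 'B' || f[1] != 'M') return false;
    h->pix_off = rd32(f + 10);
    h->width   = rd32(f + 18);
    h->height  = rd32(f + 22);
    return true;
}

void arena_reset(void) {
    memset(g_arena, 0, FB_BYTES);
    memset(g_arena + FB_BYTES, 0xA5, CANARY_BYTES);
}
bool canary_intact(void) {
    for (size_t i = 0; i < CANARY_BYTES; i++)
        if (g_arena[FB_BYTES + i] != 0xA5) return false;
    return true;
}
uint8_t arena_byte(size_t i) { return g_arena[i]; }

/* VULNERABLE: width, height and pix_off are used straight from the file. Rows are
 * written at the framebuffer stride, so a logo taller or wider than FB_W x FB_H
 * writes past the framebuffer, and nothing checks that pix_off plus the pixel
 * data actually lies inside the file (an out-of-bounds read). */
int blit_vulnerable(const uint8_t *f, size_t len) {
    LogoHdr h;
    if (!parse_hdr(f, len, &h)) return -1;
    const uint8_t *src = f + h.pix_off;
    for (uint32_t y = 0; y < h.height; y++)
        memcpy(g_arena + (size_t)y * FB_W * 4, src + (size_t)y * h.width * 4, (size_t)h.width * 4);
    return 0;
}

/* HARDENED: every header-derived quantity is checked against the framebuffer and
 * the file length before a single byte is copied; `need` cannot wrap because
 * width and height are bounded first. */
int blit_hardened(const uint8_t *f, size_t len) {
    LogoHdr h;
    if (!parse_hdr(f, len, &h)) return -1;
    if (h.width == 0 || h.height == 0 || h.width > FB_W || h.height > FB_H) return -2;
    uint64_t need = (uint64_t)h.width * h.height * 4;
    if (h.pix_off < HDR_LEN || h.pix_off > len || need > len - h.pix_off) return -3;
    const uint8_t *src = f + h.pix_off;
    for (uint32_t y = 0; y < h.height; y++)
        memcpy(g_arena + (size_t)y * FB_W * 4, src + (size_t)y * h.width * 4, (size_t)h.width * 4);
    return 0;
}

/* Constructed sample input: header plus solid 0x7F pixel data for a w x h logo.
 * Returns the file length, or 0 if it would not fit in `cap`. */
size_t make_logo(uint8_t *out, size_t cap, uint32_t w, uint32_t h, uint32_t pix_off) {
    size_t total = (size_t)pix_off + (size_t)w * h * 4;
    if (pix_off < HDR_LEN || total > cap) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)total); wr32(out + 10, pix_off);
    wr32(out + 14, 12); wr32(out + 18, w); wr32(out + 22, h);
    memset(out + pix_off, 0x7F, (size_t)w * h * 4);
    return total;
}

/* Mutation fuzzing: flip a few random header bytes of a valid logo (xorshift32,
 * deterministic) and feed each mutant to the hardened parser. Returns how many
 * mutants were rejected; the canary must be intact afterwards regardless.
 * Buffers are static to keep them off the stack; the function is not re-entrant. */
unsigned fuzz_hardened(unsigned iters, uint32_t seed) {
    static uint8_t file[HDR_LEN + FB_BYTES], m[HDR_LEN + FB_BYTES];
    size_t len = make_logo(file, sizeof file, FB_W, FB_H, HDR_LEN);
    unsigned rejected = 0;
    uint32_t s = seed ? seed : 1;
    for (unsigned i = 0; i < iters; i++) {
        memcpy(m, file, len);
        for (int k = 0; k < 4; k++) {
            s ^= s << 13; s ^= s >> 17; s ^= s << 5;
            m[s % HDR_LEN] ^= (uint8_t)(s >> 24);
        }
        if (blit_hardened(m, len) != 0) rejected++;
    }
    return rejected;
}
```

A logo that is one row taller than the framebuffer is enough to make `blit_vulnerable` write 256 bytes into the canary; `blit_hardened` rejects the same file with `-2`, rejects a pixel offset past the end of the file with `-3`, and accepts the well-formed logo. The same checks (dimensions against the output surface, offsets and sizes against the input length, overflow-safe arithmetic) are what a firmware image parser must do before touching any bytes, because on a real system the "canary" is whatever the firmware keeps next to its buffers.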
This Cyber News was published on securityboulevard.com. Publication date: Tue, 26 Dec 2023 10:43:05 +0000