The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.
The shortcomings, collectively labeled LogoFAIL by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design."
Furthermore, they can be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI system partition.
While the issues are not silicon-specific, meaning they impact both x86 and ARM-based devices, they are also UEFI and IBV-specific. The vulnerabilities comprise a heap-based buffer overflow flaw and an out-of-bounds read, details of which are expected to be made public later this week at the Black Hat Europe conference.
Specifically, these vulnerabilities are triggered when the injected images are parsed, leading to the execution of payloads that could hijack the flow and bypass security mechanisms.
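The two bug classes named above (an out-of-bounds read and a heap-based buffer overflow in an image parser) both come from trusting sizes declared inside the image file instead of the bytes actually present. The following is an added example, not Binarly's research code and not any IBV's parser: a minimal BMP header validator in C that bounds every declared field against the buffer length and a policy limit before any pixel data is read or allocated. The `MAX_LOGO_DIM` limit, the helper names and the constructed sample headers are assumptions for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BMP_FILE_HEADER_SIZE 14u
#define BMP_INFO_HEADER_SIZE 40u
#define MAX_LOGO_DIM 4096          /* assumed policy limit for a boot logo (example value) */

typedef struct { uint32_t width, height, bpp, data_offset, row_bytes; } bmp_info_t;

/* Little-endian field accessors; all reads stay inside the header region checked below. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Validate a BMP (BITMAPINFOHEADER, uncompressed 24/32 bpp) against the bytes actually supplied.
 * Returns 0 on success, a negative code on rejection. Never reads past buf + len, and never
 * lets a header-declared size drive an allocation or copy larger than the input. */
int bmp_validate(const uint8_t *buf, size_t len, bmp_info_t *out) {
    if (buf == NULL || out == NULL || len < BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE) return -1;
    if (buf[0] != 'B' || buf[1] != 'M') return -2;

    uint32_t declared_size = rd32(buf + 2);
    uint32_t data_offset   = rd32(buf + 10);
    uint32_t dib_size      = rd32(buf + 14);
    int32_t  width         = (int32_t)rd32(buf + 18);
    int32_t  height        = (int32_t)rd32(buf + 22);   /* negative means top-down rows */
    uint16_t planes        = rd16(buf + 26);
    uint16_t bpp           = rd16(buf + 28);
    uint32_t compression   = rd32(buf + 30);

    if (declared_size > len) return -3;                 /* header claims more bytes than we were given */
    if (dib_size < BMP_INFO_HEADER_SIZE) return -4;
    if (planes != 1 || compression != 0) return -5;     /* only uncompressed BI_RGB accepted */
    if (bpp != 24 && bpp != 32) return -6;
    if (width <= 0 || width > MAX_LOGO_DIM) return -7;
    if (height == 0 || height > MAX_LOGO_DIM || height < -MAX_LOGO_DIM) return -7;

    uint32_t abs_h = (height < 0) ? (uint32_t)(-height) : (uint32_t)height;
    /* Row stride padded to 4 bytes; dimensions are already bounded, so this cannot overflow. */
    uint32_t row_bytes = (((uint32_t)width * (bpp / 8u)) + 3u) & ~3u;
    uint64_t pixel_bytes = (uint64_t)row_bytes * abs_h;

    if (data_offset < BMP_FILE_HEADER_SIZE + dib_size) return -8;   /* pixel offset inside the headers */
    if ((uint64_t)data_offset + pixel_bytes > len) return -9;       /* pixel data would run past the buffer */

    out->width = (uint32_t)width; out->height = abs_h; out->bpp = bpp;
    out->data_offset = data_offset; out->row_bytes = row_bytes;
    return 0;
}

/* Constructed sample header (hypothetical logo) for the demonstrations below. */
static void build_header(uint8_t *buf, int32_t w, int32_t h, uint32_t file_size, uint32_t data_offset) {
    memset(buf, 0, BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, file_size);
    wr32(buf + 10, data_offset);
    wr32(buf + 14, BMP_INFO_HEADER_SIZE);
    wr32(buf + 18, (uint32_t)w);
    wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1);
    wr16(buf + 28, 24);
    wr32(buf + 30, 0);
}

/* A well-formed 2x2 24bpp image: 54 header bytes + 2 rows of 8 bytes = 70 bytes. Returns 1 if accepted. */
int demo_well_formed(void) {
    uint8_t buf[70] = {0}; bmp_info_t info;
    build_header(buf, 2, 2, 70, 54);
    return (bmp_validate(buf, sizeof buf, &info) == 0 && info.row_bytes == 8) ? 1 : 0;
}
/* Header claims 4096x4096 pixels but only 70 bytes exist: the case an unbounded parser would read past. */
int demo_lying_dimensions(void) {
    uint8_t buf[70] = {0}; bmp_info_t info;
    build_header(buf, 4096, 4096, 70, 54);
    return bmp_validate(buf, sizeof buf, &info);       /* -9 */
}
/* Pixel offset pointing back into the header region. */
int demo_offset_in_header(void) {
    uint8_t buf[70] = {0}; bmp_info_t info;
    build_header(buf, 2, 2, 70, 10);
    return bmp_validate(buf, sizeof buf, &info);       /* -8 */
}
/* Declared file size larger than the buffer handed to the parser. */
int demo_declared_size_too_big(void) {
    uint8_t buf[70] = {0}; bmp_info_t info;
    build_header(buf, 2, 2, 1000, 54);
    return bmp_validate(buf, sizeof buf, &info);       /* -3 */
}

int main(void) {
    printf("well-formed accepted: %d\n", demo_well_formed());
    printf("lying dimensions: %d, offset in header: %d, oversized declared size: %d\n",
           demo_lying_dimensions(), demo_offset_in_header(), demo_declared_size_too_big());
    return 0;
}
```

The design point is that every quantity used for a later read, copy or allocation (`row_bytes`, `pixel_bytes`, `data_offset`) is derived only after the declared fields have been bounded by `len` and by a fixed policy limit, so a crafted header cannot steer the parser outside the buffer it was given.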
"This attack vector can give an attacker an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in an ESP partition or firmware capsule with a modified logo image," the firmware security company said.
In doing so, threat actors could gain entrenched control over the impacted hosts, resulting in the deployment of persistent malware that can fly under the radar.
Unlike BlackLotus or BootHole, it is worth noting that LogoFAIL does not break runtime integrity by modifying the boot loader or firmware component.
The flaws affect all major IBVs like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making it both severe and widespread.
The disclosure marks the first public demonstration of attack surfaces related to graphic image parsers embedded into the UEFI system firmware since 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin presented how a BMP image parser bug could be exploited for malware persistence.
"The types – and sheer amount – of security vulnerabilities discovered […] show pure product security maturity and code quality in general on IBVs reference code," Binarly noted.