UEFI vulnerabilities: The Far-Reaching Consequences of LogoFAIL

BoerenkoolMetWorst · Dec 2, 2023

What is LogoFAIL?

LogoFAIL is a newly discovered set of security vulnerabilities affecting different image parsing libraries used in the system firmware by various vendors during the device boot process. These vulnerabilities are present in most cases inside IBVs (Independent BIOS vendor) reverence code, impacting not a single vendor but the entire ecosystem across this reference code and device vendors where it is used (See "The Firmware Supply-Chain Security is Broken: Can we fix it?").

One of the most important discoveries is that LogoFAIL is not silicon-specific and can impact x86 and ARM-based devices. LogoFAIL is UEFI and IBV-specific because of the specifics of vulnerable image parsers that have been used. That shows a much broader impact from the perspective of the discoveries that will be presented on Dec 6th.
Click to expand...

https://binarly.io/posts/The_Far_Reaching_Consequences_of_LogoFAIL/index.html

waking · Dec 8, 2023

Windows and Linux devices vulnerable to new LogoFAIL firmware attack

Dan Goodin - 12/6/2023, 10:02 AM

https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/

"Hundreds of Windows and Linux computer models from virtually all hardware makers are
vulnerable to a new attack that executes malicious firmware early in the boot-up
sequence, a feat that allows infections that are nearly impossible to detect or remove
using current defense mechanisms."

...

"The affected parties are releasing advisories that disclose which of their products are
vulnerable and where to obtain security patches. Links to advisories and a list of
vulnerability designations appears at the end of this article."

reasonablePrivacy · Dec 10, 2023

Adversary needs physical or complete remote access to an administrator or root account on computer to perform this. In first case it is serious issue significantly increasing risk of leaving computer without physical security unattended. For the remaining second case you are already p0wned by something else, so it mostly adds additional persistence.

BoerenkoolMetWorst · Dec 11, 2023

reasonablePrivacy said: ↑

Adversary needs physical or complete remote access to an administrator or root account on computer to perform this. In first case it is serious issue significantly increasing risk of leaving computer without physical security unattended. For the remaining second case you are already p0wned by something else, so it mostly adds additional persistence.
Click to expand...

Not necessarily. A BIOS update can be modified to include an image in the unsigned section of the update, leaving the signed section intact so the modified BIOS update will install without any problems. Given that it's not really possible to verify if a BIOS update is authentic (unless you're an expert), there are enough ways to serve modified updates to users to abuse these vulnerabilities:

The vulnerabilities allow attackers to store malicious logo images either on the EFI System Partition (ESP) or inside unsigned sections of a firmware update. When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-based Secure Boot).

This attack vector can give an attacker an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in an ESP partition or firmware capsule with a modified logo image. Technically, from a high-level perspective, the attack can be simplified into three steps.
Click to expand...

Though of course there are enough ways to compromise users machine/data without having a stealth firmware bootkit for additional persistence.

reasonablePrivacy · Dec 12, 2023

BoerenkoolMetWorst said: ↑

Not necessarily. A BIOS update can be modified to include an image in the unsigned section of the update, leaving the signed section intact so the modified BIOS update will install without any problems. Given that it's not really possible to verify if a BIOS update is authentic (unless you're an expert),
Click to expand...

I assume that user downloads UEFI update from trusted sources: laptop/motherboard vendor site or LVFS through https. Of course there is a possibility that server hosting updates becomes compeomised and during that period indeed computers can become infected

Log in or Sign up

UEFI vulnerabilities: The Far-Reaching Consequences of LogoFAIL

BoerenkoolMetWorst Registered Member

waking Registered Member

reasonablePrivacy Registered Member

BoerenkoolMetWorst Registered Member

reasonablePrivacy Registered Member

Log in or Sign up

UEFI vulnerabilities: The Far-Reaching Consequences of LogoFAIL

BoerenkoolMetWorst Registered Member

waking Registered Member

reasonablePrivacy Registered Member

BoerenkoolMetWorst Registered Member

reasonablePrivacy Registered Member

Useful Searches