The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.

The shortcomings, collectively labeled LogoFAIL by Binarly, “can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design.”

Furthermore, they can be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI system partition.


While the issues are not silicon-specific (they impact both x86 and ARM-based devices), they are UEFI- and IBV-specific. The vulnerabilities comprise a heap-based buffer overflow flaw and an out-of-bounds read, details of which are expected to be made public later this week at the Black Hat Europe conference.

Specifically, these vulnerabilities are triggered when the injected images are parsed, leading to the execution of payloads that could hijack the flow and bypass security mechanisms.

“This attack vector can give an attacker an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in an ESP partition or firmware capsule with a modified logo image,” the firmware security company said.

In doing so, threat actors could gain entrenched control over the impacted hosts, resulting in the deployment of persistent malware that can fly under the radar.

It's worth noting that, unlike BlackLotus or BootHole, LogoFAIL doesn't break runtime integrity by modifying the boot loader or a firmware component.

The flaws affect all major IBVs like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making the issue both severe and widespread.

The disclosure marks the first public demonstration of attack surfaces related to graphic image parsers embedded into the UEFI system firmware since 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin presented how a BMP image parser bug could be exploited for malware persistence.

“The types – and sheer volume – of security vulnerabilities discovered […] show pure product security maturity and code quality in general on IBVs reference code,” Binarly noted.

CERT/CC Releases Advisory for LogoFAIL

“Implementation of Unified Extensible Firmware Interface (UEFI) by vendors provides a way to customize logo image displayed during the early boot phase,” the CERT Coordination Center (CERT/CC) said in an advisory.

The security vulnerabilities discovered in the image parsing libraries that provide this capability can be exploited by an attacker with local privileged access to the ESP partition to disable UEFI security features, modify UEFI Boot Order, and deliver stealth firmware bootkits. The issues stem from a lack of validation on attacker-supplied data.

In other words, an adversary first needs to get into a target system by other means – such as an unpatched security flaw – and gain elevated privileges, or use a physical attack vector such as an SPI flash programmer, to inject the malicious logo.

“As these [image] files are processed by executables that run under a high privilege, it is possible to exploit these vulnerabilities in order to access and modify high-privileged UEFI settings of a device,” it further noted. “In some cases, the attacker can use the vendor provided logo customization interface to upload these malicious images.”

Binarly, which released additional technical specifics of the vulnerabilities, said “these [OEM-specific] customization features represent a new attack surface because they allow attackers to modify the logo parsed during system boot and mount data-only attacks.”
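The advisory attributes the flaws to a lack of validation on attacker-supplied data in the firmware's image parsers. The following is an added example, not code from Binarly, CERT/CC or any IBV, of what that validation looks like for the BMP container mentioned above: every header field is bounded against the buffer actually held before it is used, so a logo whose header lies about its dimensions or offsets is rejected instead of driving an out-of-bounds read. The 16384-pixel dimension bound and the error codes are assumptions chosen for this example; the 24/32-bpp restriction is a simplification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Minimal BMP layout: 14-byte file header + 40-byte BITMAPINFOHEADER, all fields little-endian. */
#define BMP_HDR_LEN 54u
#define BMP_MAX_DIM 16384u  /* assumed sane bound for a boot logo; also keeps the size math small */
typedef struct { uint32_t width, height, pixel_off, pixel_bytes; uint16_t bpp; } bmp_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Validate a BMP held in buf[0..buf_len). Returns 0 and fills *out, or a negative code naming the
 * first failed check. Every header field is bounded against buf_len before it is trusted, so a
 * crafted header cannot steer a later read or copy past the end of the buffer. */
int bmp_validate(const uint8_t *buf, size_t buf_len, bmp_info_t *out) {
    if (buf == NULL || out == NULL || buf_len < BMP_HDR_LEN) return -1;
    if (buf[0] != 'B' || buf[1] != 'M') return -2;
    uint32_t file_size = rd32(buf + 2), pixel_off = rd32(buf + 10), info_len = rd32(buf + 14);
    int32_t width = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);
    if (file_size > buf_len) return -3;                     /* header claims more bytes than we hold */
    if (info_len < 40 || info_len > buf_len - 14) return -4;
    if (planes != 1 || compression != 0) return -5;         /* only uncompressed BI_RGB accepted */
    if (bpp != 24 && bpp != 32) return -6;
    if (width <= 0 || height == 0 || height == INT32_MIN) return -7;
    uint32_t abs_h = height < 0 ? (uint32_t)(-height) : (uint32_t)height; /* negative = top-down */
    if ((uint32_t)width > BMP_MAX_DIM || abs_h > BMP_MAX_DIM) return -8;
    /* Rows are padded to 4 bytes; compute in 64-bit so width * bpp cannot wrap around. */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4, pixel_bytes = stride * abs_h;
    if ((uint64_t)pixel_off < 14 + (uint64_t)info_len) return -9;   /* pixel data overlaps headers */
    if (pixel_off > buf_len || pixel_bytes > buf_len - pixel_off) return -10; /* would read OOB */
    out->width = (uint32_t)width; out->height = abs_h; out->bpp = bpp;
    out->pixel_off = pixel_off; out->pixel_bytes = (uint32_t)pixel_bytes;
    return 0;
}

/* Build a constructed 24-bpp w x h BMP into buf, writing claimed_w as the header's width field so a
 * test can lie about dimensions. Returns the true byte count written, or 0 if cap is too small. */
size_t bmp_build(uint8_t *buf, size_t cap, uint32_t w, uint32_t h, uint32_t claimed_w) {
    size_t stride = ((w * 24 + 31) / 32) * 4, total = BMP_HDR_LEN + stride * h;
    if (cap < total) return 0;
    memset(buf, 0, total); buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)total); wr32(buf + 10, BMP_HDR_LEN); wr32(buf + 14, 40);
    wr32(buf + 18, claimed_w); wr32(buf + 22, h); buf[26] = 1; buf[28] = 24;   /* planes=1, bpp=24 */
    return total;
}
```

The interesting case is the second one in the test: the bytes are identical to a valid 4x2 logo except for the width field, and a parser that trusted that field would read roughly 24 KB past a 78-byte buffer.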