The Unified Extensible Firmware Interface (UEFI) code from numerous independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks via high-impact flaws in image parsing libraries embedded into the firmware.
The shortcomings, collectively labeled LogoFAIL by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design."
Moreover, they can be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI system partition.
While the issues are not silicon-specific, meaning they impact both x86 and ARM-based devices, they are also UEFI and IBV-specific. The vulnerabilities comprise a heap-based buffer overflow flaw and an out-of-bounds read, details of which are expected to be made public later this week at the Black Hat Europe conference.
Specifically, these vulnerabilities are triggered when the injected images are parsed, leading to the execution of payloads that could hijack the flow and bypass security mechanisms.
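The bug class described above is a parser trusting sizes declared inside the image file. The following added example (constructed for this page, not Binarly's research code nor any IBV's firmware) shows the consistency checks a BMP header validator needs before a boot-time decoder allocates or copies pixel data; `check_case` builds a constructed 70-byte image so the validator can be exercised against a benign header, an oversized declared width, and a truncated file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BMP_HDR_LEN 54  /* BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) */

static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 1 only when every size the header declares fits inside the `len`
 * bytes actually present. A decoder that trusts these fields without such a
 * check reads or writes past its buffer (the out-of-bounds / heap overflow class). */
int bmp_validate(const uint8_t *buf, size_t len)
{
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t file_size = rd32(buf + 2);
    uint32_t pix_off   = rd32(buf + 10);
    int32_t  width     = (int32_t)rd32(buf + 18);
    int32_t  height    = (int32_t)rd32(buf + 22);
    uint16_t bpp       = rd16(buf + 28);

    if (file_size > len) return 0;                      /* claims bytes that are not there */
    if (pix_off < BMP_HDR_LEN || pix_off > len) return 0;
    if (width <= 0 || height == 0) return 0;
    if (bpp != 24 && bpp != 32) return 0;               /* keep the decoder surface small */
    /* 64-bit arithmetic so a huge declared width cannot wrap the size computation */
    uint64_t rows   = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;  /* rows are 4-byte aligned */
    if (stride > UINT64_MAX / rows) return 0;
    if (stride * rows > (uint64_t)(len - pix_off)) return 0;    /* pixel data would overrun */
    return 1;
}

/* Constructed test input: header for a 2-row, 24-bpp image plus 16 filler bytes.
 * `width` and `claimed_size` are written as declared; `actual_len` is what the
 * validator is told is really present (capped at the 70-byte buffer). */
int check_case(int32_t width, uint32_t claimed_size, size_t actual_len)
{
    uint8_t img[70];
    memset(img, 0xAB, sizeof img);                      /* constructed pixel filler */
    memset(img, 0, BMP_HDR_LEN);
    img[0] = 'B'; img[1] = 'M';
    wr32(img + 2, claimed_size);
    wr32(img + 10, BMP_HDR_LEN);                        /* pixel data starts after the header */
    wr32(img + 14, 40);                                 /* BITMAPINFOHEADER size */
    wr32(img + 18, (uint32_t)width);
    wr32(img + 22, 2);                                  /* height: 2 rows */
    img[26] = 1;                                        /* planes */
    img[28] = 24;                                       /* bits per pixel */
    return bmp_validate(img, actual_len > sizeof img ? sizeof img : actual_len);
}
```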
"This attack vector can give an attacker an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that can persist in an ESP partition or firmware capsule with a modified logo image," the firmware security firm said.
In doing so, threat actors could gain entrenched control over the impacted hosts, resulting in the deployment of persistent malware that can fly under the radar.
Unlike BlackLotus or BootHole, it's worth noting that LogoFAIL doesn't break runtime integrity by modifying the boot loader or firmware component.
The flaws affect all major IBVs like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making it both severe and widespread.
The disclosure marks the first public demonstration of attack surfaces related to graphic image parsers embedded into the UEFI system firmware since 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin presented how a BMP image parser bug could be exploited for malware persistence.
"The types – and sheer volume – of security vulnerabilities discovered […] show pure product security maturity and code quality in general on IBVs reference code," Binarly noted.