UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

Exploits bypass most secure boot solutions from the biggest chip vendors


Hundreds of consumer and enterprise devices are potentially vulnerable to bootkit exploits through unsecured BIOS image parsers.

Security researchers have identified vulnerabilities in UEFI system firmware from major vendors which they say could allow attackers to hijack poorly maintained image libraries to quietly deliver malicious payloads that bypass Secure Boot, Intel Boot Guard, AMD Hardware-Validated Boot, and others.

Dubbed "LogoFAIL," we're told the set of vulnerabilities allows attackers to use malicious image files that are loaded by the firmware during the boot phase as a means of quietly delivering payloads such as bootkits.

The vulnerabilities affect the image parsing libraries used by various firmware vendors, most of which are exposed to the flaws, according to the researchers at Binarly.

Image parsers are firmware components responsible for loading logos of vendors, or workplaces in cases where work-issued machines are configured to do so, flashing them on the display as the machine boots.

Attackers could feasibly inject their own image file into the EFI system partition, which is then parsed during boot and is capable of quietly installing a malicious payload, such as a bootkit, with persistence.
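Since the delivery route described here is an image file dropped onto the EFI system partition, one defensive check is to inventory the images on a mounted ESP and compare them against a known-good baseline. The sketch below is an added example, not code from Binarly or any vendor; the function names, the idea of a stored baseline, and the list of image formats are assumptions, as the researchers have not said which formats are involved.

```python
import hashlib
import os

# Leading bytes of common image formats. Which formats a given firmware
# parses is not stated in the article; this list is an assumption.
# "BM" is only two bytes, so expect occasional non-image matches.
MAGIC = {
    b"BM": "bmp",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def sniff_image(head: bytes):
    """Return the image type indicated by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def inventory_images(esp_root: str) -> dict:
    """Map relative path -> (type, sha256) for every image under esp_root.

    Files are identified by content, not extension, so an image saved
    under an unrelated file name is still recorded.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(esp_root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            kind = sniff_image(data[:8])
            if kind:
                rel = os.path.relpath(full, esp_root).replace(os.sep, "/")
                found[rel] = (kind, hashlib.sha256(data).hexdigest())
    return found

def diff_inventory(baseline: dict, current: dict) -> dict:
    """Report images added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }
```

Run `inventory_images` against the ESP mount point on a known-good machine, store the result, and alert on any non-empty list from `diff_inventory` on later runs.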

Binarly said the discovery, which started life as a small side project but turned into a much larger, industry-wide disclosure, should be considered more dangerous than the BlackLotus bootkit from earlier this year.

"LogoFAIL differs from BlackLotus or BootHole threats because it doesn't break runtime integrity by modifying the bootloader or firmware component," said the researchers in a blog post.

"In this case, we are dealing with continued exploitation with a modified boot logo image, triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded."

All three of the major independent BIOS vendors – AMI, Insyde, and Phoenix – are affected by the issues, as well as devices from Intel, Acer, and Lenovo.

"Hundreds of consumer and enterprise-grade devices from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable," the researchers added. 

"The exact list of affected devices is still being determined but it's crucial to note that all three major IBVs are impacted – AMI, Insyde, and Phoenix due to multiple security issues related to image parsers they are shipping as a part of their firmware."

Almost any device powered by the named vendors is thought to be affected "in one way or another," and the vulnerability spans both x86 and ARM architectures.

The researchers will unveil the issues in greater detail next week, debuting the full research on stage at Black Hat Europe in London on December 6.

The talk will include full details of how the vulnerabilities can be exploited, in what they say can be simplified to a three-step process.

Binarly claimed that the industry hasn't seen any public documentation of attacks related to image parsers since a presentation from 2009 at Black Hat USA, work that saw Rafal Wojtczuk and Alexander Tereshkin exploiting a BMP parser bug.

Since then, the number of image parsers has increased, and they now cover more file types, which in turn increases the potential attack surface, they said. ®
