LogoFAIL, a new type of UEFI attack that affects Windows and Linux


LogoFAIL: critical UEFI vulnerabilities

Researchers at Binarly have announced the discovery of a new vulnerability that targets the Unified Extensible Firmware Interface (UEFI), the firmware responsible for booting modern devices running Windows or Linux.

Dubbed "LogoFAIL", this vulnerability exploits bugs that have been present for years in the image parsers built into UEFI firmware, allowing malicious code to be executed in the early stages of the boot process and thereby compromising the security of the platform.

All Windows and Linux devices are said to be vulnerable to the new LogoFAIL firmware attack, which affects a wide range of computer models from various manufacturers. The attack stands out for its ease of execution, its impact on both consumer and professional models, and the high level of control it gives over infected devices. LogoFAIL can be executed remotely, bypassing traditional defense mechanisms and compromising platform security in the early stages of the boot process.

About LogoFAIL

LogoFAIL focuses on logos, especially those of hardware vendors, which are displayed on the screen at the beginning of the boot process while UEFI is still running. The image parsers integrated into the UEFI firmware of the three main IBVs (independent BIOS vendors) contain a dozen critical vulnerabilities that until now had gone unnoticed. By replacing legitimate logo images with versions specifically crafted to exploit these vulnerabilities, LogoFAIL allows the execution of malicious code at a crucial startup stage known as DXE (Driver Execution Environment).

Binarly researchers explained in a technical document that as soon as arbitrary code execution is achieved during the DXE phase, the security of the platform is compromised. From this point the attacker gains full control over the memory, the disk and even the operating system that the target device will go on to run. After that, LogoFAIL can deliver a second-stage payload, placing an executable on the hard drive even before the main operating system boots.

To show the vulnerability, the researchers presented a demonstration of this exploitation in an illustrative video they prepared. The vulnerabilities are the subject of a massive coordinated disclosure, published on Wednesday, involving companies that represent almost the entire x64 and ARM processor ecosystem.

To pass security checks, the IBV tool installs the same cryptographically signed UEFI firmware already in use, modifying only the logo image, which does not require a valid digital signature. In many cases the IBV tool is itself digitally signed, reducing the risk of endpoint protections intervening.

In the whitepaper accompanying the presentation, the researchers described the stages of a LogoFAIL attack as follows:

“As demonstrated in the image above, a LogoFAIL attack can be divided into three distinct phases. First, the attacker prepares a malicious logo image that it stores in the ESP or in an unsigned section of a firmware update. Then the device is restarted.

During the boot process, the vulnerable firmware loads the malicious ESP logo and analyzes it using a vulnerable image parser. This allows the attacker to hijack the execution flow by exploiting a flaw in the parser itself. By exploiting this threat, the attacker can execute arbitrary code during the DXE phase, which is equivalent to completely compromising the security of the platform.”
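The flaw class described above is a boot-time image parser that trusts what an image header declares. The page does not detail which checks the affected parsers lacked, so the following is an added, constructed illustration (not Binarly's code, and not from any IBV) of the header consistency checks a defensive BMP loader should apply before allocating or copying pixel data; the `build_bmp` helper and the sample images are assumptions made here to exercise the check.

```python
import struct

def build_bmp(width, height, declared_height=None):
    """Constructed 24-bit BMP; declared_height lets a test inflate the header."""
    stride = (width * 3 + 3) & ~3             # rows are padded to 4 bytes
    pixels = stride * height
    h = height if declared_height is None else declared_height
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + pixels, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, h, 1, 24, 0,
                           pixels, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(pixels)

def check_bmp(data, max_dim=4096):
    """Return None if the headers are self-consistent, else a reason string.

    Every value is taken from the untrusted header and cross-checked against
    the real file length before any size derived from it is used."""
    if len(data) < 54 or data[:2] != b"BM":
        return "not a BMP or truncated file header"
    _, _, _, _, pix_off = struct.unpack_from("<2sIHHI", data, 0)
    hdr_size, width, height, planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if hdr_size < 40 or pix_off < 14 + hdr_size or pix_off > len(data):
        return "pixel data offset outside the file"
    if planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        return f"unsupported planes/bpp {planes}/{bpp}"
    # height may be negative (top-down image); width must be positive
    if width <= 0 or height == 0 or width > max_dim or abs(height) > max_dim:
        return f"dimensions {width}x{height} out of range"
    stride = ((width * bpp + 31) // 32) * 4   # computed with bounded operands
    needed = stride * abs(height)
    if pix_off + needed > len(data):
        return (f"declared pixels need {needed} bytes, "
                f"only {len(data) - pix_off} present")
    return None

GOOD = build_bmp(2, 2)                        # consistent 2x2 image
OVERSIZED = build_bmp(2, 2, declared_height=100000)   # header claims huge image
TRUNCATED = build_bmp(2, 2, declared_height=2000)     # pixels beyond end of file
```

`check_bmp(GOOD)` returns `None`, while the two malformed samples are rejected before any buffer sized from the header is touched.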

LogoFAIL's danger level is due to its potential for remote infection and its ability to evade traditional defense mechanisms, both of which accentuate the risks involved. The high level of control over infected devices raises concerns about the persistence and detection of this threat, even after security patches are applied.

Finally, it is important that computer manufacturers, firmware developers, and security vendors work together quickly to develop patches to counter this threat. The magnitude of this vulnerability also highlights the importance of strengthening the security of the boot process and reevaluating existing defense mechanisms to ensure effective protection against such sophisticated attacks.

If you are interested in learning more about it, you can check the details at the following link.
