Just About Every Windows and Linux Device Vulnerable to New LogoFAIL Firmware Attack

Accepted submission by upstart at 2023-12-26 19:30:55
News

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack [arstechnica.com]:

Hundreds of Windows and Linux computer models from virtually all hardware makers are vulnerable to a new attack that executes malicious firmware early in the boot-up sequence, a feat that allows infections that are nearly impossible to detect or remove using current defense mechanisms.

The attack—dubbed LogoFAIL by the researchers who devised it—is notable for the relative ease in carrying it out, the breadth of both consumer- and enterprise-grade models that are susceptible, and the high level of control it gains over them. In many cases, LogoFAIL can be remotely executed in post-exploit situations using techniques that can’t be spotted by traditional endpoint security products. And because exploits run during the earliest stages of the boot process, they are able to bypass a host of defenses, including the industry-wide Secure Boot, Intel’s Secure Boot, and similar protections from other companies that are devised to prevent so-called bootkit infections.

Game over for platform security

LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year’s worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware.

The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix (sometimes still called IBVs or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs. The researchers unveiled the attack on Wednesday at the Black Hat Security Conference in London.

The affected parties are releasing advisories that disclose which of their products are vulnerable and where to obtain security patches. Links to advisories and a list of vulnerability designations appear at the end of this article.

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.

“Once arbitrary code execution is achieved during the DXE phase, it’s game over for platform security,” researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. “From this stage, we have full control over the memory and the disk of the target device, thus including the operating system that will be started.”

From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started. The following video demonstrates a proof-of-concept exploit created by the researchers. The infected device—a Gen 2 Lenovo ThinkCentre M70s running an 11th-Gen Intel Core with a UEFI released in June—runs standard firmware defenses, including Secure Boot and Intel Boot Guard.

In an email, Binarly founder and CEO Alex Matrosov wrote:

LogoFAIL is a newly discovered set of high-impact security vulnerabilities affecting different image parsing libraries used in the system firmware by various vendors during the device boot process. These vulnerabilities are present in most cases inside reference code, impacting not a single vendor but the entire ecosystem across this code and device vendors where it is used. This attack can give a threat actor an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in a firmware capsule with a modified logo image.


proprietary-standards-are-always-dangerous dept.

Detecting LogoFAIL Vulnerabilities and Exploits at Enterprise Scale - Eclypsium [eclypsium.com]:

IT security teams are assessing new UEFI vulnerabilities that affect Windows and Linux systems. The vulnerabilities are collectively called LogoFAIL because they exist in UEFI image parsers that display the manufacturer logo when the system boots up.

Affected vendors include UEFI suppliers AMI, Insyde, and Phoenix and device manufacturers such as Lenovo, Dell, and HP. Some vendors have already issued advisories, but we should expect the list to expand as more vendors assess their exposure.

While we are not aware of exploitation in the wild, Eclypsium customers will be able to detect the vulnerabilities as well as indicators of potential exploits of the LogoFAIL vulnerabilities [arstechnica.com] with the version 3.4 release available now. Eclypsium can also assist in the remediation process by identifying vulnerable components and automating firmware updates.

LogoFAIL Summary

Exploiting LogoFAIL vulnerabilities requires attackers to replace the logo image with a malicious look-alike that includes specially crafted code to exploit vulnerabilities in the UEFI image parsers. Because the exploitation occurs in the Driver Execution Environment (DXE), a very early stage of the boot process, it can bypass built-in security protections such as Secure Boot. Attackers can run arbitrary code before the operating system and any endpoint security agents that might be installed on the device.
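The bug class described above is a boot-time image parser trusting the size fields inside an attacker-supplied logo. The following is an added example, not code from the page, Binarly, Eclypsium or any of the IBVs named here: a defensive pre-check for a BMP header that rejects inconsistent dimensions, offsets and sizes before any pixel is decoded. The specific checks, the 54-byte header layout assumptions and the 8 MiB size budget are my assumptions about what a hardened firmware logo parser should enforce, not a description of any vendor's actual fix.

```c
/* Added example, not code from the page, Binarly, Eclypsium or any IBV:
 * defensive validation of a BMP header before any pixel decoding. The
 * checks and the 8 MiB budget are assumptions about what a hardened
 * firmware logo parser should do, not a description of a vendor's fix. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum bmp_status {
    BMP_OK = 0,
    BMP_TOO_SHORT,            /* buffer shorter than the 54-byte headers */
    BMP_BAD_MAGIC,            /* no "BM" signature */
    BMP_BAD_DIB,              /* DIB header smaller than BITMAPINFOHEADER */
    BMP_BAD_BPP,              /* bit depth we do not decode */
    BMP_COMPRESSED,           /* only uncompressed BI_RGB is accepted */
    BMP_BAD_DIMENSIONS,       /* zero/negative width or over the size budget */
    BMP_PIXELS_OUT_OF_BOUNDS  /* declared pixel array does not fit the buffer */
};

/* Little-endian field accessors; BMP fields are unaligned, so no pointer casts. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Validate buf[0..len) against an output budget of max_bytes (for example the
 * framebuffer region the logo will be blitted into). All size arithmetic is
 * done in 64 bits so width * height * bpp cannot wrap a 32-bit field; trusting
 * those header values unchecked is the parser weakness the article describes. */
enum bmp_status bmp_header_check(const uint8_t *buf, size_t len, uint64_t max_bytes)
{
    if (len < 54) return BMP_TOO_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;
    uint32_t off_bits = rd32(buf + 10), dib_size = rd32(buf + 14);
    int32_t width = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);

    if (dib_size < 40) return BMP_BAD_DIB;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return BMP_BAD_BPP;
    if (compression != 0) return BMP_COMPRESSED;
    /* Negative height means top-down rows; INT32_MIN cannot be negated safely. */
    if (width <= 0 || height == 0 || height == INT32_MIN) return BMP_BAD_DIMENSIONS;
    uint64_t rows = (uint64_t)(height < 0 ? -height : height);
    uint64_t row_bytes = (((uint64_t)width * bpp + 31) / 32) * 4;  /* rows pad to 4 bytes */
    uint64_t pixel_bytes = row_bytes * rows;
    if (pixel_bytes > max_bytes) return BMP_BAD_DIMENSIONS;
    /* The pixel array must start after both headers and end inside the buffer. */
    if ((uint64_t)off_bits < 14 + (uint64_t)dib_size) return BMP_PIXELS_OUT_OF_BOUNDS;
    if ((uint64_t)off_bits + pixel_bytes > len) return BMP_PIXELS_OUT_OF_BOUNDS;
    return BMP_OK;
}

/* Write a 54-byte file header + BITMAPINFOHEADER (constructed test data). */
size_t build_bmp_header(uint8_t *out, uint32_t off_bits, int32_t width, int32_t height,
                        uint16_t bpp, uint32_t compression)
{
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 10, off_bits);
    wr32(out + 14, 40);
    wr32(out + 18, (uint32_t)width);
    wr32(out + 22, (uint32_t)height);
    wr16(out + 26, 1);
    wr16(out + 28, bpp);
    wr32(out + 30, compression);
    return 54;
}

/* Constructed sample inputs, one per failure mode, in a 70-byte buffer
 * (54 header bytes + 16 pixel bytes, enough for a 2x2 24-bpp image). */
enum bmp_status sample_check(int which)
{
    uint8_t buf[70] = {0};
    const uint64_t budget = 8u * 1024 * 1024;  /* assumed 8 MiB logo budget */
    switch (which) {
    case 0: build_bmp_header(buf, 54, 2, 2, 24, 0); break;          /* well formed */
    case 1: build_bmp_header(buf, 54, 65536, 65536, 32, 0); break;  /* w*h*4 wraps to 0 in 32 bits */
    case 2: build_bmp_header(buf, 54, 100, 100, 24, 0); break;      /* pixel array past end of file */
    case 3: build_bmp_header(buf, 20, 2, 2, 24, 0); break;          /* offset points into the header */
    case 4: build_bmp_header(buf, 54, 2, 2, 8, 1); break;           /* RLE8 compression */
    default: return bmp_header_check(buf, 10, budget);              /* truncated file */
    }
    return bmp_header_check(buf, sizeof buf, budget);
}

int main(void)
{
    static const char *names[] = { "OK", "TOO_SHORT", "BAD_MAGIC", "BAD_DIB", "BAD_BPP",
                                   "COMPRESSED", "BAD_DIMENSIONS", "PIXELS_OUT_OF_BOUNDS" };
    for (int k = 0; k <= 5; k++) printf("sample %d -> %s\n", k, names[sample_check(k)]);
    return 0;
}
```

The point of the check is that every quantity later used to size a buffer or index pixel memory is derived from the file, compared against the file's real length and a fixed budget, and computed in a width that cannot overflow; a parser that skips any one of those steps is the kind of code a crafted look-alike logo can drive into memory corruption.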

LogoFAIL CVEs and Severity Scores

Defenders need to know which systems are affected by LogoFAIL vulnerabilities and the associated severity. The CERT Coordination Center at Carnegie Mellon has a dynamic list of affected vendors [cert.org] and associated security advisories.

So far, it is difficult to determine the severity as no public exploit has been published, and some of the now public vulnerabilities have been scored differently by the researchers from Binarly who discovered the LogoFAIL vulnerabilities, the UEFI firmware vendors (Phoenix Technologies, Insyde, and AMI), and the National Vulnerability Database (NVD). The severity and exploitability of each LogoFAIL vulnerability will likely depend on how affected firmware vendors and equipment manufacturers (OEMs) store and process logo images. An attacker’s ability to modify these logo images or paths to them may depend on malicious software running locally on a system (with administrative or root-level privileges), on an attacker remotely accessing the system, or on an attacker who has gained physical access to a target.

You should monitor and apply patches as they become available from each OEM for each product model. As of the time of this writing, the list of affected products that have associated CVE identifiers includes the following:

Insyde

Insyde has issued INSYDE-SA-2023053 [insyde.com] and assigned it a CVSS score of 4.4. The associated CVE is CVE-2023-40238 [nist.gov] and has been scored a CVSS 5.5 (Medium) by the NVD. The aforementioned CVE correlates to Binarly’s vulnerability identifier BRLY-LOGOFAIL-2023-006 with an assigned CVSS of 8.2 (High). The difference in CVSS score appears to result from differences in perceived potential impact on confidentiality, integrity, and availability.

AMI

AMI has issued AMI-SA-2023009 [hubspotusercontent-na1.net] and assigned a score of 7.5 to each of the associated CVEs, while the NVD has assigned a score of 7.8:

  • CVE-2023-39538 [nist.gov] – AMI CVSS = 7.5 (High), NVD CVSS = 7.8 (High)
  • CVE-2023-39539 [nist.gov] – AMI CVSS = 7.5 (High), NVD CVSS = 7.8 (High)

The severity rating for the AMI vulnerabilities is higher than the CVE in Insyde firmware due to stated impact on confidentiality and integrity.
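The Insyde and AMI sections above quote four different numbers (4.4, 5.5, 7.8 and 8.2) for what is essentially the same bug class, and attribute the spread to differing views of privilege, scope and C/I/A impact. The following is an added example, not code from the page, Binarly, Insyde, AMI or NVD: a CVSS v3.1 base-score calculator, with four constructed vectors that land on exactly those scores. The vectors are my assumptions chosen to illustrate which metrics move the score; they are not the vectors the vendors, Binarly or NVD actually published.

```c
/* Added example, not from the page, Binarly, Insyde, AMI or NVD: a CVSS v3.1
 * base-score calculator. The vectors at the bottom are assumptions chosen
 * to reproduce the scores quoted above; the published vectors may differ. */
#include <stdio.h>
#include <string.h>

/* CVSS v3.1 Appendix A: round up to one decimal place. */
static double cvss_roundup(double x)
{
    long i = (long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0) return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

/* Return the single-letter value of metric `name` in a vector string, or '?'. */
static char metric(const char *vec, const char *name)
{
    char key[8];
    snprintf(key, sizeof key, "/%s:", name);   /* "/A:" must not match inside "/AV:" */
    const char *p = strstr(vec, key);
    return (p && p[strlen(key)] != '\0') ? p[strlen(key)] : '?';
}

/* Metric weights from CVSS v3.1 section 7.4; -1 marks an invalid value. */
static double w_av(char c) { return c == 'N' ? 0.85 : c == 'A' ? 0.62 : c == 'L' ? 0.55 : c == 'P' ? 0.20 : -1; }
static double w_ac(char c) { return c == 'L' ? 0.77 : c == 'H' ? 0.44 : -1; }
static double w_ui(char c) { return c == 'N' ? 0.85 : c == 'R' ? 0.62 : -1; }
static double w_cia(char c) { return c == 'H' ? 0.56 : c == 'L' ? 0.22 : c == 'N' ? 0.0 : -1; }
static double w_pr(char c, int scope_changed)
{
    if (c == 'N') return 0.85;
    if (c == 'L') return scope_changed ? 0.68 : 0.62;
    if (c == 'H') return scope_changed ? 0.50 : 0.27;
    return -1;
}

/* Base score for a "CVSS:3.1/..." vector, or -1.0 if a metric is missing/invalid. */
double cvss31_base(const char *vec)
{
    char s = metric(vec, "S");
    if (s != 'U' && s != 'C') return -1.0;
    int changed = (s == 'C');
    double av = w_av(metric(vec, "AV")), ac = w_ac(metric(vec, "AC"));
    double pr = w_pr(metric(vec, "PR"), changed), ui = w_ui(metric(vec, "UI"));
    double c = w_cia(metric(vec, "C")), i = w_cia(metric(vec, "I")), a = w_cia(metric(vec, "A"));
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0) return -1.0;

    double exploitability = 8.22 * av * ac * pr * ui;
    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);   /* impact sub-score */
    double impact;
    if (changed) {
        double p = 1.0;
        for (int k = 0; k < 15; k++) p *= (iss - 0.02);      /* (ISS - 0.02)^15 without libm */
        impact = 7.52 * (iss - 0.029) - 3.25 * p;
    } else {
        impact = 6.42 * iss;
    }
    if (impact <= 0.0) return 0.0;
    double raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    return cvss_roundup(raw > 10.0 ? 10.0 : raw);
}

/* Constructed vectors (assumptions, not the vendors' published ones) that land
 * on the four scores the page quotes for the Insyde and AMI CVEs. */
static const char *const EXAMPLE_VECTORS[] = {
    "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",  /* 4.4: local, admin, availability only */
    "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",  /* 5.5: same, but low privilege suffices */
    "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",  /* 7.8: full C/I/A loss added */
    "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",  /* 8.2: admin needed, but scope changes */
};

int main(void)
{
    for (size_t k = 0; k < sizeof EXAMPLE_VECTORS / sizeof EXAMPLE_VECTORS[0]; k++)
        printf("%4.1f  %s\n", cvss31_base(EXAMPLE_VECTORS[k]), EXAMPLE_VECTORS[k]);
    return 0;
}
```

Read top to bottom, the four constructed vectors show the levers a scorer can pull: whether administrative privilege is required (PR:H vs PR:L), whether a crashed boot is the only consequence (A:H alone) or firmware-level code execution counts as full confidentiality and integrity loss (C:H/I:H), and whether compromise of the firmware is treated as crossing a security boundary (S:C). Those are the judgement calls the article says the vendors, Binarly and NVD made differently.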

Phoenix Technologies

Phoenix Technologies has released an advisory [phoenix.com] and the associated CVE (CVE-2023-5058 [nist.gov]) has been issued. At the time of this writing, no CVSS scores have been provided.

While Phoenix has encouraged customers to upgrade to the latest version of firmware, it is unclear when patches from all vendors will be available to customers.

Detection and Recommendations

LogoFAIL represents a class of vulnerabilities in the image parsing functionality of UEFI firmware in Windows and Linux systems. While firmware vendors have issued advisories, the scope of the impact and severity of these vulnerabilities on various systems will become clear as more affected OEMs publish advisories and release updates. It’s important to look for new advisories and plan to install new updates as they are published by OEMs. In the meantime, Eclypsium has added detection of specific instances of LogoFAIL vulnerabilities affecting AMI-, Phoenix Technologies- and Insyde-based UEFI firmware on PC and server systems. We are also working on adding a capability to monitor systems for potential exploitation of the LogoFAIL class of vulnerabilities. As more advisories become available from OEMs and as proof-of-concept exploits become available, we will be adding detection of both vulnerabilities and indicators of compromise/exploitation.

Eclypsium customers who are configured to use the Automated Firmware Update capability will start receiving notifications about the new firmware updates as they are published by OEMs, verified, tested, and added to the Eclypsium platform.

Keep up to date with threats to low-level components such as UEFI by subscribing to our newsletter [eclypsium.com].
