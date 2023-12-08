Researchers have devised an attack that exploits serious vulnerabilities in UEFI firmware used by many computer manufacturers to deploy stealthy rootkits that execute in the early stages of the boot-up process beyond the visibility of endpoint security products. The attack involves planting maliciously crafted images in a special partition on the drive or in non-protected regions of the firmware.

“Hundreds of consumer and enterprise-grade devices from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable,” researchers from security firm Binarly said in their report. “The exact list of affected devices is still being determined but it's crucial to note that all three major IBVs [independent BIOS vendors] are impacted — AMI, Insyde, and Phoenix — due to multiple security issues related to image parsers they are shipping as a part of their firmware.”

Malicious code delivered through splash screens

Most PC manufacturers use Unified Extensible Firmware Interface (UEFI) implementations developed by a handful of companies known as independent BIOS vendors. UEFI is a standardized specification for firmware in computer systems — the modern equivalent to the old BIOS — and includes the low-level code responsible for initializing a computer’s hardware before loading the operating system installed on the hard drive.

The IBVs allow computer manufacturers to customize the firmware, for example to display their own logo and other branding elements on the screen during the early boot-up phase. This screen is also referred to as a splash screen, and it is shown before the operating system bootloader takes over and initializes the OS kernel. Binarly researchers decided to investigate and exploit this cosmetic early-boot functionality, which is why they dubbed their attack LogoFAIL.

Computer manufacturers supply splash screen graphics as images, which means that the firmware contains image parsing code to display them. Anyone who has followed security research will likely know that file parsers — also known as decoders — have been a source of serious vulnerabilities because they take user-supplied input in the form of files, interpret their contents, and load them into the computer’s memory. If this is not done safely, it can lead to memory corruption issues such as buffer overflows.

Modern UEFI firmware contains image parsers for images in several different formats — BMP, GIF, JPEG, PCX, and TGA — which significantly expands the attack surface and therefore the possibility of a vulnerability slipping through. In fact, the Binarly team found 29 issues in the image parsers used in Insyde, AMI, and Phoenix firmware, of which 15 were exploitable for arbitrary code execution.
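To make the parser problem concrete, the following is an added example written for this page; it is not code from Binarly's report or from any IBV firmware, and it does not reproduce any of the 29 reported issues. It shows a minimal BMP logo decoder in the classic unsafe shape (copy length taken straight from the image header) next to a hardened version, and runs both over constructed images. The 8x8 framebuffer, the 4096-byte "arena" that stands in for adjacent firmware memory, and the `build_bmp` helper that lets the header lie about the file body are all assumptions of the demo; real firmware also handles row stride, bottom-up row order and other pixel formats, which are left out here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Logical framebuffer the boot logo is blitted into: 8x8 pixels, 4 bytes each
 * (demo-sized; the logic is identical for a real display). */
#define FB_W 8
#define FB_H 8
#define FB_BYTES (FB_W * FB_H * 4)

/* The framebuffer sits at the start of one flat arena; the bytes after it are a
 * sentinel standing in for whatever firmware keeps there. One allocation means
 * an overflow lands in memory this demo owns and can inspect. */
#define ARENA_BYTES 4096

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* The BITMAPFILEHEADER + BITMAPINFOHEADER fields a decoder actually uses. */
typedef struct { uint32_t data_offset; int32_t width, height; uint16_t bpp; } bmp_hdr_t;

static int read_bmp_header(const uint8_t *buf, size_t len, bmp_hdr_t *h) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return -1;
    h->data_offset = rd32le(buf + 10);
    h->width  = (int32_t)rd32le(buf + 18);
    h->height = (int32_t)rd32le(buf + 22);
    h->bpp    = rd16le(buf + 28);
    return 0;
}

/* VULNERABLE PATTERN: the copy length is computed only from attacker-controlled
 * header fields, never compared with the destination size or the file length,
 * and the 32-bit multiplication can wrap. */
static int decode_logo_unchecked(const uint8_t *buf, size_t len, uint8_t *fb) {
    bmp_hdr_t h;
    if (read_bmp_header(buf, len, &h)) return -1;
    uint32_t bytes = (uint32_t)h.width * (uint32_t)h.height * (h.bpp / 8);
    memcpy(fb, buf + h.data_offset, bytes);   /* runs past fb whenever bytes > FB_BYTES */
    return 0;
}

/* HARDENED: reject anything the framebuffer cannot hold before any arithmetic,
 * then confirm the pixel data really lies inside the file. */
static int decode_logo_checked(const uint8_t *buf, size_t len, uint8_t *fb) {
    bmp_hdr_t h;
    if (read_bmp_header(buf, len, &h)) return -1;
    if (h.width <= 0 || h.height <= 0 || h.width > FB_W || h.height > FB_H) return -2;
    if (h.bpp != 32) return -3;                                /* demo handles one format */
    size_t bytes = (size_t)h.width * (size_t)h.height * 4;     /* <= FB_BYTES after the check */
    if (h.data_offset > len || bytes > len - h.data_offset) return -4;   /* truncated file */
    memcpy(fb, buf + h.data_offset, bytes);
    return 0;
}

/* Constructed input: header claims w x h at 32 bpp, body carries payload_bytes
 * of 0x41. Header and body are independent so the header can lie, as an
 * attacker's file would. Returns the file length, 0 if it would not fit. */
static size_t build_bmp(uint8_t *out, size_t cap, int32_t w, int32_t h, size_t payload_bytes) {
    if (cap < 54 + payload_bytes) return 0;
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr32le(out + 2, (uint32_t)(54 + payload_bytes));   /* bfSize */
    wr32le(out + 10, 54);                              /* bfOffBits */
    wr32le(out + 14, 40);                              /* biSize */
    wr32le(out + 18, (uint32_t)w);
    wr32le(out + 22, (uint32_t)h);
    wr16le(out + 26, 1);                               /* biPlanes */
    wr16le(out + 28, 32);                              /* biBitCount */
    memset(out + 54, 0x41, payload_bytes);
    return 54 + payload_bytes;
}

/* Runs one decoder over one constructed image. Returns the decoder's status and
 * sets *clobbered when any sentinel byte changed, i.e. the copy overran fb. */
static int run_decode(int (*dec)(const uint8_t *, size_t, uint8_t *),
                      int32_t w, int32_t h, size_t payload_bytes, int *clobbered) {
    static uint8_t file[8192];
    uint8_t arena[ARENA_BYTES];
    memset(arena, 0, FB_BYTES);
    memset(arena + FB_BYTES, 0xEE, ARENA_BYTES - FB_BYTES);
    size_t n = build_bmp(file, sizeof file, w, h, payload_bytes);
    int rc = n ? dec(file, n, arena) : -99;
    *clobbered = 0;
    for (size_t i = FB_BYTES; i < ARENA_BYTES; i++)
        if (arena[i] != 0xEE) { *clobbered = 1; break; }
    return rc;
}

int main(void) {
    int c;
    int rc = run_decode(decode_logo_unchecked, 16, 16, 1024, &c);
    printf("unchecked 16x16 logo: rc=%d sentinel clobbered=%d\n", rc, c);
    rc = run_decode(decode_logo_checked, 16, 16, 1024, &c);
    printf("checked   16x16 logo: rc=%d sentinel clobbered=%d\n", rc, c);
    return 0;
}
```

Three things the hardened path does that the unsafe one skips: it bounds width and height against the destination before multiplying (so the product cannot wrap), it rejects a header whose pixel data extends past the end of the file, and it treats any failure as a reason not to draw at all rather than drawing what it can. A 65536x65536 header makes the unchecked product wrap to zero and "succeed" silently, and a header-only file makes it read past the image it was handed; both are rejected up front by the checked version.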