Almost every Windows and Linux device is vulnerable to the new LogoFAIL firmware attack

Hundreds of Windows and Linux PC models from almost all hardware manufacturers are vulnerable to a new attack that executes malicious firmware early in the boot sequence, a feat that allows infections that are nearly impossible to detect or remove with current defense mechanisms.

The attack – which the researchers who designed it called LogoFAIL – is characterized by the relative ease of its implementation, the breadth of vulnerable models at the consumer and business levels, and the high level of control it gains over them. In many cases, LogoFAIL can be executed remotely in post-exploitation situations using techniques that cannot be detected by traditional endpoint security products. Because exploits operate during the early stages of the boot process, they are able to bypass a range of defenses, including industry-standard Secure Boot, Intel Secure Boot, and similar protections from other companies designed to prevent so-called bootkit infections.

Game over for platform security

LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have been lurking for years, if not decades, in the standardized extensible firmware interfaces responsible for the operation of modern Windows or Linux devices. These vulnerabilities are the product of nearly a year of work by Binarly, a company that helps customers identify and secure vulnerable firmware.

The vulnerabilities are the subject of a comprehensive, coordinated disclosure released on Wednesday. Participating companies span almost the entire x64 and ARM CPU ecosystem, ranging from UEFI vendors AMI, Insyde, and Phoenix (still sometimes called IBVs, or independent BIOS vendors) to hardware manufacturers such as Lenovo, Dell, and HP, and the makers of the CPUs that go inside that hardware, usually Intel, AMD, or designers of ARM CPUs. The researchers presented the attack on Wednesday at the Black Hat security conference in London.

Affected companies are issuing advisories disclosing which products are at risk and where to obtain security patches. A non-exhaustive list of companies issuing advisories includes AMI, Insyde, and Phoenix. The full list was not available at press time. People who want to know whether a particular device is at risk should check with the manufacturer.

As its name suggests, LogoFAIL involves logos, specifically the hardware vendor logos displayed on the device’s screen early in the boot process, while UEFI is still running. The image parsers in the UEFI firmware of all three major IBVs are riddled with nearly a dozen critical vulnerabilities that had gone unnoticed until now. By replacing the legitimate logo images with identical-looking images specially crafted to exploit these bugs, LogoFAIL makes it possible for malicious code to execute at the most sensitive stage of the boot process, known as DXE, short for Driver Execution Environment.

“Once arbitrary code is executed during the DXE phase, it is game over for platform security,” researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. “From this point, we have complete control over the memory and disk of the target device, thus including the operating system it will run.”

From there, LogoFAIL can deliver a second-stage payload that drops an executable file onto the hard drive before the main operating system starts. The following video demonstrates the proof-of-concept exploit created by the researchers. The affected device — a 2nd generation Lenovo ThinkCentre M70s running an 11th generation Intel Core processor with UEFI released in June — is running standard firmware defenses, including Secure Boot and Intel Boot Guard.

[Video: LogoFAIL proof-of-concept demonstration]

In an email, Binarly founder and CEO Alex Matrosov wrote:

LogoFAIL is a newly discovered group of high-impact vulnerabilities that affect various image analysis libraries used in system firmware by different vendors during the device boot process. In most cases these vulnerabilities exist within the reference code, affecting not a single vendor but the entire ecosystem across that code and the hardware vendors where it is used. This attack can give the threat actor an advantage in bypassing most endpoint security solutions and delivering a hidden firmware bootkit that will persist in the firmware capsule with a modified logo image.
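Since the attack replaces the vendor logo inside the firmware image, one defensive check follows directly from the article and from Matrosov's description of a bootkit persisting "with a modified logo image": inventory the logo blobs in a firmware dump and compare their hashes against a vendor-supplied known-good set. The script below is an added example, not Binarly's tooling or any vendor's code; it assumes logos are stored as BMP files (the usual UEFI boot-logo format), and the firmware dump, the baseline, and the two logos are constructed inline.

```python
"""Scan a raw firmware dump for embedded BMP blobs, hash each one and flag any
whose hash is not in a vendor-supplied baseline of known-good logo images."""
import hashlib
import struct

def _bmp_len(buf, off):
    # BMP: "BM" then the whole file size as a little-endian uint32 at offset 2.
    if off + 54 > len(buf):
        return None
    size = struct.unpack_from("<I", buf, off + 2)[0]
    return size if 54 <= size <= len(buf) - off else None

def find_bmp_logos(buf):
    """Return [(offset, length, sha256)] for every plausible BMP blob in buf."""
    found, pos = [], 0
    while pos < len(buf):
        n = _bmp_len(buf, pos) if buf.startswith(b"BM", pos) else None
        if not n:
            pos += 1
            continue
        found.append((pos, n, hashlib.sha256(buf[pos:pos + n]).hexdigest()))
        pos += n
    return found

def unexpected_images(buf, baseline):
    """BMP blobs whose hash is absent from the known-good set."""
    return [img for img in find_bmp_logos(buf) if img[2] not in baseline]

def make_bmp(width, height, rgb):
    # Minimal 24-bit BMP, used only to build the constructed sample below.
    row = (width * 3 + 3) & ~3
    pixels = (bytes(rgb[::-1]) * width).ljust(row, b"\0") * height
    hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    return hdr + dib + pixels

# Constructed sample dump: padding, the vendor logo, padding, a swapped-in logo.
VENDOR_LOGO = make_bmp(4, 2, (255, 255, 255))
SWAPPED_LOGO = make_bmp(4, 2, (255, 0, 0))
SAMPLE_DUMP = b"\xff" * 64 + VENDOR_LOGO + b"\0" * 32 + SWAPPED_LOGO + b"\xff" * 16
BASELINE = {hashlib.sha256(VENDOR_LOGO).hexdigest()}  # vendor's known-good set

if __name__ == "__main__":
    for off, n, digest in unexpected_images(SAMPLE_DUMP, BASELINE):
        print(f"unexpected BMP at offset {off} ({n} bytes): sha256={digest}")
```

On a real dump, build the baseline from the vendor's pristine firmware image and run the scan against the flash contents read back from the device.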
