Hundreds of Windows and Linux computer models from virtually every hardware manufacturer are vulnerable to a new attack that executes malicious firmware early in the boot sequence. This attack allows for infections that are nearly impossible to detect or remove using current defense mechanisms.
This attack, dubbed LogoFAIL by the researchers who devised it, is relatively easy to execute, affects a wide range of both consumer and enterprise models, and is highly sophisticated, notably in the degree of control it gains over the affected device. LogoFAIL can often be executed remotely in a post-exploitation situation using techniques that are undetectable by traditional endpoint security products. And because the exploit runs early in the boot process, it bypasses numerous defenses, including the industry-wide Secure Boot, Intel’s Secure Boot, and similar protections from other companies designed to prevent so-called bootkit infections.
Game over for platform security
LogoFAIL is a set of 24 newly discovered vulnerabilities that have been lurking for years, if not decades, in the Unified Extensible Firmware Interface (UEFI) responsible for booting modern devices running Windows or Linux. These vulnerabilities are the result of nearly a year of research by Binarly, a company that helps customers identify and protect against vulnerable firmware.
These vulnerabilities are the subject of a coordinated mass disclosure released on Wednesday. The participating companies make up nearly the entire x64 and ARM CPU ecosystem: the UEFI suppliers AMI, Insyde, and Phoenix (sometimes still referred to as IBVs, or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs inside the devices (usually Intel, AMD, or designers of ARM CPUs). The researchers presented the attack on Wednesday at the Black Hat Security Conference in London.
Affected companies have issued advisories clarifying which products are vulnerable and where security patches can be obtained. The list of companies issuing advisories is not exhaustive, but includes AMI, Insyde, and Phoenix. A complete list was not available at the time of publication. Anyone who wants to know whether a particular device is vulnerable should contact the manufacturer.
As its name suggests, LogoFAIL involves logos, specifically the hardware vendor logos that appear on a device’s screen early in the boot process while UEFI is still running. About a dozen critical vulnerabilities in the UEFI image parsers of the three major IBVs had been overlooked until now. LogoFAIL exploits the most sensitive part of the boot process, known as DXE (Driver Execution Environment), by replacing the legitimate logo image with an identical-looking one crafted specifically to trigger these bugs, which allows malicious code to execute at this highly privileged stage.
“If arbitrary code is executed during the DXE phase, it is game over for platform security,” researchers from security firm Binarly, which discovered the vulnerability, wrote in a white paper. “From this stage, you have complete control over the target device’s memory and disk, and thus the operating system that is booted.”
From there, LogoFAIL can deliver a second-stage payload that drops an executable file onto the hard drive before the main OS boots. The following video shows a proof-of-concept exploit created by the researchers. The infected device (a 2nd generation Lenovo ThinkCentre M70 running an 11th generation Intel Core with a UEFI released in June) was running standard firmware defenses such as Secure Boot and Intel Boot Guard.
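The root cause described above is a firmware image parser that trusts the dimensions and offsets inside an image it was handed. As an added illustration, in C and not code from Binarly or any IBV, here is the kind of header-consistency check such a parser should apply before touching pixel data; the 24-bit BMP layout, the 4096-pixel limit and the two constructed sample buffers are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define LOGO_MAX_DIM 4096U  /* assumed sane upper bound for a boot logo's width/height */
#define BMP_HDR_LEN  54U    /* 14-byte file header + 40-byte BITMAPINFOHEADER */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
/* True only if a 24-bit BMP header is self-consistent and the pixel data it
 * promises fits in the buffer actually handed over. Trusting width*height from
 * the header instead is what lets a crafted logo write out of bounds in DXE. */
bool logo_header_ok(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return false;
    uint32_t file_size = rd32(buf + 2), data_off = rd32(buf + 10);
    int32_t width = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint16_t bpp = (uint16_t)(buf[28] | (buf[29] << 8));
    if (rd32(buf + 14) < 40 || bpp != 24) return false;        /* only 24-bit handled here */
    if (width <= 0 || height == 0 || height == INT32_MIN) return false;
    uint32_t hgt = (uint32_t)(height < 0 ? -height : height);  /* negative = top-down rows */
    if ((uint32_t)width > LOGO_MAX_DIM || hgt > LOGO_MAX_DIM) return false;
    uint32_t stride = ((uint32_t)width * 3U + 3U) & ~3U;       /* rows padded to 4 bytes */
    uint64_t need = (uint64_t)stride * hgt;                     /* bounded dims: no overflow */
    if (data_off < BMP_HDR_LEN || data_off > len || file_size > len) return false;
    if (need > (uint64_t)(len - data_off)) return false;       /* promises more than we have */
    *w = (uint32_t)width; *h = hgt; return true;
}
/* Constructed sample data: a header claiming w x h pixels in a `total`-byte file. */
static void make_header(uint8_t *out, int32_t w, int32_t h, uint32_t total) {
    memset(out, 0, BMP_HDR_LEN);
    out[0] = 'B'; out[1] = 'M'; out[26] = 1; out[28] = 24;
    wr32(out + 2, total); wr32(out + 10, BMP_HDR_LEN); wr32(out + 14, 40);
    wr32(out + 18, (uint32_t)w); wr32(out + 22, (uint32_t)h);
}
/* 2x2 logo carrying exactly the 16 padded pixel bytes it declares: accepted. */
bool sample_consistent_logo(void) {
    uint8_t img[BMP_HDR_LEN + 16]; uint32_t w, h;
    make_header(img, 2, 2, sizeof img);
    return logo_header_ok(img, sizeof img, &w, &h) && w == 2 && h == 2;
}
/* Same 70-byte buffer, but the header now claims 4096x4096 pixels: rejected. */
bool sample_oversized_claim(void) {
    uint8_t img[BMP_HDR_LEN + 16]; uint32_t w, h;
    make_header(img, 4096, 4096, sizeof img);
    return logo_header_ok(img, sizeof img, &w, &h);
}
```

The same discipline (bound every dimension, derive the required byte count with overflow-safe arithmetic, and compare it against the length you were actually given) applies to whatever image formats a vendor's DXE logo parser accepts.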
Binarly founder and CEO Alex Matrosov wrote in an email:
LogoFAIL is a newly discovered set of high-impact security vulnerabilities that affect various image parsing libraries used by various vendors in their system firmware during the device boot process. These vulnerabilities are most often in referenced code and affect not a single vendor, but the entire ecosystem across this code and the device vendors in which it is used. This attack could be advantageous to the attacker in that it bypasses most endpoint security solutions and delivers a stealthy firmware bootkit held within a firmware capsule containing a modified logo image.