Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label UEFI Firmware. Show all posts

LogoFAIL: UEFI Vulnerabilities Unveiled

The discovery of vulnerabilities is a sharp reminder of the ongoing conflict between innovation and malevolent intent in the ever-evolving field of cybersecurity. The tech community has been shaken by the recent discovery of LogoFAIL, a set of vulnerabilities hidden in the Unified Extensible Firmware Interface (UEFI) code that could allow malicious bootkit insertion through images during system boot.

Researchers have delved into the intricacies of LogoFAIL, shedding light on its implications and the far-reaching consequences of exploiting image parsing vulnerabilities in UEFI code. The vulnerability was aptly named 'LogoFAIL' due to its origin in the parsing of logos during the boot process. The severity of the issue is evident from the fact that it can be exploited to inject malicious code, potentially leading to the deployment of boot kits — a type of malware capable of persistently infecting the system at a fundamental level.

The vulnerability was first brought to public attention through a detailed report by Bleeping Computer, outlining the specifics of the LogoFAIL bugs and their potential impact on system security. The report highlights the technical nuances of the vulnerabilities, emphasizing how attackers could exploit weaknesses in UEFI code to compromise the integrity of the boot process.

Further exploration of LogoFAIL is presented in a comprehensive set of slides from a Black Hat USA 2009 presentation by researcher Rafal Wojtczuk. The slides provide an in-depth analysis of the attack vectors associated with LogoFAIL, offering valuable insights into the technical aspects of the vulnerabilities.

In a more recent context, the Black Hat Europe 2023 schedule includes a briefing on LogoFAIL, promising to delve into the security implications of image parsing during system boot. This presentation will likely provide an updated perspective on the ongoing efforts to address and mitigate the risks that LogoFAIL poses.

The gravity of LogoFAIL is underscored by additional resources such as the analysis on binarly.io and the UEFI Forum's document on firmware security concerns and best practices. Collectively, these sources highlight the urgency for the industry to address and remediate the vulnerabilities in the UEFI code, emphasizing the need for robust security measures to safeguard systems from potential exploitation.

Working together to solve these vulnerabilities becomes critical as the cybersecurity community struggles with the consequences of LogoFAIL. The industry must collaborate to establish robust countermeasures for the UEFI code, guaranteeing system resilience against the constantly changing cyber threat environment.


Leak of BIOS Source Code Confirmed by Intel


The authenticity of the suspected leak of Intel's Alder Lake BIOS source code has been established, potentially posing a cybersecurity risk to users.

Alder Lake, the firm's 12th generation processor, which debuted in November 2021, is coded for the Unified Extensible Firmware Interface (UEFI) in the released documentation.

The breach, according to an Intel statement provided to Tom's Hardware, does not "reveal any new vulnerabilities since we do not rely on encryption of information as a defense policy."Additionally, it is urging other members of the security research community to use its bug bounty program to submit any potential problems, and it is also alerting customers about the situation.

The 5.97 GB of files, source code, secret keys, patch logs, and compilation tools in the breach have the most recent timestamp of 9/30/22, indicating that a hacker or insider downloaded the data time. Several references to Lenovo may also be found in the leaked source code, including code for 'Lenovo String Service,' 'Lenovo Secure Suite,' and Lenovo Cloud Service integrations.

Tom's Hardware, however, has received confirmation from Intel that such source code is real and is its "exclusive UEFI code."

Sam Linford, vice president of Deep Instinct's EMEA Channels, said: "Source code theft is a very serious possibility for enterprises since it may lead to cyber-attacks. Because source code is a piece of a company's intellectual property, it is extremely valuable to cybercriminals."

This year, there have been multiple instances where an organization's source code was exposed. The password manager LastPass disclosed that some of its source code had been stolen in August 2022, and Rockstar Games' Grand Theft Auto 5 and the Grand Theft Auto 6 version's source code was stolen in September 2022.

HP Fixes UEFI Flaws Affecting 200+ Computers

 

HP released updates for two high-severity flaws in the UEFI firmware of more than 200 laptops, workstations, and other products on Wednesday. 

CVE-2021-3808 and CVE-2021-3809 are the two flaws, which have a CVSS score of 8.8. HP credited Aruba Threat Labs' Nicholas Starke and a researcher going by the online handle "yngweijw" with reporting the issues but did not disclose technical details on either of the flaws. 

The company did, however, provide a list of affected products, which includes a variety of corporate notebooks and desktop PCs, as well as desktop workstations, retail point-of-sale devices, and thin client PCs. 

“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory. 

According to Starke, HP took almost six months to fix CVE-2021-3809, the issue he disclosed. He adds that the security flaw is due to a SMI (System Management Interrupt) handler called from System Management Mode (SMM), a highly privileged x86 processor execution mode. The SMI handler, according to Starke, may be triggered from a kernel execution context like a Windows Kernel Driver, enabling an attacker to determine the memory location of a specific function and overwrite it in physical memory to refer to attacker code. 

“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks,” Starke added.

While the majority of the vulnerable devices have already received firmware updates, a handful has yet to receive them. Users can check HP's advisory for more information on the impact and upgrades. HP also released warnings this week that outline the updates Intel have released to address several firmware and software vulnerabilities affecting its CPUs and chipsets, as well as HP products.