LogoFAIL: Critical vulnerabilities in the UEFI code

[German]There are several critical vulnerabilities in the UEFI code of the firmware of various BIOS/UEFI implementations that could be used to inject malware into a system. The whole thing was already announced by the Binarly REsearch Team on November 29, 2023 under the term LogoFAIL.

Several critical vulnerabilities in the UEFI code of various firmware/BIOS vendors could be exploited by threat actors to bypass security technologies and implant a malicious payload on the mainboards or systems.

The problem (a heap-based buffer overflow) probably is located in libraries for image parsing that are embedded in the UEFI firmware and offer potential attack vectors for bypassing Secure Boot, Intel Boot Guard and other security technologies. Furthermore, it should be possible to write a malicious logo image file to the EFI system partition. Hence the name LogoFail, because this logo image file makes it possible to permanently store malware in the EFI and thus persistently compromise the systems.

The LogoFAIL vulnerabilities affect virtually all major independent UEFI firmware developers such as AMI, Insyde and Phoenix. Therefore, hundreds of consumer and enterprise devices from manufacturers such as Intel, Acer and Lenovo (both x86 and ARM systems) are affected by this issue. Firmware updates for the devices are therefore required – the developers of the UEFI firmware have in any case been informed in advance. I am currently unaware of the current status of firmware updates.

The Hackers-News has published a short summary. A video demonstrating the PoC can be viewed on YouTube. The full technical description of the vulnerabilities is currently under embargo and will be presented for the first time on December 6, 2023, at the Blackhat Europe conference.