Firmware attacks pose challenge to organization
Binarly Research Team was working on project LogoFAIL, which was picked up by them just to have some fun, turned into a mammoth industry-wide disclosure and uncovered massive flaws.
While organizations are implementing different security solutions at different scales & levels and
globally security vendors are advancing their security products and solutions almost every day,
likewise new discoveries of vulnerabilities are also being reported at a much higher speed. The
recent findings on LogoFAIL project have disclosed severe vulnerabilities, which eventually can allow
hackers to hijack the execution flow and bypass security features like Secure Boot, including
hardware-based Verified Boot mechanisms.
The Rationale Behind The LogoFAIL Project
The very basic thought behind this entire project for Binarly research team was ;What if the graphic
image parsers embedded into system firmware do not update frequently and use not only outdated
but also customized versions of the common image parsing libraries?'
The team delved deeper into this wormhole and were shocked by multiple high-impact discoveries
that could be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot
Guard, and other security technologies by design. More importantly, it can open doors for attackers
to bypass modern endpoint security solutions and should be considered much more powerful than
the recent BlackLotus bootkit.
According to team, one of the most important discoveries was that LogoFAIL is not silicon-specific
and can impact x86 and ARM-based devices. LogoFAIL is UEFI and IBV-specific because of the
specifics of vulnerable image parsers that have been used. That shows a much broader impact from
the perspective of the discoveries that will be presented on Dec 6th.
LogoFAIL's Work Process
The vulnerabilities allow attackers to store malicious logo images either on the EFI System Partition
(ESP) or inside unsigned sections of a firmware update. When these images are parsed during boot,
the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to
hijack the execution flow and bypass security features like Secure Boot, including hardware-based
Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-
based Secure Boot).
These vulnerabilities can compromise the entire system's security, rendering &; below-the-OS"
security measures like any shade of Secure Boot ineffective, including Intel Boot Guard. This level of
compromise means attackers can gain deep control over the affected systems.
The team previously had seen attackers abusing ESP partitions multiple times to modify operating
system-related bootloaders to deliver UEFI bootkits (including BlackLotus). The LogoFAIL case
creates a different perspective on the ESP partition attack surface with data-only exploitation by
modifying the logo image.
Affected People & Organizations
Hundreds of and enterprise-grade devices from various vendors, including Intel, Acer, and
Lenovo, are potentially vulnerable. The exact list of affected devices is still being determined but it’s
crucial to note that all three major IBVs are impacted — AMI, Insyde, and Phoenix due to multiple
security issues related to image parsers they are shipping as a part of their firmware. Based on this
reference code impact, we estimate LogoFAIL impacts almost any device powered by these vendors
in one way or another. Also, it’s not limited to specific hardware and can be successfully exploited on
x86 or ARM-based devices.
The types — and sheer volume — of security vulnerabilities discovered by Binarly show pure product
security maturity and code quality in general on IBVs reference code. Most of these companies grew
up in the early 90s. They never change their mindset, being more proactive than reactive and fixing
only known problems without addressing complete attack surfaces or implementing effective
mitigations.
Easy To Avoid
These types of attacks can be avoided if graphic image parsers embedded into system firmware can
be updated frequently and use only updated versions. Hence, it is proven that vulnerabilities will
stay here in the world of digital device forever and the one of the most recommended ways to
mitigate attacks upgrading the systems in regular intervals.
(Source: Binarly Research Page)
(Image courtesy: eetimes Europe)