LogoFAIL attack can install UEFI bootkits through bootup logos

Trending 2 months ago

LogoFAIL advance can install UEFI bootkits through bootup logos

Multiple aegis vulnerabilities collectively called LogoFAIL affect image-parsing apparatus in the UEFI cipher from assorted vendors. Researchers acquaint that they could be exploited to annex the beheading breeze of the booting action and to bear bootkits.

Because the issues are in the angel parsing libraries, which vendors use to appearance logos during the booting routine, they accept a ample appulse and extend to x86 and ARM architectures.

According to advisers at firmware accumulation alternation aegis belvedere Binarly, the branding has introduced unnecessary aegis risks, authoritative it accessible to assassinate awful payloads by injecting angel files in the EFI System Partition (ESP).

LogoFAIL analysis and impact

Abusing angel parsers for attacks on the Unified Extensible Firmware Interface (UEFI) was demonstrated in 2009 when advisers Rafal Wojtczuk and Alexander Tereshkin presented how a BMP angel parser bug could be exploited to affect the BIOS for malware persistence.

Discovering the LogoFAIL vulnerabilities started as a baby analysis activity on advance surfaces from image-parsing apparatus in the ambience of custom or anachronous parsing cipher in UEFI firmware.

The advisers begin that an antagonist could abundance a awful angel or logo on the EFI System Partition (ESP) or in bearding sections of a firmware update.

"When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled burden can arbitrarily be accomplished to annex the beheading breeze and bypass aegis appearance like Secure Boot, including hardware-based Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-based Secure Boot)" - Binarly


Planting malware in such a way ensures chain on the arrangement that is around undetected, as illustrated in accomplished attacks leveraging adulterated UEFI apparatus [1, 2].

LogoFAIL does not affect runtime candor because there is no charge to adapt the bootloader or the firmware, a adjustment apparent with the BootHole vulnerability or the BlackLotus bootkit.

In a video that Binarly aggregate abreast with BleepingComputer, active the proof-of-concept (PoC) script and rebooting the accessory resulted in creating an approximate book on the system.

The advisers highlight that because it is not silicon-specific LogoFAIL vulnerabilities appulse vendors and chips from assorted makers. The issues are present in articles from abounding above accessory manufacturers that use UEFI firmware in chump and enterprise-grade devices.

Binarly has already bent that hundreds of accessories from Intel, Acer, Lenovo, and added vendors are potentially vulnerable, and so are the three above independent providers of custom UEFI firmware code: AMI, Insyde, and Phoenix.

However, it is additionally account acquainted that the exact ambit of the appulse of LogoFAIL is still actuality determined.

“While we are still in the action of compassionate the absolute admeasurement of LogoFAIL, we already begin that hundreds of consumer- and enterprise-grade accessories are possibly accessible to this atypical attack,” the advisers say.

The abounding abstruse capacity for LogoFAIL are to be presented on December 6 at the Black Hat Europe aegis appointment in London.

According to the summary of the LogoFAIL presentation, the advisers appear their allegation to assorted accessory vendors (Intel, Acer, Lenovo) and to the three above UEFI providers.