UEFI flaws allow bootkits to pwn potentially hundreds of devices using images


Hundreds of consumer and enterprise devices are potentially vulnerable to bootkit exploits through insecure BIOS image parsers.

Security researchers have identified vulnerabilities in UEFI system firmware from major vendors which they say could allow attackers to hijack poorly maintained image libraries to silently deliver malicious payloads that bypass Secure Boot, Intel Boot Guard, AMD Hardware-Validated Boot, and others.

Dubbed "LogoFAIL," the set of vulnerabilities, we're told, allows attackers to use malicious image files that are loaded by the firmware during the boot phase as a means of silently delivering payloads such as bootkits.

The vulnerabilities affect the image parsing libraries used by various firmware vendors, most of which are exposed to the flaws, according to the researchers at Binarly.

Image parsers are firmware components responsible for loading the logos of vendors, or of workplaces in cases where work-issued machines are configured to do so, and displaying them on the screen as the machine boots.

Attackers could potentially inject their own image file into the EFI system partition, which is then parsed during boot and is capable of silently installing a malicious payload, such as a bootkit, with persistence.
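The article describes the weak point in general terms: a firmware image parser that trusts whatever header it finds in a logo file on the EFI system partition. The following is an added example, not code from the article or from Binarly, showing two defender-side checks that follow from that description: a strict BMP header validator of the kind a firmware parser should apply before it allocates or copies anything, and a small inventory routine that walks a mounted ESP and reports every file that looks like an image, with a verdict for BMPs. The size limits, the ESP layout, and the sample logo files are constructed for illustration and are not values from the article.

```python
"""Inventory and sanity-check boot-logo images on a mounted EFI system partition.

Added example (not from the article or from Binarly). All limits, paths and
sample files below are constructed assumptions for illustration.
"""
import os
import struct
import tempfile

# Magic bytes for the image formats a logo parser commonly accepts.
IMAGE_MAGIC = {
    b"BM": "bmp",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
MAX_DIM = 8192                  # assumed sane upper bound for a boot logo edge
MAX_PIXELS = 64 * 1024 * 1024   # assumed cap on the decoded pixel buffer


def detect_image_type(data: bytes):
    """Return the image kind by magic bytes, or None if it is not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_bmp(data: bytes) -> dict:
    """Strictly validate a BMP file header; raise ValueError on any inconsistency.

    Every field that later drives an allocation or a copy (dimensions, bit depth,
    pixel offset, image size) is checked against the real file length before use.
    Python integers do not overflow, but the width*height*bpp check mirrors the
    explicit overflow guard a C parser must perform.
    """
    if len(data) < 54:
        raise ValueError("truncated header")
    if data[:2] != b"BM":
        raise ValueError("bad magic")
    file_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    if file_size != len(data):
        raise ValueError("header file size does not match actual size")
    hdr_size, width, height, planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if hdr_size < 40 or hdr_size > 124:
        raise ValueError("unsupported DIB header size")
    if width <= 0 or height == 0:
        raise ValueError("zero or negative dimension")
    if width > MAX_DIM or abs(height) > MAX_DIM:
        raise ValueError("dimension out of range")
    if planes != 1:
        raise ValueError("bad plane count")
    if bpp not in (1, 4, 8, 16, 24, 32):
        raise ValueError("unsupported bit depth")
    if width * abs(height) > MAX_PIXELS:
        raise ValueError("pixel buffer too large")
    row_bytes = ((width * bpp + 31) // 32) * 4      # rows are padded to 4 bytes
    pixel_bytes = row_bytes * abs(height)
    if pixel_offset < 14 + hdr_size or pixel_offset + pixel_bytes > len(data):
        raise ValueError("pixel data does not fit inside the file")
    return {"width": width, "height": abs(height), "bpp": bpp, "pixel_bytes": pixel_bytes}


def bmp_verdict(data: bytes) -> str:
    """Wrap validate_bmp into a string verdict usable in reports."""
    try:
        validate_bmp(data)
        return "ok"
    except ValueError as exc:
        return f"reject: {exc}"


def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a minimal, well-formed BMP (constructed sample data for the demo)."""
    row_bytes = ((width * bpp + 31) // 32) * 4
    pixel_bytes = row_bytes * height
    header = b"BM" + struct.pack("<IHHI", 54 + pixel_bytes, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, pixel_bytes, 2835, 2835, 0, 0)
    return header + dib + bytes(pixel_bytes)


def inventory_esp(esp_root: str):
    """Walk a mounted ESP and list every image-like file with a verdict."""
    findings = []
    for dirpath, _, filenames in os.walk(esp_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = detect_image_type(data)
            if kind is None:
                continue
            verdict = bmp_verdict(data) if kind == "bmp" else "ok"
            rel = os.path.relpath(path, esp_root).replace(os.sep, "/")
            findings.append((rel, kind, verdict))
    return sorted(findings)


def demo():
    """Create a throwaway ESP layout with one sound logo and one tampered one."""
    with tempfile.TemporaryDirectory() as esp:
        boot_dir = os.path.join(esp, "EFI", "Boot")
        os.makedirs(boot_dir)
        with open(os.path.join(boot_dir, "logo.bmp"), "wb") as fh:
            fh.write(make_bmp(64, 32))
        tampered = bytearray(make_bmp(64, 32))
        struct.pack_into("<i", tampered, 18, 0x7FFFFFFF)   # absurd width in biWidth
        with open(os.path.join(boot_dir, "tampered.bmp"), "wb") as fh:
            fh.write(bytes(tampered))
        return inventory_esp(esp)


if __name__ == "__main__":
    for entry in demo():
        print(*entry)
```

Pointed at a real mounted ESP, `inventory_esp("/boot/efi")` gives a baseline of which image files exist there, so an unexpected addition or a header that fails validation stands out in a later comparison.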

Binarly said the discovery, which started life as a small side project but turned into a much larger, industry-wide disclosure, should be considered more dangerous than the BlackLotus bootkit from earlier this year.

"LogoFAIL differs from BlackLotus or BootHole threats because it doesn't break runtime integrity by modifying the bootloader or firmware component," said the researchers in a blog post.


"In this case, we are dealing with persistent exploitation with a modified boot logo image, triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded."

All three of the major independent BIOS vendors – AMI, Insyde, and Phoenix – are affected by the issues, as are devices from Intel, Acer, and Lenovo.

"Hundreds of consumer and enterprise-grade devices from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable," the researchers added.

"The exact list of affected devices is still being determined but it's crucial to note that all three major IBVs are impacted – AMI, Insyde, and Phoenix – due to multiple security issues related to image parsers they are shipping as a part of their firmware."

Almost any device powered by the named vendors is thought to be affected "in one way or another," and the vulnerability spans both x86 and ARM architectures.

The researchers will unveil the issues in greater detail next week, debuting the full research on stage at Black Hat Europe in London on December 6.

The talk will include full details of how the vulnerabilities can be exploited in what they say can be simplified into a three-step process.

Binarly claimed that the industry hasn't seen any public evidence of attacks related to image parsers since a presentation from 2009 [PDF] at Black Hat USA, work that saw Rafal Wojtczuk and Alexander Tereshkin exploit a BMP parser bug.

Since then, the number of image parsers has increased, covering more file types and consequently enlarging the potential attack surface, they said.