Researchers have devised an attack that exploits serious vulnerabilities in UEFI firmware used by many computer manufacturers to deploy stealthy rootkits that execute in the early stages of the boot-up process beyond the visibility of endpoint security products. The attack involves planting maliciously crafted images in a special partition on the drive or in non-protected regions of the firmware.
“Hundreds of consumer and enterprise-grade devices from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable,” researchers from security firm Binarly said in their report. “The exact list of affected devices is still being determined but it’s crucial to note that all three major IBVs [independent BIOS vendors] are impacted — AMI, Insyde, and Phoenix — due to multiple security issues related to image parsers they are shipping as a part of their firmware.”
Malicious code delivered through splash screens
Most PC manufacturers use Unified Extensible Firmware Interface (UEFI) implementations developed by a handful of companies known as independent BIOS vendors. UEFI is a standardized specification for firmware in computer systems — the modern equivalent to the old BIOS — and includes the low-level code responsible for initializing a computer’s hardware before loading the operating system installed on the hard drive.
The IBVs allow computer manufacturers to customize the firmware, including to display their own logo and other branding elements on the computer’s screen during the early boot-up phase. This is also referred to as a splash screen and it’s shown before the operating system bootloader takes over and initializes the OS kernel. Binarly researchers decided to investigate and exploit this early boot cosmetic functionality, which is why they’ve dubbed their attack LogoFAIL.
Computer manufacturers supply splash screen graphics as images, which means that the firmware contains image parsing code to display them. Anyone who has followed security research will likely know that file parsers — also known as decoders — have been a source of serious vulnerabilities because they take user-supplied input in the form of files, interpret their contents, and load them into the computer’s memory. If this is not done safely, it can lead to memory corruption issues such as buffer overflows.
Modern UEFI firmware contains image parsers for images in several different formats — BMP, GIF, JPEG, PCX, and TGA — which significantly expands the attack surface and therefore the possibility of a vulnerability slipping through. In fact, the Binarly team found 29 issues in the image parsers used in Insyde, AMI, and Phoenix firmware, of which 15 were exploitable for arbitrary code execution.
“These results also show the scope and the impact of LogoFAIL, since each IBV has at least one exploitable bug inside their parsers, and every parser contains bugs,” the Binarly researchers said in their technical write-up. “The only exception is Insyde’s PNG parser that is based on an open-source project and was likely already well-tested by the community. As we can see from the CWE column, we found a lot of different bug classes, from division-by-zero exceptions to NULL pointer dereference, from out-of-bounds reads to heap overflows.”
The Binarly team found these vulnerabilities through fuzz testing (fuzzing), which involves automatically generating malformed or unexpected input and feeding it to a target application to see how it behaves. If the application crashes, it usually means that a memory corruption occurred so the root cause is investigated to see if the corruption can be triggered and exploited in a controlled manner and therefore has security implications.
Fuzzing has become a standard process over the years and is now integrated into most code security testing tools that organizations use in the development stage, which is why the Binarly team was surprised to find so many exploitable crashes in the firmware. “The results from our fuzzing and subsequent bug triaging unequivocally say that none of these image parsers were ever tested by IBVs or OEMs,” the researchers concluded. “We can confidently say this because we found crashes in almost every parser we tested. Moreover, the fuzzer was able to find the first crashes after running just for a few seconds and, even worse, certain parsers were crashing on valid images found on the internet.”
Bypassing firmware security features
Planting malicious code early in a computer’s bootloader or in the BIOS/UEFI firmware itself is not a new technique. These programs have been referred to as boot-level rootkits, or bootkits, and offer huge advantages to attackers because their code executes before the operating system starts, allowing them to hide from any endpoint security products that might be installed inside the OS itself.
The low-level bootkit code usually injects malicious code into the OS kernel when it’s being loaded during the boot stage and that code then uses the kernel’s capabilities to hide itself from any user-installed programs, which is the typical definition of a rootkit — self-hiding malware that runs with root (kernel) privileges.
The modern UEFI firmware comes with several defenses against these attacks — if they’re enabled by the computer manufacturer. For example, UEFI Secure Boot is a feature that checks if the pieces of code loaded during the boot process have been cryptographically signed with a trusted key. This includes the firmware drivers, also known as Option ROMs, that are needed to initialize the various hardware components before the OS takes over, the EFI applications that run inside the firmware itself and the operating system bootloader and other components. Intel Boot Guard provides a hardware-based mechanism for establishing the cryptographic root of trust storing the OEM keys.
A system with Boot Guard and Secure Boot enabled should prevent the exploitation of the LogoFAIL vulnerabilities. Unfortunately, that’s not always true because in some cases the IBV will provide the computer manufacturer with a way to customize the logo without it being covered by the Boot Guard signature enforcement.
For example, some implementations will look for the vendor-provided image on the EFI System Partition (ESP). This is a special partition on the hard disk drive where the EFI looks for various applications, including the OS bootloader code. In this case, an attacker only needs to have administrator privileges on the OS to put a malicious logo on the ESP partition then change a NVRAM variable and force a system reboot.
This will cause the UEFI firmware to load the malicious logo, which will exploit one of the identified vulnerabilities to execute malicious code and hijack the normal execution flow. This will happen at a critical stage of the boot-up sequence called the Driver Execution Environment (DXE).
Another logo customization possibility for OEMs is to use an IBV-provided tool that allows patching firmware capsules to add their logo and then flash these capsules to the flash ROM. An attacker could use the same firmware flashing tool to inject their malicious logo, but only if the logo is not part of any digitally signed code block of the firmware.
If the firmware-stored logo is not in a region covered by Intel Boot Guard or AMD’s equivalent Hardware-Validated Boot, an attacker could also use an SPI flash programmer tool and reprogram the flash chip that stores the firmware, if they gain physical access to the device, for example somewhere in the supply or distribution chain.
Some computer vendors such as Dell distribute their logo inside firmware blocks that are covered by Intel Boot Guard and do not provide an additional method of logo customization, such as images stored on ESP. They are not vulnerable to the LogoFAIL attack. “However, despite these devices not being at immediate risk, they still contain image parsers with high-severity vulnerabilities that need to be fixed, as they represent a hazard that could inadvertently turn into a security issue,” the researchers said.
Mitigation of the LogoFAIL vulnerability
All the impacted IBVs have issued security advisories — Insyde, AMI, and Phoenix — and are working with OEMs to release updated firmware images. End users are advised to check on their respective computer manufacturer’s website for UEFI updates for their models and apply them as soon as possible.
“Based on this reference code impact, we estimate LogoFAIL impacts almost any device powered by these vendors in one way or another,” the researchers said. “Also, it’s not limited to specific hardware and can be successfully exploited on x86 or ARM-based devices.” The vulnerabilities are tracked as CVE-2023-5058 for Phoenix firmware, CVE-2023-39538 and CVE-2023-39539 for AMI and CVE-2023-40238 for Insyde. Lenovo, one of the affected PC vendors, has released its own security advisory with a list of affected models and available updates so far.