Thursday, December 7th 2023

LogoFAIL Vulnerability Affects Almost Every PC Running Windows and Linux

Binarly's research team has discovered a collection of security vulnerabilities known as "LogoFAIL", which affects image parsing components within the UEFI firmware of a wide array of devices. These vulnerabilities are especially concerning because they are embedded within the reference code provided by Independent BIOS Vendors (IBVs), affecting not just a single vendor but a broad spectrum of devices that utilize this code. LogoFAIL is particularly dangerous because it allows attackers to bypass crucial security measures such as Secure Boot and Intel Boot Guard by executing a payload during the device's boot process. This is achieved by storing malicious images on the EFI System Partition or within unsigned sections of firmware updates. This method can compromise system security deeply without altering the runtime integrity of the bootloader or firmware, unlike other threats such as BlackLotus or BootHole.

The potential reach of LogoFAIL vulnerability is rather wide, with millions of consumer and enterprise-grade devices from various vendors, including ones like Intel, Acer, and Lenovo, being vulnerable. The exact list of affected devices is still undetermined, but the prevalence of the IBVs' code across numerous devices suggests that the impact could be widespread, with both Windows and Linux users being affected. Only PCs that don't allow any logotype displayed in the UEFI during the boot process are safe. Apple's Macs are secure as they don't allow any add-on images during boot, and some OEM prebuilt PCs, like the ones from Dell, don't allow images in the UEFI. Some makers like Lenovo, AMI, and Insyde have already published notes about cautiously uploading custom images to the UEFI and providing BIOS updates. Consumers and enterprises must check with their OEMs and IBVs for BIOS microcode updates to patch against this vulnerability.
Below, you can see the proof of concept in a YouTube video.

Source: Binarly
Add your own comment

20 Comments on LogoFAIL Vulnerability Affects Almost Every PC Running Windows and Linux

#1
chrcoluk
Its a test fail for me, it required the user to grant UAC permission and to manually run the payload.

They need to show it working as a drive by in a restricted permission browser to get my attention.
Posted on Reply
#2
phanbuey
chrcolukIts a test fail for me, it required the user to grant UAC permission and to manually run the payload.

They need to show it working as a drive by in a restricted permission browser to get my attention.
Typically they combine exploits to deliver them on a system - i.e. EternalBlue was used to run wannaCry on target systems and then it spread like wildfire.

So there would be another remote code exploit used to run this process on the machine to then gain full access to the system.
Posted on Reply
#3
Ferrum Master
I suggest putting read only jumper for BIOS at certain stage and call it a day.
Posted on Reply
#4
unwind-protect
Ferrum MasterI suggest putting read only jumper for BIOS at certain stage and call it a day.
The broken code is in the firmware, but to trigger it you only need to modify the uEFI partition, which is not requiring a flash.
Posted on Reply
#5
_JP_
But modding an image of my <favorite thing> when it boots for 3 seconds was the coolest thing about UEFI! I could show it off, briefly!
Does this mean that there will finally be less bloat and more functionality, boarder hardware support will be a thing?
Posted on Reply
#6
TheoneandonlyMrK
You know I noticed that image change last bios update too, and that happens often, ,, not.
I'll be monitoring closely, hopefully, heuristic analysis of Windows Defender will gain skills against this given time and effort.
Posted on Reply
#7
chrcoluk
phanbueyTypically they combine exploits to deliver them on a system - i.e. EternalBlue was used to run wannaCry on target systems and then it spread like wildfire.

So there would be another remote code exploit used to run this process on the machine to then gain full access to the system.
Indeed, in that case EternalBlue was the real danger. In this case the "other remote code exploit" is what I would be worried about.
Posted on Reply
#8
swaaye
I thought Secure Boot was cracked like 10 years ago. Which actually would be not long after it first appeared lol.

We better just go back to the old school BIOS. Just had that sketchy boot sector virus protection that you always left off.
Posted on Reply
#9
R-T-B
Ferrum MasterI suggest putting read only jumper for BIOS at certain stage and call it a day.
Yeah not too worried about this here. If someone is able to flash your boot logo of course they can cause mischief, what happened to not getting that plague infested in the first place?
swaayeI thought Secure Boot was cracked like 10 years ago. Which actually would be not long after it first appeared lol.
Nah, not really. Secure boot has had a flaw here and there but overall works if some minion from the deepweb doesn't literally rewrite your firmware while you sleep. In which case, invest in a lock, please.
Posted on Reply
#10
user556
So for those that don't have a UEFI partition, it won't work?
Posted on Reply
#11
R-T-B
user556So for those that don't have a UEFI partition, it won't work?
It'll work on any UEFI PC flashed with a malicious logo. The partition scheme has nothing to do with it. But really, malware doesn't tend to mess with your bios logo to date and I don't really see that changing...
Posted on Reply
#12
user556
Can't say I've ever tried flashing the BIOS with the OS running. I've always done that within the BIOS menus using a FAT32 USB drive. It must be quite the feat for malware to achieve over the Internet.
Posted on Reply
#13
P4-630
user556Can't say I've ever tried flashing the BIOS with the OS running.
I did several times with an HP laptop.
The firmware updater was made for it in this case.
Posted on Reply
#14
user556
No laptops here. All assembled generic PC parts in a tower.
Posted on Reply
#15
unwind-protect
user556Can't say I've ever tried flashing the BIOS with the OS running. I've always done that within the BIOS menus using a FAT32 USB drive. It must be quite the feat for malware to achieve over the Internet.
Again, you don't have to flash the BIOS to hit this problem. Modifying the uEFI partition does it, and you can write to it like to any other FAT partition.
Posted on Reply
#16
user556
I don't have such a partition.
Posted on Reply
#18
R-T-B
unwind-protectAgain, you don't have to flash the BIOS to hit this problem. Modifying the uEFI partition does it, and you can write to it like to any other FAT partition.
Wait, what? That's not how I read this at all. Citation? Logos aren't loaded from the UEFI partition at all.
AleksandarKThis is achieved by storing malicious images on the EFI System Partition or within unsigned sections of firmware updates.
Ah nvm found it. Is this TPU taking liberties though or is this just using some mechanism I was unaware of? Been a while since my firmware security days.

Still, it needs to write to your most likely unmounted boot partition at minimum. Which would be pretty odd.
Posted on Reply
#19
xorbe
LogoFAIL or JailbreakWIN?
Posted on Reply
#20
R-T-B
xorbeLogoFAIL or JailbreakWIN?
If you're in a jail you aren't going to be able to parse a bootlogo like that.
Posted on Reply
Add your own comment
Dec 21st, 2024 20:55 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts