News Posts matching #BootHole

Return to Keyword Browsing

LogoFAIL Vulnerability Affects Almost Every PC Running Windows and Linux

Binarly's research team has discovered a collection of security vulnerabilities known as "LogoFAIL", which affects image parsing components within the UEFI firmware of a wide array of devices. These vulnerabilities are especially concerning because they are embedded within the reference code provided by Independent BIOS Vendors (IBVs), affecting not just a single vendor but a broad spectrum of devices that utilize this code. LogoFAIL is particularly dangerous because it allows attackers to bypass crucial security measures such as Secure Boot and Intel Boot Guard by executing a payload during the device's boot process. This is achieved by storing malicious images on the EFI System Partition or within unsigned sections of firmware updates. This method can compromise system security deeply without altering the runtime integrity of the bootloader or firmware, unlike other threats such as BlackLotus or BootHole.

The potential reach of LogoFAIL vulnerability is rather wide, with millions of consumer and enterprise-grade devices from various vendors, including ones like Intel, Acer, and Lenovo, being vulnerable. The exact list of affected devices is still undetermined, but the prevalence of the IBVs' code across numerous devices suggests that the impact could be widespread, with both Windows and Linux users being affected. Only PCs that don't allow any logotype displayed in the UEFI during the boot process are safe. Apple's Macs are secure as they don't allow any add-on images during boot, and some OEM prebuilt PCs, like the ones from Dell, don't allow images in the UEFI. Some makers like Lenovo, AMI, and Insyde have already published notes about cautiously uploading custom images to the UEFI and providing BIOS updates. Consumers and enterprises must check with their OEMs and IBVs for BIOS microcode updates to patch against this vulnerability.
Below, you can see the proof of concept in a YouTube video.

New BootHole Vulnerability Affects Billions of Devices, Compromises GRUB2 Boot-loader

Even if you don't have more than one operating system installed, your PC has a boot-loader, a software component first executed by the system BIOS, which decides which operating system to boot with. This also lets users toggle between different run-levels or configurations of the same OS. The GRUB2 boot-loader is deployed across billions of computers, servers, and pretty much any device that uses a Unix-like operating system. Cybersecurity researchers with Oregon-based firm Eclypsium, discovered a critical vulnerability with GRUB2 that can compromise a device's operating system. They named the vulnerability BootHole. This is the same firm behind last year's discovery of the Screwed Drivers vulnerability. It affects any device that uses the GRUB2 boot-loader, including when combined with Secure Boot technology.

BootHole exploits a design flaw with two of the key components of GRUB2, bison, a parser generator, and flex, a lexical analyzer. Eclypsium discovered that these two can have "mismatched design assumptions" that can lead to buffer overflow. This buffer overflow can be exploited to execute arbitrary code. Devices with modern UEFI and Secure Boot enabled typically wall off even administrative privileged users off from tampering with boot processes, however, in case of BootHole, the boot-loader parses a configuration file located in the EFI partition of the boot device, which can be modified by any user (or malicious process) that has admin privileges. Thankfully, patched versions of GRUB2 are already out, and the likes of SUSE have started distributing it for all versions of SUSE Linux. Expect practically every other *nix vendor, server manufacturer, to release patches to their end-users. Find a technical run-down of the vulnerability in this PDF by Eclypsium.
Return to Keyword Browsing
Nov 21st, 2024 13:39 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts