LogoFAIL Attacks: UEFI Bootkit Intrusion via Bootup Logos

Exploring the Intricate Tactics of LogoFAIL: Breaching Systems through Bootup Logos

Threat Analysis

Multiple vulnerabilities collectively named LogoFAIL have been identified in the image-parsing components of UEFI firmware from various vendors. Researchers warn that these vulnerabilities can be exploited to hijack the boot process and deliver bootkits.

The vulnerabilities lie within image parsing libraries utilized by vendors to display logos during the booting routine, posing a widespread risk across x86 and ARM architectures. Researchers from the firmware supply chain security platform Binarly assert that these vulnerabilities introduce unnecessary security risks, enabling the execution of malicious payloads through the injection of image files into the EFI System Partition (ESP).

The origins of LogoFAIL can be traced back to a research project focusing on attack surfaces associated with image-parsing components, specifically examining custom or outdated parsing code in UEFI firmware. The researchers discovered that attackers could implant a malicious image or logo within the EFI System Partition (ESP) or unsigned sections of a firmware update. This method ensures persistence on the system, with past attacks illustrating the use of infected UEFI components.

Unlike vulnerabilities such as BootHole or the BlackLotus bootkit, LogoFAIL does not break runtime integrity by modifying the bootloader or the firmware itself; the malicious image is what gets parsed. In a proof-of-concept (PoC) script shared with BleepingComputer, Binarly demonstrated the creation of an arbitrary file on the system after running the PoC and rebooting the device.
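One defender-side check that follows from the mechanism described above (a malicious image planted in the ESP and parsed by the firmware), written as an added example that is not from this article or from Binarly's PoC: inventory every image-format file on a mounted ESP by magic bytes rather than file extension, hash it, and diff the result against a known-good baseline. It assumes the ESP is mounted at a readable path (for example /boot/efi on Linux); the sample ESP tree below is constructed in a temporary directory for demonstration.

```python
import hashlib, os, tempfile

# Magic bytes of the formats UEFI logo parsers commonly accept.
IMAGE_MAGIC = {b"BM": "BMP", b"\x89PNG\r\n\x1a\n": "PNG", b"GIF87a": "GIF",
               b"GIF89a": "GIF", b"\xff\xd8\xff": "JPEG"}

def identify_image(header):
    """Image format of a file header judged by magic bytes, or None."""
    for magic, fmt in IMAGE_MAGIC.items():
        if header.startswith(magic):
            return fmt
    return None

def scan_esp_for_images(esp_root):
    """Walk a mounted ESP and list every image file, identified by content."""
    findings = []
    for dirpath, _, names in os.walk(esp_root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # ESP files are small; hash the whole file
            fmt = identify_image(data[:8])
            if fmt:
                rel = os.path.relpath(path, esp_root).replace(os.sep, "/")
                findings.append({"path": rel, "format": fmt,
                                 "sha256": hashlib.sha256(data).hexdigest()})
    return sorted(findings, key=lambda f: f["path"])

def unexpected_images(findings, baseline):
    """Images absent from the known-good baseline {rel_path: sha256} or changed."""
    return [f for f in findings if baseline.get(f["path"]) != f["sha256"]]

def build_sample_esp():
    """Constructed ESP: a bootloader, an OEM logo, and a PNG hiding as .dat."""
    root = tempfile.mkdtemp(prefix="esp_")
    files = {"EFI/BOOT/BOOTX64.EFI": b"MZ" + b"\x00" * 62,
             "EFI/OEM/logo.bmp": b"BM" + b"\x00" * 52,
             "EFI/BOOT/splash.dat": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24}
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    found = scan_esp_for_images(build_sample_esp())
    known = {f["path"]: f["sha256"] for f in found if f["path"].endswith("logo.bmp")}
    for f in unexpected_images(found, known):
        print("unexpected image on ESP:", f["path"], f["format"])
```

Record the baseline from a freshly provisioned machine and re-run the scan from a trusted environment, since any image that appears or changes on the ESP is worth explaining before the next reboot parses it.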

The researchers stress that LogoFAIL's impact is not restricted to specific silicon, affecting vendors and chips from multiple manufacturers. The vulnerabilities have been identified in products from major device manufacturers employing UEFI firmware in both consumer and enterprise-grade devices.

Binarly has identified potential vulnerabilities in hundreds of devices from prominent manufacturers such as Intel, Acer and Lenovo, as well as in the custom UEFI firmware code of major independent BIOS vendors such as AMI, Insyde and Phoenix. However, the complete scope of LogoFAIL's impact is still under investigation.

While the researchers continue to assess the extent of LogoFAIL, they have already informed multiple device vendors, including Intel, Acer, and Lenovo, along with major UEFI providers, about their findings. The comprehensive technical details of LogoFAIL are slated to be presented on December 6 at the Black Hat Europe security conference in London.

References

Cover Image Credits: BleepingComputer

https://www.blackhat.com/eu-23/briefings/schedule/index.html#logofail-security-implications-of-image-parsing-during-system-boot-35042
