Endpoint Security
,
Hardware / Chip-level Security
UEFI Feature Flashing Corporate Logo Can Enable Malware Deployment
Hackers could use a firmware specification designed to flash a corporate logo during computer bootup to deliver a malicious payload that circumvents the industry standard for only loading trusted operating systems.
See Also: JavaScript and Blockchain: Technologies You Can’t Ignore
The flaw stems from graphic image parsers embedded into system firmware that display a logo before the operating system takes over – hence its name from researchers at Binaryl: “LogoFAIL.”
Security researchers said vulnerabilities in Unified Extensible Firmware Interface affect all three major independent BIOS vendors – AMI, Insyde and Phoenix. “LogoFAIL impacts almost any device powered by these vendors in one way or another.”
Difficult to patch and often beyond the reach of endpoint security systems – but a miniature operating system in its own right – UEFI is attracting mounting attention from researchers and hackers. Researchers earlier this year exposed a first in-the-wild bootkit malware called BlackLotus being sold on hacking forums for $5,000 (see: BlackLotus Malware Bypasses Secure Boot on Windows Machines).
The U.S. federal government in August urged computer manufacturers to improve UEFI security, suggesting that systems owners be able to audit and manage UEFI components the same as other computer software (see: US CISA Urges Improvements to Key Computer Component).
LogoFAIL is potentially more dangerous than BlackLotus. Unlike BlackLotus, it “doesn’t break runtime integrity by modifying the bootloader or firmware component,” Binaryl said. Hundreds of consumer and enterprise-grade devices made by vendors including Intel, Acer and Lenovo are potentially vulnerable.
The flaw allows attackers to inject malicious logo images into the EFI system partition – where the UEFI specification stores boot loaders – or inside unsigned sections of a firmware update. UEFI parses BMP, GIF, JPEG, PCX and TGA files, significantly increasing the attack surface.
A malicious image triggering a malicious payload can bypass security features such as Secure Boot, “including hardware-based Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-based Secure Boot).”