Brother
Professional
Global threat: hundreds of models of computers and laptops are at risk.
A set of security vulnerabilities collectively known as LogoFAIL allows attackers to interfere with the boot process of computer devices and deploy bootkits. The root cause lies in the image parsing components that motherboard manufacturers use to display corporate logos when a computer starts. Both x86 and ARM devices are at risk.
Researchers at Binarly, a company that specializes in the security of motherboard firmware supply chains, noted in a recent report that this branding introduces unnecessary security risk: by planting malicious images in the EFI System Partition (ESP), attackers can get the firmware to parse attacker-controlled data at boot.
The ability to attack a computer's built-in boot interface in this way was demonstrated back in 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin showed how a bug in the BMP image parser could be used to infect the BIOS with malware.
The discovery of LogoFAIL began as a small research project studying the attack surface of image parsing components, specifically the custom or legacy parsing code found in UEFI firmware.
The researchers found that an attacker could store a malicious image or logo in the EFI System Partition or in unsigned sections of firmware updates.
"When these images are analyzed at boot time, a vulnerability can be triggered, and the payload controlled by an attacker can be randomly launched to intercept the execution flow and bypass security features such as Secure Boot, Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone," Binarly experts said.
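The mechanism described above comes down to firmware parsing an image file it does not trust. As an added illustration of what a parser in that position has to verify before it touches pixel data, here is a bounds-checked BMP header validator. This is example code written for this page, not Binarly's code and not any vendor's firmware; the field offsets follow the standard BITMAPFILEHEADER and BITMAPINFOHEADER layout, while `MAX_LOGO_DIM`, the function names and the constructed sample images are this example's own assumptions.

```c
/* Added example, not Binarly's or any vendor's code: validate a BMP header
 * against the real buffer length before any size derived from it is used. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BMP_FILE_HDR 14u      /* BITMAPFILEHEADER size */
#define BMP_INFO_HDR 40u      /* BITMAPINFOHEADER size */
#define MAX_LOGO_DIM 4096u    /* assumption: a sane cap for a splash logo */

typedef struct {
    uint32_t width, height, bpp, pixel_offset, row_stride, pixel_bytes;
} bmp_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 0 if the header is internally consistent and fits inside the
 * buffer, a negative code otherwise.  Every file-supplied value is checked
 * against the actual buffer length before it feeds any size computation;
 * skipping these checks is what lets a crafted logo steer a parser. */
int bmp_validate(const uint8_t *buf, size_t len, bmp_info_t *out)
{
    if (buf == NULL || len < BMP_FILE_HDR + BMP_INFO_HDR) return -1;  /* truncated headers */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;                     /* magic */
    uint32_t file_size = rd32(buf + 2);
    uint32_t pixel_off = rd32(buf + 10);
    uint32_t info_size = rd32(buf + 14);
    uint32_t width     = rd32(buf + 18);
    uint32_t hraw      = rd32(buf + 22);   /* negative height = top-down rows */
    uint16_t planes    = rd16(buf + 26);
    uint16_t bpp       = rd16(buf + 28);
    uint32_t compress  = rd32(buf + 30);

    if (file_size > len) return -3;                        /* claims more data than present */
    if (info_size < BMP_INFO_HDR || info_size > len - BMP_FILE_HDR) return -4;
    if (planes != 1 || compress != 0) return -5;           /* only uncompressed BI_RGB */
    if (bpp != 24 && bpp != 32) return -6;
    uint32_t height = (hraw & 0x80000000u) ? (0u - hraw) : hraw;   /* abs(); 0x80000000 stays huge */
    if (width == 0 || height == 0) return -7;
    if (width > MAX_LOGO_DIM || height > MAX_LOGO_DIM) return -8;  /* caps keep products far from overflow */
    uint32_t stride = ((width * (bpp / 8u)) + 3u) & ~3u;   /* rows are padded to 4 bytes */
    uint64_t need   = (uint64_t)stride * height;
    if ((uint64_t)pixel_off < BMP_FILE_HDR + (uint64_t)info_size) return -9;  /* pixels overlap header */
    if ((uint64_t)pixel_off + need > len) return -10;      /* pixel data runs past the buffer */

    if (out) {
        out->width = width; out->height = height; out->bpp = bpp;
        out->pixel_offset = pixel_off; out->row_stride = stride;
        out->pixel_bytes = (uint32_t)need;
    }
    return 0;
}

/* Constructed sample inputs (not real firmware logos).  Case 0 is a valid
 * 2x2 24-bit BMP; case 1 declares a height the data cannot cover; case 2
 * declares a file size larger than the buffer; case 3 points the pixel
 * offset back into the header.  Returns the validator's result code. */
int check_sample(int which)
{
    static uint8_t img[BMP_FILE_HDR + BMP_INFO_HDR + 16];   /* 2 rows * 8-byte stride */
    memset(img, 0, sizeof img);
    img[0] = 'B'; img[1] = 'M';
    wr32(img + 2, (uint32_t)sizeof img);
    wr32(img + 10, BMP_FILE_HDR + BMP_INFO_HDR);
    wr32(img + 14, BMP_INFO_HDR);
    wr32(img + 18, 2); wr32(img + 22, 2);
    wr16(img + 26, 1); wr16(img + 28, 24); wr32(img + 30, 0);
    switch (which) {
    case 1: wr32(img + 22, 1000); break;         /* 8000 pixel bytes claimed, 16 present */
    case 2: wr32(img + 2, 0x7fffffffu); break;   /* file size far beyond buffer */
    case 3: wr32(img + 10, 20); break;           /* pixel offset inside the header */
    default: break;
    }
    bmp_info_t info;
    return bmp_validate(img, sizeof img, &info);
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("sample %d -> %d\n", i, check_sample(i));
    return 0;
}
```

The point of the example is the ordering: the buffer length is the only trusted quantity, and every header field is reconciled with it before a stride, an allocation size or a copy length is derived. A parser that computes `stride * height` from the header and copies that many bytes, without the `-10` check, is the pattern the text describes.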
Malware planted this way gains persistence on the system that is practically undetectable, as was the case, for example, with the CosmicStrand malware, which we discussed last year. LogoFAIL does not break runtime integrity at all, since neither the bootloader nor the firmware needs to be modified.
The researchers emphasize that the LogoFAIL vulnerabilities are not tied to a specific hardware vendor: they affect devices and chips from a wide range of manufacturers and the UEFI firmware of both consumer and enterprise devices.
Binarly has already identified that hundreds of devices from Intel, Acer, Lenovo, and other manufacturers are potentially vulnerable, as is code from the three main independent vendors of UEFI firmware: AMI, Insyde, and Phoenix. However, it is also worth noting that the exact scale of LogoFAIL's impact has yet to be determined.
"While we are still in the process of understanding the true scale of LogoFAIL, we have already discovered that hundreds of consumer and enterprise-grade devices are potentially vulnerable to this new attack," the researchers said.
Full technical information about LogoFAIL will be presented on December 6 at the Black Hat Europe Security Conference in London. The researchers have already disclosed the findings to several device vendors, as well as major UEFI vendors.