In a recent revelation by Ars Technica, a menacing firmware attack named LogoFAIL has emerged, posing a significant threat to computers running Windows or Linux.
This sophisticated exploit targets the boot-up logo, rewriting it after a successful Power-On Self-Test (POST), a tactic that enables it to bypass conventional security measures.
Scope of Vulnerability: All Roads Lead to LogoFAIL
The vulnerability extends its reach to motherboards employing Unified Extensible Firmware Interface (UEFI) from Independent BIOS Vendors (IBVs) like AMI, Insyde, and Phoenix.
The core of the problem is that the boot logo is rewritable and is parsed by the firmware during system boot-up, so the attack works regardless of whether the platform uses Intel, AMD, or ARM processors and runs Windows or Linux.
Infiltration Mode: Unveiling the DXE Phase Exploitation
Researchers at Binarly, who unearthed LogoFAIL, revealed that the attack strikes during the 'Driver Execution Environment' (DXE) phase after a successful POST. This phase is responsible for loading essential boot and runtime services; LogoFAIL replaces the legitimate UEFI boot-up logo with a malicious image, so the payload is processed as part of the DXE phase itself.
Lenovo ThinkCentre M70s Under the LogoFAIL Spell
According to Tom's Hardware, a practical demonstration showcased the efficacy of LogoFAIL on an Intel 11th-generation CPU-based Lenovo ThinkCentre M70s. Even with Intel Secure Boot and Boot Guard enabled, and the latest UEFI update installed in June, the system fell victim to the exploit, emphasizing the severity of the threat.
Exploiting Image-parsing Vulnerabilities
Alex Matrosov, CEO of Binarly, pinpointed the crux of the matter: LogoFAIL exploits a newly discovered vulnerability in the image-parsing libraries used by UEFI during the boot process.
"LogoFAIL is a newly discovered set of high-impact security vulnerabilities affecting different image parsing libraries used in the system firmware by various vendors during the device boot process. These vulnerabilities are present in most cases inside reference code, impacting not a single vendor but the entire ecosystem across this code and device vendors where it is used. This attack can give a threat actor an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in a firmware capsule with a modified logo image," Matrosov wrote in an email.
Because the exploit runs in firmware, it sits beneath every security layer on the system: CPU-level protections, the OS, and third-party security software. And since the implant does not live on the storage drive, reformatting the drive and reinstalling the OS does not remove the infection.
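As an added illustration (not code from Binarly, Ars Technica, or any BIOS vendor), the kind of strict header validation a firmware logo parser should perform before it touches pixel data, written in C for a 24/32-bit uncompressed BMP. The BMP field layout is the standard one; the 4096-pixel dimension cap and the sample buffers are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LOGO_MAX_DIM 4096u   /* assumed sane upper bound for a boot logo */
#define BMP_HDR_LEN  54u     /* 14-byte file header + 40-byte BITMAPINFOHEADER */

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns 0 when the header is consistent with the buffer it arrived in, a negative
 * code otherwise. Every size is derived in 64-bit and checked against the real length,
 * so a forged width/height/offset cannot steer a later copy outside the buffer. */
int validate_bmp_logo(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < BMP_HDR_LEN) return -1;         /* truncated header */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;            /* wrong magic */
    uint32_t file_size = rd32(buf + 2), off_bits = rd32(buf + 10), dib_size = rd32(buf + 14);
    int32_t  width  = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    uint32_t compress = rd32(buf + 30);

    if (file_size != len) return -3;                          /* declared size must match buffer */
    if (dib_size < 40 || planes != 1 || compress != 0) return -4;
    if (bpp != 24 && bpp != 32) return -5;
    if (width <= 0 || height == 0 || height == INT32_MIN) return -6;
    uint64_t w = (uint64_t)width;
    uint64_t h = (uint64_t)(height < 0 ? -height : height);   /* negative height = top-down rows */
    if (w > LOGO_MAX_DIM || h > LOGO_MAX_DIM) return -7;       /* refuse absurd dimensions */

    uint64_t stride = ((w * (bpp / 8) + 3) / 4) * 4;          /* rows padded to 4 bytes */
    uint64_t pixel_bytes = stride * h;                        /* cannot overflow with capped dims */
    if (off_bits < BMP_HDR_LEN || off_bits > len) return -8;   /* pixel offset outside buffer */
    if (pixel_bytes > (uint64_t)len - off_bits) return -9;    /* pixel data would overrun buffer */
    return 0;
}

/* Constructed sample: a 2x2 24-bpp logo (54-byte header + 16 bytes of zeroed pixel rows). */
static uint8_t sample_logo[70] = {
    'B','M', 70,0,0,0, 0,0,0,0, 54,0,0,0,   /* file header: magic, size, reserved, pixel offset */
    40,0,0,0, 2,0,0,0, 2,0,0,0, 1,0, 24,0, /* DIB header: size, width, height, planes, bpp */
};

int check_valid_logo(void) { return validate_bmp_logo(sample_logo, sizeof sample_logo); }

/* Same 70-byte buffer, but the header now claims a 0x40000000 x 0x40000000 image. */
int check_oversized_logo(void)
{
    uint8_t forged[70];
    memcpy(forged, sample_logo, sizeof forged);
    forged[21] = 0x40;                       /* high byte of width  */
    forged[25] = 0x40;                       /* high byte of height */
    return validate_bmp_logo(forged, sizeof forged);   /* rejected at the dimension cap */
}
```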
Are Pre-Built PCs Safe?
Not every system is exposed. Dell machines, whose logo is safeguarded by Image Boot Guard, and Macs, whose logo image is hardcoded into the UEFI firmware, are not affected. For everyone else, a patch is imperative.
Motherboard manufacturers and OEMs, including AMI, Insyde, and Lenovo, have issued advisories, emphasizing the critical need for users to update their UEFI with the latest security patches.