LogoFAIL Bootup Flaw Puts Hundreds of Devices at RiskUEFI Feature Flashing Corporate Logo Can Enable Malware Deployment
Hackers could use a firmware specification designed to flash a corporate logo during computer bootup to deliver a malicious payload that circumvents the industry standard for only loading trusted operating systems.
The flaw stems from graphic image parsers embedded into system firmware that display a logo before the operating system takes over - hence its name from researchers at Binaryl: "LogoFAIL."
Security researchers said vulnerabilities found in Unified Extensible Firmware Interface affect all three major independent BIOS vendors - AMI, Insyde and Phoenix. "LogoFAIL impacts almost any device powered by these vendors in one way or another."
A spokesperson for the UEFI Forum, the industry consortium that maintains the standard, told Information Security Media Group that the vulnerability "lies with implementation of a mechanism defined in the UEFI Specification and not with the specification itself."
"Developers handle creating robust implementations outside the scope of the UEFI Forum," the spokesperson said.*
Difficult to patch and often beyond the reach of endpoint security systems - but a miniature operating system in its own right - UEFI is attracting mounting attention from researchers and hackers. Researchers earlier this year exposed a first in-the-wild bootkit malware called BlackLotus being sold on hacking forums for $5,000 (see: BlackLotus Malware Bypasses Secure Boot on Windows Machines).
The U.S. federal government in August urged computer manufacturers to improve UEFI security, suggesting that systems owners be able to audit and manage UEFI components the same as other computer software (see: US CISA Urges Improvements to Key Computer Component).
LogoFAIL is potentially more dangerous than BlackLotus. Unlike BlackLotus, it "doesn’t break runtime integrity by modifying the bootloader or firmware component," Binaryl said. Hundreds of consumer and enterprise-grade devices made by vendors including Intel, Acer and Lenovo are potentially vulnerable.
The flaw allows attackers to inject malicious logo images into the EFI system partition - where the UEFI specification stores boot loaders - or inside unsigned sections of a firmware update. UEFI parses BMP, GIF, JPEG, PCX and TGA files, significantly increasing the attack surface.
A malicious image triggering a malicious payload can bypass security features such as Secure Boot, "including hardware-based Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-based Secure Boot)."
*Updated Dec. 5, 2023 18:43 UTC: Adds comment from the UEFI Forum.