Firmware vulnerabilities that may affect 95% of computers allow attackers to bypass boot security and execute malware during startup, researchers say. The flaws lie in the image parsers that UEFI system firmware uses to load the logo shown on the startup screen, earning them the name “LogoFAIL.”
“Hundreds of consumer and enterprise-grade devices from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable,” warned researchers from firmware supply chain security company Binarly, who discovered the bugs.
What is LogoFAIL?
LogoFAIL is a set of firmware vulnerabilities in the image parsing libraries that load a logo during the device boot process. Exploiting it requires write access to the EFI System Partition (ESP), where the logo image is stored; in practice this means an attacker who has already gained privileged remote access by exploiting other bugs, or who has physical access to the device.
A logo image altered or replaced with a crafted file triggers the parser flaw when the image is read during boot, giving the attacker arbitrary code execution inside the firmware. This parsing happens before the operating system loader is verified, and the image data itself is not among what Secure Boot and Intel Boot Guard check, so neither mechanism catches the malicious code.
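As an added illustration of the bug class, the C below compares a BMP header parser that trusts the file's own dimension and offset fields with one that validates them before use. This is example code written for this article; it is not Binarly's proof of concept and not any IBV's firmware. The choice of BMP, the 54-byte header layout, and the 4096-pixel and 16 MiB limits are assumptions made for the demo, and the three sample files are constructed inline rather than taken from any real device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BMP_HDR_LEN    54u                      /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define MAX_LOGO_DIM   4096u                    /* assumed policy: reject logos wider/taller than this */
#define MAX_LOGO_BYTES (16u * 1024u * 1024u)    /* assumed policy: 16 MiB cap on decoded pixel data */

/* Little-endian field readers/writers for the header. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Trusting parser (the LogoFAIL bug class). Every header field is believed: the
 * buffer size is computed in 32-bit arithmetic, so hostile dimensions wrap to a
 * small allocation that the later per-pixel copy would overflow, and the pixel
 * data offset is never compared with the file length. The demo stops at the size
 * computation, so nothing here can actually corrupt memory. */
uint32_t trusting_alloc_size(const uint8_t *buf, size_t len) {
    (void)len;                                          /* the bug: length is never consulted */
    uint32_t width  = rd32(buf + 18);
    uint32_t height = rd32(buf + 22);
    uint16_t bpp    = rd16(buf + 28);
    uint32_t stride = ((width * bpp + 31u) / 32u) * 4u; /* rows padded to 4 bytes; may wrap */
    return stride * height;                             /* may wrap again */
}

/* Validating parser. Returns the number of pixel-data bytes the caller may safely
 * read from buf, or 0 if the header is rejected for any reason. */
uint64_t validated_pixel_bytes(const uint8_t *buf, size_t len) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t file_size  = rd32(buf + 2);
    uint32_t pix_off    = rd32(buf + 10);
    uint32_t dib_size   = rd32(buf + 14);
    uint32_t width      = rd32(buf + 18);               /* a "negative" width is just huge: rejected below */
    uint32_t height_raw = rd32(buf + 22);               /* negative height means top-down rows */
    uint16_t planes     = rd16(buf + 26);
    uint16_t bpp        = rd16(buf + 28);
    uint32_t compress   = rd32(buf + 30);

    if (file_size > len) return 0;                      /* header claims more bytes than we hold */
    if (dib_size < 40u || planes != 1 || compress != 0) return 0;   /* uncompressed BI_RGB only */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return 0;
    if (width == 0 || width > MAX_LOGO_DIM) return 0;
    uint32_t height = (height_raw & 0x80000000u) ? (0u - height_raw) : height_raw;
    if (height == 0 || height > MAX_LOGO_DIM) return 0;

    /* With both dimensions capped, 64-bit arithmetic cannot wrap. */
    uint64_t stride = (((uint64_t)width * bpp + 31u) / 32u) * 4u;
    uint64_t need   = stride * height;
    if (need > MAX_LOGO_BYTES) return 0;
    if (pix_off < BMP_HDR_LEN || pix_off > len || need > len - pix_off) return 0;
    return need;
}

/* Constructed sample files (not real vendor logos). */
static void fill_header(uint8_t *h, uint32_t file_size, uint32_t pix_off,
                        uint32_t w, uint32_t ht, uint16_t bpp) {
    memset(h, 0, BMP_HDR_LEN);
    h[0] = 'B'; h[1] = 'M';
    put32(h + 2, file_size);
    put32(h + 10, pix_off);
    put32(h + 14, 40u);                                 /* BITMAPINFOHEADER size */
    put32(h + 18, w);
    put32(h + 22, ht);
    put16(h + 26, 1u);                                  /* colour planes */
    put16(h + 28, bpp);
    put32(h + 30, 0u);                                  /* BI_RGB */
}

/* 2x2 at 24 bpp: two 8-byte rows (6 pixel bytes + 2 padding). out needs 70 bytes. */
size_t benign_bmp(uint8_t *out) {
    fill_header(out, 70u, BMP_HDR_LEN, 2u, 2u, 24u);
    memset(out + BMP_HDR_LEN, 0xAB, 16);
    return 70;
}

/* Claims 65537 x 65536 at 32 bpp: the true pixel size is just over 16 GiB, but the
 * 32-bit computation wraps to 256 KiB. out needs 54 bytes. */
size_t wrap_attack_bmp(uint8_t *out) {
    fill_header(out, BMP_HDR_LEN, BMP_HDR_LEN, 65537u, 65536u, 32u);
    return BMP_HDR_LEN;
}

/* Sane dimensions, but the pixel-data offset points far past the end of the file. out needs 70 bytes. */
size_t offset_attack_bmp(uint8_t *out) {
    fill_header(out, 70u, 0x7FFFFFF0u, 2u, 2u, 24u);
    memset(out + BMP_HDR_LEN, 0xAB, 16);
    return 70;
}

int main(void) {
    uint8_t b[70], w[54], o[70];
    size_t nb = benign_bmp(b), nw = wrap_attack_bmp(w), no = offset_attack_bmp(o);
    printf("benign : trusting=%u validated=%llu\n", trusting_alloc_size(b, nb), (unsigned long long)validated_pixel_bytes(b, nb));
    printf("wrap   : trusting=%u validated=%llu\n", trusting_alloc_size(w, nw), (unsigned long long)validated_pixel_bytes(w, nw));
    printf("offset : trusting=%u validated=%llu\n", trusting_alloc_size(o, no), (unsigned long long)validated_pixel_bytes(o, no));
    return 0;
}
```

The trusting parser accepts all three files and would hand a 256 KiB buffer to a decode loop that then writes more than 16 GiB into it; the validating parser returns a usable byte count only for the benign file. The same shape of check (bound the dimensions, do the size arithmetic in a wider type, and compare every offset against the bytes actually in hand) is what a logo parser needs regardless of format.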
“This attack vector can give an attacker an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in an ESP partition or firmware capsule with a modified logo image,” the Binarly researchers wrote.
The researchers demonstrate a proof-of-concept exploit of LogoFAIL in the following video:
Is my computer affected by LogoFAIL?
The attack surface of LogoFAIL is immense because the affected image parsers are used by all three major independent BIOS vendors (IBVs): AMI, Insyde and Phoenix. These vendors supply UEFI system firmware to dozens of major device manufacturers, including Acer, Intel and Lenovo, which then ship that firmware in hundreds of device models.
Binarly CEO Alex Matrosov estimated 95% of devices use UEFI firmware from one of the affected IBVs, according to DarkReading.
However, not every device that contains the flawed image parsers is actually exploitable, Binarly reported. For example, the Dell devices the researchers tested contained 526 flawed parsers in total, but the flaws could not be used to execute malicious code because Dell's firmware does not allow the startup logo image to be altered.
While the researchers have not yet compiled a full list of affected device models, they reported the vulnerabilities to the major IBVs and device vendors months before disclosing the details of LogoFAIL. Users need to make sure their firmware is up to date to be protected against LogoFAIL exploits; Lenovo, for example, has released a security advisory with instructions for updating specific device models. Because the attack requires write access to the ESP, limiting who can obtain administrative privileges on a machine also reduces exposure while an update is pending.