A series of vulnerabilities collectively called LogoFAIL affects UEFI firmware from multiple vendors, compromising the security of the image-parsing components within the UEFI code.
Based on reports, these vulnerabilities pose a severe risk to a wide range of devices, since they could allow attackers to install UEFI bootkits by manipulating boot-up logos. Researchers explained that the core of the LogoFAIL flaw lies in the image-parsing libraries that vendors use to display logos during the boot routine.
The issue is not tied to a single architecture, affecting both x86 and ARM systems, which makes it a widespread security concern. Further assessment of the flaw found that the vulnerabilities stem from unnecessary risk introduced by branding: they enable the execution of malicious payloads through image files injected into the EFI System Partition (ESP).
LogoFAIL is not the first exploit of image parsers in firmware. It resembles a 2009 exploit in which a BMP parser bug could be used to compromise the BIOS and plant persistent malware.
However, the current vulnerabilities lie in the image-parsing components of UEFI firmware, specifically its custom or outdated parsing code.
Hackers could use the LogoFAIL vulnerability to establish persistence in a way that evades detection.
According to investigations, hackers could leverage the LogoFAIL vulnerability to discreetly store a malicious image or logo on the EFI System Partition (ESP) or in unsigned sections of a firmware update. This technique could allow them to establish persistence on the system, a threat comparable to past attacks that abused compromised UEFI components.
Furthermore, unlike other UEFI bootkits, LogoFAIL does not compromise runtime integrity by modifying the bootloader or firmware. Instead, it operates by injecting malicious content during the boot process.
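As an added illustration (not code from the LogoFAIL researchers or from any firmware vendor), the following Python script shows the defender's side of what the paragraphs above describe: it walks a mounted ESP, identifies image files by their magic bytes rather than their file extension, and applies the header-consistency checks a hardened BMP parser would need before trusting declared dimensions and offsets. The ESP mount path and the BMP sample builder are assumptions made for the example.

```python
import struct
from pathlib import Path

# Leading bytes of the image formats a firmware logo parser might accept.
IMAGE_MAGIC = {b"BM": "bmp", b"\x89PNG": "png", b"GIF8": "gif", b"\xff\xd8\xff": "jpeg"}
BMP_HEADER_LEN = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER

def sniff_image(data: bytes):
    """Identify an image by its magic bytes, ignoring whatever extension the file carries."""
    return next((kind for magic, kind in IMAGE_MAGIC.items() if data.startswith(magic)), None)

def check_bmp_header(data: bytes):
    """List the header inconsistencies a hardened BMP parser must reject before trusting them."""
    if len(data) < BMP_HEADER_LEN:
        return ["truncated header"]
    file_size, _reserved, pixel_offset = struct.unpack_from("<III", data, 2)
    width, height, _planes, bpp = struct.unpack_from("<iiHH", data, 18)
    problems = []
    if file_size != len(data):
        problems.append(f"declared size {file_size} != actual {len(data)}")
    if not BMP_HEADER_LEN <= pixel_offset < len(data):
        problems.append(f"pixel offset {pixel_offset} outside file")
    if width <= 0 or height == 0 or bpp not in (1, 4, 8, 16, 24, 32):
        problems.append(f"implausible geometry {width}x{height} at {bpp} bpp")
    else:
        stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte multiples
        needed = stride * abs(height)  # Python ints cannot overflow here; a C parser must check
        if pixel_offset + needed > len(data):
            problems.append(f"pixel data needs {needed} bytes, file holds {len(data) - pixel_offset}")
    return problems

def scan_esp(root):
    """Walk a mounted ESP (assumed path) and report every image found, with BMP problems attached."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            kind = sniff_image(data[:8])
            if kind:
                findings.append((str(path), kind, check_bmp_header(data) if kind == "bmp" else []))
    return findings

def build_bmp(width, height, pixels):
    """Constructed 24-bpp BMP sample (not a real vendor logo) for exercising the checks."""
    size = BMP_HEADER_LEN + len(pixels)
    file_header = b"BM" + struct.pack("<IHHI", size, 0, 0, BMP_HEADER_LEN)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels
```

Running `scan_esp("/boot/efi")` on a Linux host lists every image file present on the partition, so an unexpected logo, or one whose header claims far more pixel data than the file contains, stands out for review.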
The implications of LogoFAIL reach vendors and chips from various manufacturers. Researchers have identified potentially vulnerable devices from major manufacturers such as Intel, Acer, and Lenovo. In addition, the vulnerabilities extend to the independent providers of custom UEFI firmware code, such as AMI, Insyde, and Phoenix.
Although investigations to determine the full extent of LogoFAIL are ongoing, researchers emphasise that hundreds of consumer and enterprise-grade devices may be susceptible to this new threat.
The LogoFAIL researchers stated that they will reveal the technical details of the vulnerability on December 6 at the Black Hat Europe security conference in London. The hope is that these details will allow vendors to create fixes for this newly discovered vulnerability.