LogoFAIL firmware exploit bypasses hardware and software security


    #2609110

    LogoFAIL exploit bypasses hardware and software security measures and is nearly impossible to detect or remove

    Individual BIOS Vendors are scrambling to release UEFI patches to OEMs and motherboard manufacturers.

    Computers running Windows or Linux are vulnerable to a new type of firmware attack called LogoFAIL, according to a report from Ars Technica. This attack has proven to be extremely effective because it rewrites the logo that typically appears when the system boots after a successful POST (hence the name, “LogoFAIL”), which is early enough that it can bypass security measures designed to prevent bootkit attacks.

    The issue affects any motherboards using UEFI provided by Independent BIOS Vendors (IBVs). IBVs such as AMI, Insyde, and Phoenix will need to release UEFI patches to motherboard companies. Because of the way LogoFAIL overwrites the boot-up logo in the UEFI, the exploit can be executed on any platform using Intel, AMD, or ARM running any Windows operating system or Linux kernel. It works because of the way the rewriteable boot logo is executed when the system turns on. It affects both DIY and prebuilt systems with certain functions kept open by default…

    https://www.youtube.com/watch?v=EufeOPe6eqk

    * Apple Silicon Macs are immune.

    * The majority of Windows and Linux users will have to wait forever for getting firmware updates for LogoFail.

    • This topic was modified 1 year, 5 months ago by Alex5723.
    • #2609119

      @Alex can you follow up please with some more info? Thank you very much

      * _ ... _ *
    • #2609122

      As usual, this exploit requires you run malware locally and grant administrator privileges to the malware.
      If you download bogus software and grant it full access…
      You need to be careful out there.

      cheers, Paul

    • #2609186

      As usual, this exploit requires you run malware locally and grant administrator privileges to the malware.

      All that is needed is to download a BMP file.

      • #2609192

        As usual, this exploit requires you run malware locally and grant administrator privileges to the malware.

        All that is needed is to download a BMP file.

        Where is that documented?

        There are several ways to exploit LogoFAIL. Remote attacks work by first exploiting an unpatched vulnerability in a browser, media player, or other app and using the administrative control gained to replace the legitimate logo image processed early in the boot process with an identical-looking one that exploits a parser flaw. The other way is to gain brief access to a vulnerable device while it’s unlocked and replace the legitimate image file with a malicious one.

        https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/#:~:text=There%20are%20several,a%20malicious%20one.

        • #2609435

          brrr, this is very bad

          * _ ... _ *
          • #2609441

            Not as bad as the headlines imply.

            Every SINGLE time we get one of these “sky is falling” – understand that the attackers have to jump through a lot of hoops. It’s still easier to attack us in different ways and ultimately that’s what the attackers use.

            So keep those vendor firmware monitoring tools in place, but anytime I see a vulnerability, with a marketing push that was coordinated with a release at a security conference, chances are good that while interesting, it ends up not being quite the OMG we originally think it is going to be.

            Susan Bradley Patch Lady/Prudent patcher

    • #2609376

      Where is that documented?

      “Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.”

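      The quoted CVE text describes a signedness problem in the firmware's BMP parser: biWidth and biHeight are signed 32-bit fields, so a value such as 0xFFFFFFFE is -2, and arithmetic that mixes signed and unsigned interpretations can produce a size that passes one check and fails another. The following is an added illustration (written for this thread, not code from the Binarly report, from any IBV, or from the CVE) of the header validation a boot-logo consumer should do before decoding: dimensions are read as the signed values the format defines, negative or zero values and anything above an assumed logo limit of 4096 pixels are rejected, RLE4/RLE8 compression is refused outright, and the pixel-data size is computed in 64 bits and checked against the actual buffer. The `check_sample` helper builds small constructed BMP headers so the checks can be exercised offline; the limit, the enum names and the helper are all this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes of the header validation (names chosen for this example). */
enum bmp_status {
    BMP_OK = 0,
    BMP_TOO_SHORT,
    BMP_BAD_MAGIC,
    BMP_BAD_HEADER,
    BMP_NEGATIVE_DIMENSION,
    BMP_DIMENSION_TOO_LARGE,
    BMP_UNSUPPORTED_COMPRESSION,
    BMP_UNSUPPORTED_BPP,
    BMP_PIXEL_DATA_OUT_OF_BOUNDS
};

/* Assumed policy limit for a boot logo; real firmware would choose its own. */
#define LOGO_MAX_DIM 4096
#define BMP_FILE_HDR 14u   /* BITMAPFILEHEADER size */
#define BMP_INFO_HDR 40u   /* BITMAPINFOHEADER size */

/* Little-endian field helpers; everything is widened before shifting. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8));
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
}

/* Validate a BMP buffer before any decoder touches the pixel data. */
enum bmp_status validate_bmp_logo(const uint8_t *buf, size_t len) {
    if (len < BMP_FILE_HDR + BMP_INFO_HDR) return BMP_TOO_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;

    uint32_t data_offset = rd32(buf + 10);   /* bfOffBits */
    uint32_t info_size   = rd32(buf + 14);   /* biSize */
    if (info_size < BMP_INFO_HDR) return BMP_BAD_HEADER;

    /* biWidth/biHeight are int32 in the format. Interpret them as signed
       BEFORE any arithmetic: 0xFFFFFFFE is -2, not 4294967294. Mixing the
       two views is exactly the signedness error the CVE text describes. */
    int32_t  width       = (int32_t)rd32(buf + 18);
    int32_t  height      = (int32_t)rd32(buf + 22);
    uint16_t bpp         = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);

    /* Top-down (negative height) bitmaps are legal BMP, but a logo
       consumer can simply refuse them along with zero-size images. */
    if (width <= 0 || height <= 0) return BMP_NEGATIVE_DIMENSION;
    if (width > LOGO_MAX_DIM || height > LOGO_MAX_DIM) return BMP_DIMENSION_TOO_LARGE;

    /* BI_RGB (0) only: RLE8 (1) and RLE4 (2) decoders are not needed for a logo. */
    if (compression != 0) return BMP_UNSUPPORTED_COMPRESSION;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32)
        return BMP_UNSUPPORTED_BPP;

    /* Rows are padded to 4 bytes. With both dimensions bounded above,
       this product cannot overflow 64 bits. */
    uint64_t row_bytes   = (((uint64_t)width * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = row_bytes * (uint64_t)height;

    if (data_offset < BMP_FILE_HDR + BMP_INFO_HDR || data_offset > len)
        return BMP_PIXEL_DATA_OUT_OF_BOUNDS;
    if (pixel_bytes > (uint64_t)(len - data_offset))
        return BMP_PIXEL_DATA_OUT_OF_BOUNDS;
    return BMP_OK;
}

/* Build a constructed BMP (header + zeroed pixel area) of total_len bytes
   and validate it. Dimensions are written raw so hostile values can be tried. */
enum bmp_status check_sample(int32_t width, int32_t height, uint16_t bpp,
                             uint32_t compression, size_t total_len) {
    uint8_t buf[512];
    if (total_len > sizeof buf) total_len = sizeof buf;
    memset(buf, 0, sizeof buf);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)total_len);            /* bfSize */
    wr32(buf + 10, BMP_FILE_HDR + BMP_INFO_HDR);   /* bfOffBits */
    wr32(buf + 14, BMP_INFO_HDR);                  /* biSize */
    wr32(buf + 18, (uint32_t)width);               /* biWidth (raw bits) */
    wr32(buf + 22, (uint32_t)height);              /* biHeight (raw bits) */
    wr16(buf + 26, 1);                             /* biPlanes */
    wr16(buf + 28, bpp);                           /* biBitCount */
    wr32(buf + 30, compression);                   /* biCompression */
    return validate_bmp_logo(buf, total_len);
}

int main(void) {
    /* 2x2, 24 bpp: 8-byte padded rows, 16 pixel bytes, 54-byte headers = 70 */
    printf("sane 2x2 logo        -> %d\n", check_sample(2, 2, 24, 0, 70));
    printf("height 0xFFFFFFFE    -> %d\n", check_sample(2, -2, 24, 0, 70));
    printf("width INT32_MAX      -> %d\n", check_sample(INT32_MAX, 2, 24, 0, 70));
    printf("RLE8 compressed      -> %d\n", check_sample(2, 2, 8, 1, 70));
    printf("pixel data truncated -> %d\n", check_sample(2, 2, 24, 0, 60));
    return 0;
}
```

The order of the checks matters: dimensions are bounded before any size arithmetic happens, so the row and pixel-count products are computed only on values already known to be small and positive, and the buffer-length comparison is the last gate before a decoder would be allowed to run.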
      • #2609422

        That’s how it could behave once the boot graphic has been replaced by an evil version, but it’s not what gets it there in the first place, which requires local admin rights:

        When these parsers are used to display a logo during boot and when this logo can be replaced by an attacker, using any of the OEM customization techniques described in the Attack Surface section of this blogpost, then LogoFAIL becomes an exploitable threat.

        It could be simply done via placing it into ESP (EFI System Partition) and adding or modifying certain variables in NVRAM, then rebooting the system. Administrator privileges are enough to perform this.

        It’s a proof of concept with no known enabling malware in the wild.

        • #2609439

          Though the call to patch bios, uefi, intel-sgx, intel-microcode, etc is very loud.
          A “nice” way to rule out all older hardware.

          * _ ... _ *
          • #2609448

            Which you should be doing anyway.

            “Many devices sold by Dell aren’t directly exploitable because the image files are protected by Intel Boot Guard, making it impossible to be replaced, even during a physical attack. As a further measure, many Dell devices don’t permit logo customization.”

            Susan Bradley Patch Lady/Prudent patcher

    • #2610114

      Is legacy mode BIOS affected by logofail exploit?

      • #2610218

        The point behind their PR blast is that this bypasses the secure boot processes. Legacy boot doesn’t claim to protect the boot process in the first place.

        Susan Bradley Patch Lady/Prudent patcher

    • #2628110

      This is an interesting theoretical threat. The flaw is that there are 3 companies that write the firmware. Each one handles the splash logo differently. Some use standard image formats, others use their own. Some store the image in the flash on the MB, others in the system partition. Plus different versions of code for each vendor may handle it differently. Also the weaknesses are different among vendors and firmware versions. As you can see, “one size” doesn’t fit all. This would be a real challenge for the “evil” people to “attack” remotely.
