• LogoFAIL firmware exploit bypasses hardware and software security

    Home » Forums » Cyber Security Information and Advisories » Code Red – Security/Privacy advisories » LogoFAIL firmware exploit bypasses hardware and software security

    Author
    Topic
    #2609110

    LogoFAIL exploit bypasses hardware and software security measures and is nearly impossible to detect or remove

    Individual BIOS Vendors are scrambling to release UEFI patches to OEMs and motherboard manufacturers.

    Computers running Windows or Linux are vulnerable to a new type of firmware attack called LogoFAIL, according to a report from Ars Technica. This attack has proven to be extremely effective because it rewrites the logo that typically appears when the system boots after a successful POST (hence the name, “LogoFAIL”), which is early enough that it can bypass security measures designed to prevent bootkit attacks.

    The issue affects any motherboards using UEFI provided by Independent BIOS Vendors (IBVs). IBVs such as AMI, Insyde, and Phoenix will need to release UEFI patches to motherboard companies. Because of the way LogoFAIL overwrites the boot-up logo in the UEFI, the exploit can be executed on any platform using Intel, AMD, or ARM running any Windows operating system or Linux kernel. It works because of the way the rewriteable boot logo is executed when the system turns on. It affects both DIY and prebuilt systems with certain functions kept open by default…

    https://www.youtube.com/watch?v=EufeOPe6eqk

    * Apple Silicon Macs are immune.

    * The majority of Windows and Linux users will have to wait forever for getting firmware updates for LogoFail.

    • This topic was modified 2 months, 3 weeks ago by Alex5723.
    2 users thanked author for this post.
    Viewing 5 reply threads
    Author
    Replies
    • #2609119

      @Alex can you followw up please with some more info? Thank you very much

      * _ being 20 in the 70's was fun _ *
    • #2609122

      As usual, this exploit requires you run malware locally and grant administrator privileges to the malware.
      If you download bogus software and grant it full access…
      You need to be careful out there.

      cheers, Paul

      4 users thanked author for this post.
    • #2609186

      As usual, this exploit requires you run malware locally and grant administrator privileges to the malware.

      All is needed is to download a BMP file.

      • #2609192

        As usual, this exploit requires you run malware locally and grant administrator privileges to the malware.

        All is needed is to download a BMP file.

        Where is that documented?

        There are several ways to exploit LogoFAIL. Remote attacks work by first exploiting an unpatched vulnerability in a browser, media player, or other app and using the administrative control gained to replace the legitimate logo image processed early in the boot process with an identical-looking one that exploits a parser flaw. The other way is to gain brief access to a vulnerable device while it’s unlocked and replace the legitimate image file with a malicious one.

        https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/#:~:text=There%20are%20several,a%20malicious%20one.

        • #2609435

          brrr, this is very bad

          * _ being 20 in the 70's was fun _ *
          • #2609441

            Not as bad as the headlines imply.

            Every SINGLE time we get one of these “sky is falling” – understand that the attackers have to jump through a lot of hoops.  It’s still easier to attack us in different ways and ultimately that’s what the attackers use.

            So keep those vendor firmware monitoring tools in place, but anytime I see a vulnerability, with a marketing push that was coordinated with a release at a security conference, chances are good that while interesting, it ends up not being quite the OMG we originally think it is going to be.

            Susan Bradley Patch Lady/Prudent patcher

            3 users thanked author for this post.
    • #2609376

      Where is that documented?

      Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.”

      1 user thanked author for this post.
      • #2609422

        That’s how it could behave once the boot graphic has been replaced by an evil version, but it’s not what gets it there in the first place, which requires local admin rights:

        When these parsers are used to display a logo during boot and when this logo can be replaced by an attacker, using any of the OEM customization techniques described in the Attack Surface section of this blogpost, then LogoFAIL becomes an exploitable threat.

        It could be simply done via placing it into ESP (EFI System Partition) and adding or modifying certain variables in NVRAM, then rebooting the system. Administrator privileges are enough to perform this.

        It’s a proof of concept with no known enabling malware in the wild.

        2 users thanked author for this post.
        • #2609439

          Though the call  to patch  bios, uefi, intel-sgx, intel-microcode, etc   is very loud.
          I “nice” way to rule out all older hardware.

          * _ being 20 in the 70's was fun _ *
          • #2609448

            Which you should be doing anyway.

            “Many devices sold by Dell aren’t directly exploitable because the image files are protected by Intel Boot Guard, making it impossible to be replaced, even during a physical attack. As a further measure, many Dell devices don’t permit logo customization.”

            Susan Bradley Patch Lady/Prudent patcher

            1 user thanked author for this post.
    • #2610114

      Is legacy mode BIOS affected by logofail exploit?

      • #2610218

        The point behind their PR blast is that this bypasses the secure boot processes. Legacy boot doesn’t claim to protect the boot process in the first place.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
    • #2628110

      This is a interesting theoretical threat.  The flaw is that there are 3 companies that write the firmware.  Each one handles the splash logo differently. Some use standard image formats others use their own.  Some store the image in the flash on the MB  others in the system partition. Plus different versions of code for each vendor may handle it differently.  Also the weaknesses are different among vendors and firmware versions.   As you can see “one size” doesn’t fit all.  This would be a real challenge for the “evil” people to “attack” remotely.

    Viewing 5 reply threads
    Reply To: LogoFAIL firmware exploit bypasses hardware and software security

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: