The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found to be vulnerable to high-impact flaws in the image-parsing libraries embedded in firmware.
The flaws, collectively tracked as LogoFAIL, “may be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design,” Binarly said.
They can also be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI System Partition (ESP).
While the issues are not silicon-specific, meaning they affect both x86 and ARM-based devices, they are UEFI- and IBV-specific. The vulnerabilities include a buffer overflow flaw and an out-of-bounds read, the details of which are expected to be presented later this week at the Black Hat Europe conference.
Specifically, the vulnerabilities are triggered when the injected images are parsed by the firmware, leading to the execution of payloads that can hijack the execution flow and bypass security mechanisms.
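The defect class described above is a parser that trusts size and offset fields inside the image it is decoding. The following C program is an added example, not Binarly's research code and not any IBV's parser: it shows the header-consistency checks a hardened BMP decoder performs before touching a single pixel row (BMP is used here because the article mentions a BMP parser bug; the function names `bmp_validate`, `write_header` and the `check_*` helpers, the 16384-pixel dimension cap and the constructed sample headers are all assumptions made for this illustration).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* BITMAPFILEHEADER (14 bytes) followed by BITMAPINFOHEADER (40 bytes).
 * Fields are read byte by byte so no struct-packing assumptions are made. */
#define BMP_FILE_HEADER_SIZE 14u
#define BMP_INFO_HEADER_SIZE 40u
#define BMP_MAX_DIMENSION    16384u   /* assumed cap; keeps size arithmetic in range */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)((v >> (8 * i)) & 0xff); }

typedef enum {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED_HEADER,
    BMP_ERR_BAD_MAGIC,
    BMP_ERR_BAD_INFO_SIZE,
    BMP_ERR_UNSUPPORTED_FORMAT,
    BMP_ERR_BAD_DIMENSIONS,
    BMP_ERR_PIXEL_OFFSET,
    BMP_ERR_PIXEL_DATA_TRUNCATED
} bmp_status;

/* Validate every header field against the real buffer length. Each rejected
 * case is an inconsistency that a parser trusting the header would turn into
 * an out-of-bounds read or a heap overflow of the decoded-pixel buffer.
 * On success returns BMP_OK and reports the exact pixel payload size. */
bmp_status bmp_validate(const uint8_t *buf, size_t len, size_t *out_pixel_bytes)
{
    if (len < BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE) return BMP_ERR_TRUNCATED_HEADER;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_BAD_MAGIC;

    uint32_t pixel_offset = rd32(buf + 10);
    uint32_t info_size    = rd32(buf + 14);
    int32_t  width        = (int32_t)rd32(buf + 18);
    int32_t  height       = (int32_t)rd32(buf + 22);   /* negative = top-down rows */
    uint16_t planes       = rd16(buf + 26);
    uint16_t bpp          = rd16(buf + 28);
    uint32_t compression  = rd32(buf + 30);

    if (info_size < BMP_INFO_HEADER_SIZE) return BMP_ERR_BAD_INFO_SIZE;
    if (planes != 1 || compression != 0 || (bpp != 24 && bpp != 32)) return BMP_ERR_UNSUPPORTED_FORMAT;

    /* Bound both dimensions so width * bpp * height cannot wrap, even on 32-bit. */
    uint32_t abs_height = height < 0 ? (uint32_t)(-(int64_t)height) : (uint32_t)height;
    if (width <= 0 || abs_height == 0 || (uint32_t)width > BMP_MAX_DIMENSION || abs_height > BMP_MAX_DIMENSION)
        return BMP_ERR_BAD_DIMENSIONS;

    /* BMP rows are padded to 4-byte multiples; with the caps above this fits in 64 bits. */
    uint64_t row_bytes   = (((uint64_t)width * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = row_bytes * abs_height;

    /* The pixel offset must lie after the headers and inside the buffer ... */
    if (pixel_offset < BMP_FILE_HEADER_SIZE + info_size || pixel_offset > len) return BMP_ERR_PIXEL_OFFSET;
    /* ... and the declared image must actually be present in the remaining bytes. */
    if (pixel_bytes > (uint64_t)(len - pixel_offset)) return BMP_ERR_PIXEL_DATA_TRUNCATED;

    if (out_pixel_bytes) *out_pixel_bytes = (size_t)pixel_bytes;
    return BMP_OK;
}

/* Writes a constructed 54-byte header (not a real logo) so the validator can be exercised offline. */
static void write_header(uint8_t *out, int32_t w, int32_t h, uint16_t bpp, uint32_t pixel_offset)
{
    memset(out, 0, BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 10, pixel_offset);
    wr32(out + 14, BMP_INFO_HEADER_SIZE);
    wr32(out + 18, (uint32_t)w);
    wr32(out + 22, (uint32_t)h);
    wr16(out + 26, 1);
    wr16(out + 28, bpp);
    wr32(out + 30, 0);
}

/* A well-formed 2x2, 24-bpp image: two rows of 8 bytes (6 pixel bytes + 2 padding). */
bmp_status check_good(size_t *pixel_bytes) {
    uint8_t buf[54 + 16] = {0};
    write_header(buf, 2, 2, 24, 54);
    return bmp_validate(buf, sizeof buf, pixel_bytes);
}
/* Constructed header claiming a 4096x4096 image (~48 MiB of pixels) inside a 70-byte file. */
bmp_status check_oversized_dims(void) {
    uint8_t buf[54 + 16] = {0};
    write_header(buf, 4096, 4096, 24, 54);
    return bmp_validate(buf, sizeof buf, NULL);
}
/* Constructed header whose pixel-data offset points far beyond the end of the buffer. */
bmp_status check_bad_offset(void) {
    uint8_t buf[54 + 16] = {0};
    write_header(buf, 2, 2, 24, 0xFFFFFFF0u);
    return bmp_validate(buf, sizeof buf, NULL);
}

int main(void) {
    size_t n = 0;
    printf("well-formed: %d (pixel bytes %zu), oversized: %d, bad offset: %d\n",
           check_good(&n), n, check_oversized_dims(), check_bad_offset());
    return 0;
}
```

The two malformed headers are the shapes a firmware image parser must refuse: one whose declared dimensions imply a pixel buffer far larger than the file (a decoder that allocates from the header and then copies from the file, or vice versa, reads or writes out of bounds), and one whose pixel offset lies outside the buffer (an immediate out-of-bounds read). Rejecting both before allocation is cheap, and it is exactly the kind of check whose absence turns a logo file on the ESP into a code-execution primitive.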
“This attack vector can give an attacker an advantage to bypass most endpoint security solutions and deliver a stealth firmware bootkit that will persist to an ESP partition or capsule in firmware with a modified logo image,” the firmware security company said.
By doing so, threat actors can gain a firm foothold on affected hosts, resulting in the deployment of persistent malware that flies under the radar.
It is worth noting that, unlike BlackLotus or BootHole, LogoFAIL does not break runtime integrity by modifying the bootloader or firmware components.
The flaws affect all major IBVs, such as AMI, Insyde, and Phoenix, as well as hundreds of consumer and enterprise-grade devices from vendors including Intel, Acer, and Lenovo, making this a serious and widespread issue.
The disclosure marks the first public demonstration of attack surfaces related to graphic image parsers embedded in UEFI system firmware since 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin showed how a BMP image parser bug could be exploited for malware persistence.
“The types – and sheer number – of security vulnerabilities discovered (…) reflect the sheer maturity of the product’s security and code quality as a whole in IBVs reference code,” said Binarly.