Finding and reporting vulnerabilities is basically the primary activity of Binarly Research Team. A small research project on LogoFAIL, which was picked up by them just to have some fun, turned into a mammoth industry-wide disclosure and uncovered massive flaws.
While organizations are implementing different security solutions at different scales & levels and globally security vendors are advancing their security products and solutions almost every day, likewise new discoveries of vulnerabilities are also being reported at a much higher speed. The recent findings on LogoFAIL project have disclosed severe vulnerabilities, which eventually can allow hackers to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms.
The Rationale Behind The LogoFAIL Project
The very basic thought behind this entire project for Binarly research team was ‘What if the graphic image parsers embedded into system firmware do not update frequently and use not only outdated but also customized versions of the common image parsing libraries?’
The team delved deeper into this wormhole and were shocked by multiple high-impact discoveries that could be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design. More importantly, it can open doors for attackers to bypass modern endpoint security solutions and should be considered much more powerful than the recent BlackLotus bootkit.
According to team, one of the most important discoveries was that LogoFAIL is not silicon-specific and can impact x86 and ARM-based devices. LogoFAIL is UEFI and IBV-specific because of the specifics of vulnerable image parsers that have been used. That shows a much broader impact from the perspective of the discoveries that will be presented on Dec 6th.
LogoFAIL’s Work Process
The vulnerabilities allow attackers to store malicious logo images either on the EFI System Partition (ESP) or inside unsigned sections of a firmware update. When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-based Secure Boot).
These vulnerabilities can compromise the entire system’s security, rendering “below-the-OS” security measures like any shade of Secure Boot ineffective, including Intel Boot Guard. This level of compromise means attackers can gain deep control over the affected systems.
The team previously had seen attackers abusing ESP partitions multiple times to modify operating system-related bootloaders to deliver UEFI bootkits (including BlackLotus). The LogoFAIL case creates a different perspective on the ESP partition attack surface with data-only exploitation by modifying the logo image.
Affected People & Organizations
Hundreds of consumer and enterprise-grade devices from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable. The exact list of affected devices is still being determined but it’s crucial to note that all three major IBVs are impacted — AMI, Insyde, and Phoenix due to multiple security issues related to image parsers they are shipping as a part of their firmware. Based on this reference code impact, we estimate LogoFAIL impacts almost any device powered by these vendors in one way or another. Also, it’s not limited to specific hardware and can be successfully exploited on x86 or ARM-based devices.
The types — and sheer volume — of security vulnerabilities discovered by Binarly show pure product security maturity and code quality in general on IBVs reference code. Most of these companies grew up in the early 90s. They never change their mindset, being more proactive than reactive and fixing only known problems without addressing complete attack surfaces or implementing effective mitigations.
Easy To Avoid
These types of attacks can be avoided if graphic image parsers embedded into system firmware can be updated frequently and use only updated versions. Hence, it is proven that vulnerabilities will stay here in the world of digital device forever and the one of the most recommended ways to mitigate attacks upgrading the systems in regular intervals.
Source: Binarly Research Page
