Gregory's ServerIf you use a Windows or Linux device, it's vulnerable to a new post-exploit attack that can remotely install an undetectable backdoor at the UEFI level. Updates from just about every vendor available today. Impressive work from @matrosov and the rest of Binarly.
 86 comments
@dangoodin oh man, pure speculation but this strikes me as a trick *someone* had to have in their back pocket.  @dangoodin Wow, what a mess. This really shows the danger of putting unnecessary features into firmware. The UEFI/BIOS vendors have always been kind of a joke for software quality so I'm not surprised that they completely fucked up image parsing. At least on Linux the danger is somewhat mitigated by `/boot/efi` not being writable by a normal user, though of course a full exploit is possible with a malicious package or local root exploit. @jiub @dangoodin It’s not an encrypted partition though, so you could just boot a liveCD/liveUSB and edit it from there.  @jiub @magnetic_tape That might be a good idea for security, reminds me of how some Chromebooks require removing a physical screw (which breaks a circuit) to flash the firmware. But in this case it wouldn't help because the UEFI just loads an image from the unencrypted EFI FAT32 partition 🤦 @dangoodin @matrosov the links within the article are dead. It looks like Phoenix and Insyde removed their respective pages about it. In fact, even https://www.cve.org/CVERecord?id=CVE-2023-5058 shows no information about it. Those links are part of a massive coordinated disclosure. Disclosures involving this many parties frequently have hicups like these in the early hours. Check the links in an hour or two and they'll likely work. If not, I'll reach out. @dangoodin @matrosov Interesting, thanks for sharing this article. Side note: noticed ars technica is driving cookies from 143 different partners. @dangoodin @matrosov But wait... It's even worse. I have a PC with an ASUS Z170-A motherboard. It boots using UEFI. This link: Yes, this is an older motherboard but it works fine and does everything I need. Sure be nice if ASUS fixed such a serious problem for their older products.  @mappingsupport @dangoodin @matrosov Same problem I’m expecting with #MSI. Similar age motherboard. Probably tons of people still have them.  @DeltaWye @mappingsupport @dangoodin @matrosov my main x86 machine has a mobo from ~2014 lmao, my server's board is from ~2016 and my laptop is from 2017, i will be incredibly pissed if they don't get patches Lots of people asking what the CVEs are and where announcements from various parties can be found. This is a massive, massive (un)coordinated disclosure. Lots of broken or non-existent links at the moment. I'm expecting things will straighten out in an hour or two. Please be patient. @dangoodin Great article (as usual). Although there have been a handful or two of similar UEFI vulns in the past and none of them have been widely exploited. Does this one seem different? @dangoodin @matrosov Lenovo has published CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, CVE-2023-40238 A CERT coordination center has published an advisory on LogoFail, but unfortunately, it doesn't tell us much. It confirms that AMI, Insyde, Intel and Phoenix are affected and that Microsoft and Toshiba are not. But the remaining 20 companies are fall in the "unknown" category. One of the unknowns is Lenovo, which has already confirmed that it is affected. Also, no CVEs. ¯_(ツ)_/¯  @dangoodin I suspect we can count on most affected existing deployed machines never being patched for this. Firmware patches at that level are widely considered to be so risky that they are widely avoided, even for serious problems.  @dangoodin I know my @system76 uses Insyde firmware... my machine is older but I hope I get a fix 🙏  @dangoodin @matrosov I don't see how this could be exploited remotely. As far as I understand, a malicious image file has to make it's way onto the EFI system partition first, or did I miss something? @fell @dangoodin @matrosov i think that's what Dan meant about a post exploit attack. You'd need to be infected/hacked via another method first, which would then establish persistence/privilege escalation via LogoFail. Or alternatively have someone with physical access, like it says in the article  @fell @dangoodin @matrosov hai, this is h.acker, please put this image here on your disk and It will enhance your computer greatly. @hanscees @fell @dangoodin @matrosov It doesn't even have to be a complete lie, just "put this image here" and it actually will display a picture of, idk, Harry Styles when you turn your computer on. @carey @hanscees @dangoodin @matrosov Microsoft was wise when they decided they're not going to let Windows users access the ESP. @fell @carey @hanscees @matrosov Wait, what's the basis for saying Windows users can't access the ESP? https://duckduckgo.com/?t=ffab&q=how+to+access+efi+partition+in+windows @dangoodin @carey @hanscees @matrosov The basis is that I never saw it when I clicked on "This PC". Is it possible? @fell @dangoodin @carey @matrosov I really dont know at this point. But if you can get a user to execute something "click here and this pic becomes your background" you can run a script and So on.  @dangoodin firstly this comes as no surprise. Next tho, is that firmware updates from vendors can apparently contain unsigned images and still be legit. That seems weird, but supposedly this is an actual thing. I’m still not clear how a malicious image gets into the right place on a normal system where it doesn’t have privileges. Any thoughts?  @dangoodin @matrosov @phealy3330 Dan, how are CEOs supposed to buy their fifth yacht if they spend money on stuff like this  @dangoodin @matrosov 8kB (IBM PC BIOS size) should've been enough for anyone :D.  @dangoodin "mind-blowing" to me, it's just par for the cause :) really not surprised about vulnerable graphics parsers being used with potentially attacker controlled data @dangoodin @matrosov The fact that these seem to have been caught by fuzz tests makes me feel like sometimes there needs to be legal consequences for not doing the bare minimum in software security when it's as critical as EFI. This sounds like negligence. @dangoodin @matrosov Someone please tell me I got this wrong, because it seems like an utterly stupid thing to except the logo image from the signature.  @dangoodin @matrosov @lisamelton I literally cannot keep up with the stream of serious security issues at any level of computers anymore. Will we ever get good news? @DavidNielsen @dangoodin @matrosov @lisamelton Same. My family is at the end of our collective ropes. Don’t do anything sensitive on a PC. Full stop.  @dangoodin @matrosov it explains why Windows and Linux are affected, and why macOS and smartphones aren't, but doesn't touch on OSes outside of those @dangoodin @matrosov I think the answer is "nothing limits #LogoFAIL to Windows and Linux. Anyone with UEFI firmware should look for an update from their vendor."  From the bottom of the article: LogoFAIL vulnerabilities are tracked under the following designations: CVE-2023-40238  @boblord @matrosov @dangoodin for the next trick, get a hardware vendor to list a CVE in an update.  And people think I'm crazy for worrying about using secondhand computers because they might have malicious firmware.  @DeltaWye @dangoodin @matrosov I decided to not update firmware of my MSI motherboard several releases ago. It is not fun when stable, not overclocked system start to crash randomly after firmware upgrade. @dangoodin @matrosov  @dangoodin @matrosov Why am I not surprised? #UEFI is a mess and #unfixable #bloatware!  @dangoodin @matrosov so what I'm gathering is that all the PITA effort spent locking down the boot system and replacing BIOS so we barely even control our own devices was completely goddamned pointless anyways.  @dangoodin This makes hypervisor-based operating systems look especially good right now. Attacker has to do a rare/unlikely VM breakout before they can get to your actual system firmware. @llorenzin Heh, yep, this is a thing. Back in the days of Netbooks and instant boot computers they used flaws in the BIOS logo image processing (I can't find the reference though, I will look)   @dangoodin @matrosov You know darn well the #NSA has known about this for many years and kept quiet about it so they could exploit it.  @dangoodin (*checks multiple PCs and mobos released this year for BIOS updates from multiple vendors*) yeah I'm not seeing anything  @dangoodin @kkarhan @matrosov if u can change the logo u can just as well change the boot loader no??
@dangoodin are device manufacturers actually pushing out updates for this or are we all just gonna be hanging around for our various boards to get some random firmware update within the next 8 months that doesn't say whether it actually fixes this @dangoodin @matrosov My eyes glazed over half-way through. Did I understand correctly that this does nothing if "bios" (I know) is set to NOT display logo on boot-up. I always hav my machines set up that way. @dangoodin @matrosov  So for a remote attack, the attacker needs root/admin access on the system. While not fool proof, if you don't use an admin account as your regular account, you're a little bit better off now (and in general) than if you are always using root/admin. Mind boggling and yet not surprising at all, given the state of ... well... just about everything and anything. @dangoodin That is some scary stuff. I have a couple of asus computers, and I didn't see any news from them about it.  would it be useful to replace the boot image yourself in advance to a locally-known image, so that if it's suddenly displaying manufacturer logo you know something is up? Good question. Anyone know? Also, would opting to set the administrator password in BIOS be useful?  @moira @dangoodin @matrosov that's honestly not a bad idea, if that is how exploits for this work, if they modify the existing image to inject malware then maybe it won't help, or if they already make user visible changes. I haven't read the article yet though so I can only speculate One thing to mention is that with BIOS there isn't even a security boundary to be crossed, you are free to modify firmware at any time, so this is still better security than that. @moira @dangoodin @matrosov I finally had time to read, the article says this can be done so its not visible. It also mentions just registering the sha256 hash of legit logo files and scanning for those, this could be added to AV pretty easily as well, right, so an unexpected logo file is detected quickly, although I suppose the malware could try and hide itself from scanning. Once malware gets to a fundamental level of the system, it's hard for subordinate levels to kick it out @raven667 @dangoodin @matrosov Well yeah, it can be done without being visible - _by replacing the image with your sabotaged one, which shows the same image but also has the payload_. Or that's how I read it. The point is to have a non-standard image in there first so that if it swaps in what looks like the standard image, you know _something_ has happened. You don't know what, and it doesn't stop it - it's just an alarm of sorts. Has there been any discussion as to how these attacks interact with TPM/PCR-based system integrity checks? My understanding is that even if this method were used to bypass Secure Boot protections/etc, that behavior would still result in modified PCR measurements and would be detectable in any subsequent boot processes that rely on TPM-sealed secrets? (for instance, disk encryption) Same thought here. If an attacker can write to your ESP that's usually game over. The exception is if your boot sequence is being measured into your TPM. Seems to me that the larger problem is that the boot sequence isn't measuring the logo file. @hattifattener @dangoodin @matrosov So I think the ultimate issue might be that arbitrary code execution within DXE likely means that an attacker can call or otherwise implement the logic of PCR extension themselves with arbitrary digests to fool the TPM into thinking that everything is fine. If this extends to being able to i.e. load a filesystem driver, unpack and relocate a malicious EFI PE, and jump to its entry point manually, seems like you could bypass any PCR checks as well  |
@dangoodin @matrosov "hacked by malicious logo images" ?!?!?! Arghhh