Email or username:

Password:

Forgot your password?
Dan Goodin

If you use a Windows or Linux device, it's vulnerable to a new post-exploit attack that can remotely install an undetectable backdoor at the UEFI level. Updates from just about every vendor available today. Impressive work from @matrosov and the rest of Binarly.

arstechnica.com/security/2023/

86 comments
AI6YR Ben

@dangoodin @matrosov "hacked by malicious logo images" ?!?!?! Arghhh

Kevin Mirsky :donor:

@dangoodin oh man, pure speculation but this strikes me as a trick *someone* had to have in their back pocket.

DELETED

@dangoodin Wow, what a mess. This really shows the danger of putting unnecessary features into firmware. The UEFI/BIOS vendors have always been kind of a joke for software quality so I'm not surprised that they completely fucked up image parsing.

At least on Linux the danger is somewhat mitigated by `/boot/efi` not being writable by a normal user, though of course a full exploit is possible with a malicious package or local root exploit.

Tai xzo

@jiub @dangoodin It’s not an encrypted partition though, so you could just boot a liveCD/liveUSB and edit it from there.

Jonas

@jiub
I wonder whether adding a physical switch sowhere around the flash chip holding the UEFI could lessen this risk. It could be useful for hardening a computer
@dangoodin

DELETED

@magnetic_tape That might be a good idea for security, reminds me of how some Chromebooks require removing a physical screw (which breaks a circuit) to flash the firmware.

But in this case it wouldn't help because the UEFI just loads an image from the unencrypted EFI FAT32 partition 🤦

Third spruce tree on the left

@dangoodin @matrosov uh. ok, so.. this article and the actual blackhat summary blackhat.com/eu-23/briefings/s
are great and all, but `is this exploit applicable to ME mr/ms end user`?

Lets assume I can google what UEFI is.
- what UEFI enabled devices are potentially exploitable? ones after <year>? UEFI 1.x? 2.0? 2.1? or all of them back to when UEFI was introduced in the late 90s as EFI or wut? A: seems like *all of em*.
- more importantly if I DONT CUSTOMIZE my bootup logo, do I need to care?

@dangoodin @matrosov uh. ok, so.. this article and the actual blackhat summary blackhat.com/eu-23/briefings/s
are great and all, but `is this exploit applicable to ME mr/ms end user`?

Lets assume I can google what UEFI is.
- what UEFI enabled devices are potentially exploitable? ones after <year>? UEFI 1.x? 2.0? 2.1? or all of them back to when UEFI was introduced in the late 90s as EFI or wut?...

Charo del Genio

@dangoodin @matrosov the links within the article are dead. It looks like Phoenix and Insyde removed their respective pages about it. In fact, even cve.org/CVERecord?id=CVE-2023- shows no information about it.
I don't understand what's going on... 😕

Dan Goodin

@paraw @matrosov

Those links are part of a massive coordinated disclosure. Disclosures involving this many parties frequently have hicups like these in the early hours. Check the links in an hour or two and they'll likely work. If not, I'll reach out.

Dan Goodin

@matrosov

It's 2023, and not only can malicious images still remotely execute malicious code on your devices, but they can do it at the UEFI level, during bootup, enabling invisible firmware bootkits. This new post-exploit attack, known as LogoFAIL, is mind-blowing. Amazing that an entire ecosystem comprising dozens of wealthy companies couldn't be bothered to fuzz the UEFIs they provide to billions of people. With a small amount of effort, this attack could have been closed off a decade ago.

arstechnica.com/security/2023/

@matrosov

It's 2023, and not only can malicious images still remotely execute malicious code on your devices, but they can do it at the UEFI level, during bootup, enabling invisible firmware bootkits. This new post-exploit attack, known as LogoFAIL, is mind-blowing. Amazing that an entire ecosystem comprising dozens of wealthy companies couldn't be bothered to fuzz the UEFIs they provide to billions of people. With a small amount of effort, this attack could have been closed off a decade ago.

Bo Stahlbrandt

@dangoodin @matrosov Interesting, thanks for sharing this article. Side note: noticed ars technica is driving cookies from 143 different partners.

Joseph Elfelt

@dangoodin @matrosov But wait... It's even worse. I have a PC with an ASUS Z170-A motherboard. It boots using UEFI.

This link:
asus.com/us/supportonly/z170-a
says the last time the BIOS was updated for that motherboard was 2018.

Yes, this is an older motherboard but it works fine and does everything I need. Sure be nice if ASUS fixed such a serious problem for their older products.

Delta Wye

@mappingsupport @dangoodin @matrosov Same problem I’m expecting with #MSI. Similar age motherboard. Probably tons of people still have them.

remote procedure chris

@DeltaWye @mappingsupport @dangoodin @matrosov my main x86 machine has a mobo from ~2014 lmao, my server's board is from ~2016 and my laptop is from 2017, i will be incredibly pissed if they don't get patches

Dan Goodin

@matrosov

Lots of people asking what the CVEs are and where announcements from various parties can be found. This is a massive, massive (un)coordinated disclosure. Lots of broken or non-existent links at the moment. I'm expecting things will straighten out in an hour or two. Please be patient.

Roger A. Grimes

@dangoodin Great article (as usual). Although there have been a handful or two of similar UEFI vulns in the past and none of them have been widely exploited. Does this one seem different?

Dan Goodin

A CERT coordination center has published an advisory on LogoFail, but unfortunately, it doesn't tell us much. It confirms that AMI, Insyde, Intel and Phoenix are affected and that Microsoft and Toshiba are not. But the remaining 20 companies are fall in the "unknown" category. One of the unknowns is Lenovo, which has already confirmed that it is affected.

Also, no CVEs.

¯_(ツ)_/¯

kb.cert.org/vuls/id/811862

Lauren Weinstein

@dangoodin I suspect we can count on most affected existing deployed machines never being patched for this. Firmware patches at that level are widely considered to be so risky that they are widely avoided, even for serious problems.

Ethan Black

@dangoodin I know my @system76 uses Insyde firmware... my machine is older but I hope I get a fix 🙏

Felix Urbasik

@dangoodin @matrosov I don't see how this could be exploited remotely. As far as I understand, a malicious image file has to make it's way onto the EFI system partition first, or did I miss something?

Joseph

@fell @dangoodin @matrosov i think that's what Dan meant about a post exploit attack. You'd need to be infected/hacked via another method first, which would then establish persistence/privilege escalation via LogoFail.

Or alternatively have someone with physical access, like it says in the article

Hans-Cees

@fell @dangoodin @matrosov hai, this is h.acker, please put this image here on your disk and It will enhance your computer greatly.

Carey :blobcatverified:

@hanscees @fell @dangoodin @matrosov It doesn't even have to be a complete lie, just "put this image here" and it actually will display a picture of, idk, Harry Styles when you turn your computer on.

Felix Urbasik

@carey @hanscees @dangoodin @matrosov Microsoft was wise when they decided they're not going to let Windows users access the ESP.

Felix Urbasik

@dangoodin @carey @hanscees @matrosov The basis is that I never saw it when I clicked on "This PC". Is it possible?

Hans-Cees

@fell @dangoodin @carey @matrosov I really dont know at this point. But if you can get a user to execute something "click here and this pic becomes your background" you can run a script and So on.
Clever people Will find a way probably

dch :flantifa: :flan_hacker:

@dangoodin firstly this comes as no surprise. Next tho, is that firmware updates from vendors can apparently contain unsigned images and still be legit. That seems weird, but supposedly this is an actual thing.

I’m still not clear how a malicious image gets into the right place on a normal system where it doesn’t have privileges. Any thoughts?

Thomas 🔭🕹️

@dangoodin @matrosov @phealy3330 Dan, how are CEOs supposed to buy their fifth yacht if they spend money on stuff like this

William D. Jones

@dangoodin @matrosov
@gsuberland

8kB (IBM PC BIOS size) should've been enough for anyone :D.

Rairii

@dangoodin "mind-blowing"

to me, it's just par for the cause :)

really not surprised about vulnerable graphics parsers being used with potentially attacker controlled data

Dan Herbert

@dangoodin @matrosov The fact that these seem to have been caught by fuzz tests makes me feel like sometimes there needs to be legal consequences for not doing the bare minimum in software security when it's as critical as EFI. This sounds like negligence.

svenfoo

@dangoodin @matrosov
Wait, so everything that goes into the secure firmware needs to be signed. Everything except the logo image? I mean, seriously??

Someone please tell me I got this wrong, because it seems like an utterly stupid thing to except the logo image from the signature.

Sir David Nielsen

@dangoodin @matrosov @lisamelton I literally cannot keep up with the stream of serious security issues at any level of computers anymore.

Will we ever get good news?

Delta Wye

@DavidNielsen @dangoodin @matrosov @lisamelton Same. My family is at the end of our collective ropes. Don’t do anything sensitive on a PC. Full stop.

Ed Maste

@dangoodin @matrosov it explains why Windows and Linux are affected, and why macOS and smartphones aren't, but doesn't touch on OSes outside of those

Ed Maste

@dangoodin @matrosov I think the answer is "nothing limits #LogoFAIL to Windows and Linux. Anyone with UEFI firmware should look for an update from their vendor."

ROTOPE~1 :yell:

@emaste @dangoodin @matrosov TempleOS is immune because of 𝒟𝒾𝓋𝒾𝓃𝑒 𝑅𝒾𝑔𝒽𝓉

Kevin Skoglund :verified: :donor:

@boblord @matrosov @dangoodin

From the bottom of the article:

LogoFAIL vulnerabilities are tracked under the following designations:

CVE-2023-40238
CVE-2023-5058
CVE-2023-39538
CVE-2023-39539
CVE-2023-40238

Farce Majeure

@boblord @matrosov @dangoodin for the next trick, get a hardware vendor to list a CVE in an update.

argv minus one

@dangoodin @matrosov

And people think I'm crazy for worrying about using secondhand computers because they might have malicious firmware.

Delta Wye

@dangoodin @matrosov Not seeing any updates by #MSI motherboard. 😔

Marcin Juszkiewicz

@DeltaWye @dangoodin @matrosov

I decided to not update firmware of my MSI motherboard several releases ago.

It is not fun when stable, not overclocked system start to crash randomly after firmware upgrade.

OddOpinions5

@dangoodin @matrosov
'
my fav crypto thing is
Crypto Bros: it is 100% safe because it is software based
Me: so you are saying software makes crypto safe ? software ?

Pxtl

@dangoodin @matrosov so what I'm gathering is that all the PITA effort spent locking down the boot system and replacing BIOS so we barely even control our own devices was completely goddamned pointless anyways.

tsk

@dangoodin This makes hypervisor-based operating systems look especially good right now. Attacker has to do a rare/unlikely VM breakout before they can get to your actual system firmware.

Dan Goodin

@tasket

What's stopping someone from using this attack on the host machine?

tsk

@dangoodin Physical threat model is a separate concern, to me anyway. Though I can't think how an "evil maid" would succeed undetected vs various boot chain checks (incl open source ones like Qubes' anti-evil-maid; IIRC a fw boot logo would have to be included in both the sealing and measurement process).

Remote threats to a regular OS are a very big concern w something like this, because 1) typical OS protections are weak due to the kernel being very complex (just one priv escalation and they've got into your firmware) and 2) online system means many hours and avenues of opportunity throughout each day and 3) high value exploit bc its so privileged and hard to detect or remedy. Putting VM breakout requirement in their way is a game changer, IMO. #sanity

As for this particular class of exploit, malformed images, a permanent fix may be possible if an update including a setting to disable custom image, or perhaps a better parser that is formally verified. But you still have to wonder what else the fw may be parsing insecurely.

@dangoodin Physical threat model is a separate concern, to me anyway. Though I can't think how an "evil maid" would succeed undetected vs various boot chain checks (incl open source ones like Qubes' anti-evil-maid; IIRC a fw boot logo would have to be included in both the sealing and measurement process).

tsk

@dangoodin I think this shows a critical difference in boot protection schemes:

Anti-evil-maid makes the system validate itself to the user. If anything loaded up to that point doesn't match what was used to seal the all-clear phrase, then nothing the malware does will be able to cryptographically unseal the phrase. In a sense it doesn't matter if malware was loaded, as long as the user is diligent enough to watch for the phrase. That's a significant payoff for a small amount of extra effort!

Secureboot validates the fw to an absent authority (the OEM) so there can be no out-of-band check performed. This reminds me a lot of DRM's weaknesses.

@dangoodin I think this shows a critical difference in boot protection schemes:

Anti-evil-maid makes the system validate itself to the user. If anything loaded up to that point doesn't match what was used to seal the all-clear phrase, then nothing the malware does will be able to cryptographically unseal the phrase. In a sense it doesn't matter if malware was loaded, as long as the user is diligent enough to watch for the phrase. That's a significant payoff for a small amount of extra effort!

Paul Asadoorian

@llorenzin Heh, yep, this is a thing. Back in the days of Netbooks and instant boot computers they used flaws in the BIOS logo image processing (I can't find the reference though, I will look)

cslinuxboy

@dangoodin @matrosov You know darn well the #NSA has known about this for many years and kept quiet about it so they could exploit it.

Dan

@dangoodin @matrosov use UEFI they said
It'll be more secure they said

Gourd

@dangoodin (*checks multiple PCs and mobos released this year for BIOS updates from multiple vendors*)

yeah I'm not seeing anything

:parrot:
@dangoodin @kkarhan @matrosov if u can change the logo u can just as well change the boot loader no??
remote procedure chris

@dangoodin are device manufacturers actually pushing out updates for this or are we all just gonna be hanging around for our various boards to get some random firmware update within the next 8 months that doesn't say whether it actually fixes this

Håkon Alstadheim 🇪🇺 🇳🇴🇺🇦

@dangoodin @matrosov My eyes glazed over half-way through. Did I understand correctly that this does nothing if "bios" (I know) is set to NOT display logo on boot-up. I always hav my machines set up that way.

Steve Hersey

@dangoodin @matrosov
And it's all down to a stupid, pointless, totally functionless LOGO IMAGE handler that merely plays to corporate vanity.
Criminally insane.

Imperor 🎲🎮

@dangoodin @matrosov

So for a remote attack, the attacker needs root/admin access on the system. While not fool proof, if you don't use an admin account as your regular account, you're a little bit better off now (and in general) than if you are always using root/admin.

Mind boggling and yet not surprising at all, given the state of ... well... just about everything and anything.

Chris :verified: :vbike:

@dangoodin @matrosov

Cool, cool. I guess it's time to limber up the old Trash 80.

Darrell Bowles

@dangoodin That is some scary stuff. I have a couple of asus computers, and I didn't see any news from them about it.

Solarbird :flag_cascadia:

@dangoodin @matrosov hm

would it be useful to replace the boot image yourself in advance to a locally-known image, so that if it's suddenly displaying manufacturer logo you know something is up?

Paul van Gulick

@moira @dangoodin @matrosov

Good question. Anyone know?

Also, would opting to set the administrator password in BIOS be useful?

Raven667

@moira @dangoodin @matrosov that's honestly not a bad idea, if that is how exploits for this work, if they modify the existing image to inject malware then maybe it won't help, or if they already make user visible changes. I haven't read the article yet though so I can only speculate

One thing to mention is that with BIOS there isn't even a security boundary to be crossed, you are free to modify firmware at any time, so this is still better security than that.

Solarbird :flag_cascadia:

@raven667 @dangoodin @matrosov The vector is to replace the image with an apparently-identical image that is malformed to create a payload. This takes a degree of crafting, so given how many slices of the install base there are (since each one has to attack a particular BIOS) I'm pretty sure they're going to use manufacturer-original graphics.

So if you've replaced yours with a graphic screen made of text reading "still good" in some font and suddenly you have the manufacturer bootup image back, you know _something_ has happened.

It wouldn't _stop_ anybody... well, maybe it could, right? If someone does write an attack to modify rather than replace the image, having the wrong image there would almost certainly break that specific attack.

@raven667 @dangoodin @matrosov The vector is to replace the image with an apparently-identical image that is malformed to create a payload. This takes a degree of crafting, so given how many slices of the install base there are (since each one has to attack a particular BIOS) I'm pretty sure they're going to use manufacturer-original graphics.

Raven667

@moira @dangoodin @matrosov I finally had time to read, the article says this can be done so its not visible. It also mentions just registering the sha256 hash of legit logo files and scanning for those, this could be added to AV pretty easily as well, right, so an unexpected logo file is detected quickly, although I suppose the malware could try and hide itself from scanning.

Once malware gets to a fundamental level of the system, it's hard for subordinate levels to kick it out

Solarbird :flag_cascadia:

@raven667 @dangoodin @matrosov Well yeah, it can be done without being visible - _by replacing the image with your sabotaged one, which shows the same image but also has the payload_. Or that's how I read it.

The point is to have a non-standard image in there first so that if it swaps in what looks like the standard image, you know _something_ has happened. You don't know what, and it doesn't stop it - it's just an alarm of sorts.

josh

@dangoodin @matrosov

Has there been any discussion as to how these attacks interact with TPM/PCR-based system integrity checks? My understanding is that even if this method were used to bypass Secure Boot protections/etc, that behavior would still result in modified PCR measurements and would be detectable in any subsequent boot processes that rely on TPM-sealed secrets? (for instance, disk encryption)

hattifattener

@josh @dangoodin @matrosov

Same thought here. If an attacker can write to your ESP that's usually game over. The exception is if your boot sequence is being measured into your TPM. Seems to me that the larger problem is that the boot sequence isn't measuring the logo file.

josh

@hattifattener @dangoodin @matrosov

So I think the ultimate issue might be that arbitrary code execution within DXE likely means that an attacker can call or otherwise implement the logic of PCR extension themselves with arbitrary digests to fool the TPM into thinking that everything is fine.

If this extends to being able to i.e. load a filesystem driver, unpack and relocate a malicious EFI PE, and jump to its entry point manually, seems like you could bypass any PCR checks as well

Gustav Wengel

@dangoodin @matrosov what a wild exploit to have existed for so long

Go Up