Dan Goodin

@matrosov

It's 2023, and not only can malicious images still remotely execute malicious code on your devices, but they can do it at the UEFI level, during bootup, enabling invisible firmware bootkits. This new post-exploit attack, known as LogoFAIL, is mind-blowing. Amazing that an entire ecosystem comprising dozens of wealthy companies couldn't be bothered to fuzz the UEFIs they provide to billions of people. With a small amount of effort, this attack could have been closed off a decade ago.

arstechnica.com/security/2023/

27 comments
Bo Stahlbrandt

@dangoodin @matrosov Interesting, thanks for sharing this article. Side note: noticed ars technica is driving cookies from 143 different partners.

Joseph Elfelt

@dangoodin @matrosov But wait... It's even worse. I have a PC with an ASUS Z170-A motherboard. It boots using UEFI.

This link:
asus.com/us/supportonly/z170-a
says the last time the BIOS was updated for that motherboard was 2018.

Yes, this is an older motherboard but it works fine and does everything I need. Sure be nice if ASUS fixed such a serious problem for their older products.

Delta Wye

@mappingsupport @dangoodin @matrosov Same problem I’m expecting with #MSI. Similar age motherboard. Probably tons of people still have them.

remote procedure chris

@DeltaWye @mappingsupport @dangoodin @matrosov my main x86 machine has a mobo from ~2014 lmao, my server's board is from ~2016 and my laptop is from 2017, i will be incredibly pissed if they don't get patches

Dan Goodin

@matrosov

Lots of people asking what the CVEs are and where announcements from various parties can be found. This is a massive, massive (un)coordinated disclosure. Lots of broken or non-existent links at the moment. I'm expecting things will straighten out in an hour or two. Please be patient.

Roger A. Grimes

@dangoodin Great article (as usual). Although there have been a handful or two of similar UEFI vulns in the past and none of them have been widely exploited. Does this one seem different?

Dan Goodin

A CERT coordination center has published an advisory on LogoFail, but unfortunately, it doesn't tell us much. It confirms that AMI, Insyde, Intel and Phoenix are affected and that Microsoft and Toshiba are not. But the remaining 20 companies fall in the "unknown" category. One of the unknowns is Lenovo, which has already confirmed that it is affected.

Also, no CVEs.

¯\_(ツ)_/¯

kb.cert.org/vuls/id/811862

Lauren Weinstein

@dangoodin I suspect we can count on most affected existing deployed machines never being patched for this. Firmware patches at that level are widely considered to be so risky that they are widely avoided, even for serious problems.

Ethan Black

@dangoodin I know my @system76 uses Insyde firmware... my machine is older but I hope I get a fix 🙏

System76 :popos: :ubuntu:

@golemwire @dangoodin since you can't change the logo in firmware this wouldn't affect your system.

Felix Urbasik

@dangoodin @matrosov I don't see how this could be exploited remotely. As far as I understand, a malicious image file has to make its way onto the EFI system partition first, or did I miss something?

Joseph

@fell @dangoodin @matrosov i think that's what Dan meant about a post exploit attack. You'd need to be infected/hacked via another method first, which would then establish persistence/privilege escalation via LogoFail.

Or alternatively have someone with physical access, like it says in the article
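
The exchange above turns on whether an image file has reached the EFI System Partition. As an added defender-side check (not code from the thread or from any vendor), the script below walks a directory you point it at, which is assumed to be an already-mounted ESP such as /boot/efi on many Linux systems, and reports every file whose magic bytes identify it as a BMP, PNG, JPEG or GIF, regardless of extension. Finding an image there is not proof of anything by itself; it is a triage signal worth comparing against what the vendor's firmware documentation says should be present. The demo() function builds a constructed sample directory so the check runs offline.

```python
"""Report image files found on a directory (e.g. a mounted EFI System Partition).

Added example for triage, not from the thread. The mount path is an assumption
supplied by the caller; file contents are classified by magic bytes, so a PNG
renamed to .txt is still reported.
"""
import os
import tempfile
from typing import List, Optional, Tuple

# Magic-byte signatures for image formats a boot-logo parser might handle.
IMAGE_SIGNATURES: Tuple[Tuple[bytes, str], ...] = (
    (b"BM", "bmp"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)


def classify_header(header: bytes) -> Optional[str]:
    """Return the image kind if the header matches a known signature, else None."""
    for magic, kind in IMAGE_SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def find_image_files(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (relative path, kind) for every file that looks like an image."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(16)   # enough bytes for every signature above
            except OSError:
                continue                   # unreadable entry: skip, don't abort the scan
            kind = classify_header(header)
            if kind is not None:
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample tree and scan it; returns the reported files."""
    root = tempfile.mkdtemp(prefix="esp_demo_")
    os.makedirs(os.path.join(root, "EFI", "BOOT"))
    samples = {
        # constructed: a minimal BMP header, an EFI executable (MZ), and a PNG
        # hiding behind a .txt extension
        os.path.join("EFI", "BOOT", "logo.bmp"): b"BM" + b"\x00" * 30,
        os.path.join("EFI", "BOOT", "BOOTX64.EFI"): b"MZ" + b"\x00" * 62,
        os.path.join("EFI", "notes.txt"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return find_image_files(root)


if __name__ == "__main__":
    for rel_path, kind in demo():
        print(f"{kind:5s} {rel_path}")
```

Run it against a real mount by calling find_image_files("/boot/efi") (or wherever your ESP is mounted); on Windows the partition is not normally exposed, which is the point made later in the thread.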

Hans-Cees

@fell @dangoodin @matrosov hai, this is h.acker, please put this image here on your disk and It will enhance your computer greatly.

Carey :blobcatverified:

@hanscees @fell @dangoodin @matrosov It doesn't even have to be a complete lie, just "put this image here" and it actually will display a picture of, idk, Harry Styles when you turn your computer on.

Felix Urbasik

@carey @hanscees @dangoodin @matrosov Microsoft was wise when they decided they're not going to let Windows users access the ESP.

Felix Urbasik

@dangoodin @carey @hanscees @matrosov The basis is that I never saw it when I clicked on "This PC". Is it possible?

Hans-Cees

@fell @dangoodin @carey @matrosov I really don't know at this point. But if you can get a user to execute something "click here and this pic becomes your background" you can run a script and so on.
Clever people will find a way probably

dch :flantifa: :flan_hacker:

@dangoodin firstly this comes as no surprise. Next tho, is that firmware updates from vendors can apparently contain unsigned images and still be legit. That seems weird, but supposedly this is an actual thing.

I’m still not clear how a malicious image gets into the right place on a normal system where it doesn’t have privileges. Any thoughts?

Thomas 🔭🕹️

@dangoodin @matrosov @phealy3330 Dan, how are CEOs supposed to buy their fifth yacht if they spend money on stuff like this

William D. Jones

@dangoodin @matrosov
@gsuberland

8kB (IBM PC BIOS size) should've been enough for anyone :D.

Rairii

@dangoodin "mind-blowing"

to me, it's just par for the cause :)

really not surprised about vulnerable graphics parsers being used with potentially attacker controlled data

Dan Herbert

@dangoodin @matrosov The fact that these seem to have been caught by fuzz tests makes me feel like sometimes there needs to be legal consequences for not doing the bare minimum in software security when it's as critical as EFI. This sounds like negligence.

svenfoo

@dangoodin @matrosov
Wait, so everything that goes into the secure firmware needs to be signed. Everything except the logo image? I mean, seriously??

Someone please tell me I got this wrong, because it seems like an utterly stupid thing to exempt the logo image from the signature.
