Dan Goodin

@matrosov

Lots of people asking what the CVEs are and where announcements from various parties can be found. This is a massive, massive (un)coordinated disclosure. Lots of broken or non-existent links at the moment. I'm expecting things will straighten out in an hour or two. Please be patient.

7 comments
Roger A. Grimes

@dangoodin Great article (as usual). Although there have been a handful or two of similar UEFI vulns in the past and none of them have been widely exploited. Does this one seem different?

Dan Goodin

A CERT coordination center has published an advisory on LogoFail, but unfortunately, it doesn't tell us much. It confirms that AMI, Insyde, Intel and Phoenix are affected and that Microsoft and Toshiba are not. But the remaining 20 companies fall in the "unknown" category. One of the unknowns is Lenovo, which has already confirmed that it is affected.

Also, no CVEs.

¯_(ツ)_/¯

kb.cert.org/vuls/id/811862

Lauren Weinstein

@dangoodin I suspect we can count on most affected existing deployed machines never being patched for this. Firmware patches at that level are widely considered to be so risky that they are widely avoided, even for serious problems.

Ethan Black

@dangoodin I know my @system76 uses Insyde firmware... my machine is older but I hope I get a fix 🙏

System76 :popos: :ubuntu:

@golemwire @dangoodin since you can't change the logo in firmware this wouldn't affect your system.
