source link: https://lwn.net/Articles/953985/

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Posted Dec 7, 2023 16:22 UTC (Thu) by jafd (subscriber, #129642) [Link]

The original report at Binarly (https://binarly.io/posts/finding_logofail_the_dangers_of_...) says that some boards allow this by putting the custom logo into your ESP and setting an EFI variable (presumably, vendor-specific) to point to it.

They also have a table with aggregated stats: all vendors have buggy image parsers (I'd wager because there are only three firmware vendors, of which none are known for exceptional code quality) but only boards from Acer, Lenovo, and Intel are actually exploitable.

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Posted Dec 7, 2023 17:47 UTC (Thu) by simon.d (guest, #168021) [Link]

Thank you very much for the information.

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Posted Dec 7, 2023 23:37 UTC (Thu) by epithumia (subscriber, #23370) [Link]

I'm having trouble understanding how to get from "boards from three manufacturers are exploitable" to "just about every Windows and Linux device vulnerable". I thought Ars Technica aspired to be better than alarmist clickbait.

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Posted Dec 8, 2023 0:04 UTC (Fri) by randomguy3 (subscriber, #71063) [Link]

Honestly, it's a confusing article overall. For example, it seems to think that wiping or replacing your hard drive won't reset your boot partition (it's certainly possible to have such a configuration, and just reinstalling the OS may well leave the boot partition alone depending on how you do it, but the article ignores any of this nuance in favour of over-reaching claims).

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Posted Dec 8, 2023 6:47 UTC (Fri) by WolfWings (subscriber, #56790) [Link]

If you're hit with this exploit your boot drive no longer matters. The boot drive is merely the vector for some vendors that support loading arbitrary images at boot time from the ESD.

But once it's loaded an exploit would be running in essentially the earliest of the early UEFI boot zones so it can overwrite whatever it pleases with impunity.

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Posted Dec 10, 2023 18:04 UTC (Sun) by jacinto (subscriber, #157537) [Link]

My knowledge of EFI boot is limited to basic Linux installs on an SSD with boot and root partition. In that scheme, the EFI boot code is in the ESP boot partition (GPT type 1, FAT formatted partition). If I understand this vulnerability correctly, it would compromise the EFI boot code in the ESP by replacing the boot code file with a malicious boot code file containing a logo image that exploits the boot code’s image parser.

To my limited understanding, a compromised install could easily be erased by replacing the compromised EFI boot code file with the correct file. A reformat and reinstall of Linux on the SSD would also serve to erase any other potential malicious modifications to the system. The article seems to suggest, without nuance, that the malicious boot code becomes permanently embedded and unfixable. I could understand the permanence of the exploit if there were an embedded storage device in the motherboard that served as the EFI partition, but for the scenario I described it seems like the article’s dire claim would not be true.
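The vector jafd describes above (a custom logo dropped into the ESP for the firmware's image parser to consume) and the FAT-formatted ESP jacinto describes lend themselves to a simple baseline check. The following is an added example, not code from the LWN thread or from Binarly: it walks a mounted ESP, lists every image file with its SHA-256 for comparison against a known-good inventory, and for BMP files applies the header bounds checks that a firmware parser would have to make before trusting the declared dimensions and offsets. The mount point path is an assumption; `build_bmp` constructs sample input.

```python
import hashlib
import os
import struct

# Magic bytes for the image formats boot-logo parsers commonly accept.
MAGIC = {b"BM": "bmp", b"\x89PNG": "png", b"GIF8": "gif", b"\xff\xd8\xff": "jpeg"}


def sniff(data):
    """Identify an image format from its leading bytes, or return None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_bmp(data):
    """Return header inconsistencies for a BMP; an empty list means the
    header is self-consistent with the file that carries it."""
    if len(data) < 54:
        return ["header truncated"]
    file_size, pix_off = struct.unpack_from("<I4xI", data, 2)
    hdr_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    problems = []
    if file_size != len(data):
        problems.append("declared file size %d != actual %d" % (file_size, len(data)))
    if pix_off < 14 + hdr_size or pix_off > len(data):
        problems.append("pixel data offset %d outside file" % pix_off)
    if width <= 0 or height == 0 or bpp not in (1, 4, 8, 16, 24, 32):
        problems.append("implausible dimensions or depth")
    else:
        row = ((width * bpp + 31) // 32) * 4  # BMP rows are padded to 4 bytes
        if pix_off + row * abs(height) > len(data):
            problems.append("declared dimensions exceed file size")
    return problems


def build_bmp(width, height, declared_width=None):
    """Constructed sample: a blank 24-bit BMP. declared_width forges a
    header whose dimensions do not match the pixel data actually present."""
    row = ((width * 24 + 31) // 32) * 4
    pixels = b"\x00" * (row * height)
    info = struct.pack("<IiiHHIIiiII", 40, declared_width or width, height,
                       1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54) + info + pixels


def scan_esp(mount_point):
    """Walk a mounted ESP (assumed path) and report every image file with its
    SHA-256 and, for BMPs, any header inconsistencies; compare to a baseline."""
    findings = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = sniff(data)
            if kind:
                findings.append({"path": path, "kind": kind,
                                 "sha256": hashlib.sha256(data).hexdigest(),
                                 "problems": check_bmp(data) if kind == "bmp" else []})
    return findings
```

Run `scan_esp("/boot/efi")` (or wherever the ESP is mounted) and diff the result against the inventory taken when the machine was known-good; a new image file, or a BMP whose header fails the checks, is worth a closer look.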

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Posted Dec 8, 2023 15:39 UTC (Fri) by tshow (subscriber, #6411) [Link]

> I thought Ars Technica aspired to be better than alarmist clickbait.

Look back over Dan Goodin's security articles on Ars Technica over the years and you may or may not notice a theme in this regard. Somewhere buried in any of the articles is usually some useful info, but the title and overall tone are generally BILLIONS OF MACHINES VULNERABLE TO EXPLOIT ALL IS LOST.

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Posted Dec 9, 2023 3:20 UTC (Sat) by csamuel (✭ supporter ✭, #2624) [Link]

I think part of this is because the original article talks about boards with vulnerable parsers, but that doesn't mean that they can (currently) be exploited by uploading an image. For instance it says:

> Since the vulnerable parsers are developed and distributed by the IBVs – AMI, Insyde and Phoenix – a large percentage of devices
> UEFI firmware image out there contains a parser vulnerable to LogoFAIL. This is also confirmed by the data our platform constantly
> scans. Thanks to our triaging efforts, we were able to produce rules for fwhunt, our firmware vulnerability scanner, and confirm that
> every OEM is impacted by this supply chain problem. As we can see in the following table, we detected parsers vulnerable to
> LogoFAIL in hundreds of devices sold by Lenovo, Supermicro, MSI, HP, Acer, Dell, Fujitsu, Samsung and Intel.

But then goes on to say:

> The exploitability of these vulnerabilities relies on whether the user is able to input data to a parser. When these parsers are used to
> display a logo during boot and when this logo can be replaced by an attacker, using any of the OEM customization techniques
> described in the Attack Surface section of this blogpost, then LogoFAIL becomes an exploitable threat.

They do list 3 scenarios by which it could be exploited, with the first being the easiest (and potentially remote) attack with just 3 vendors named, but then include as the hardest using an SPI flash programmer which would require physical access & an unprotected BIOS which could expand that list considerably.
