
Researchers have identified a set of security vulnerabilities, collectively known as LogoFAIL, that let attackers interfere with the boot process of computers and implant bootkits. The flaws lie in the image-parsing components that device and firmware vendors embed in UEFI firmware to display the manufacturer's logo at startup. Devices based on both x86 and ARM architectures are affected.
The researchers state in their report that this branding introduces an unnecessary security risk: an attacker can get malicious code executed simply by placing a crafted image in the EFI System Partition (ESP).
Attacking a computer's boot firmware in this way was demonstrated as far back as 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin showed how a bug in a BMP image parser could be used to infect the BIOS with malware.
What became LogoFAIL began as a small research project examining the attack surface exposed by image parsers, specifically the custom or legacy parsing code embedded in UEFI firmware. The researchers found that an attacker can store a malicious image or logo in the EFI System Partition or in unsigned sections of a firmware update. Writing to the ESP requires only administrative privileges on the running operating system, and the logo is loaded as a data file rather than as signed code, so Secure Boot's signature checks never examine it.
The researchers noted: "When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms."
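As an added illustration (not code from Binarly's research or from any vendor's firmware), the C example below models the class of bug the quote describes: a firmware-style BMP blitter that trusts the width and height fields of an attacker-supplied logo, beside a hardened version that validates every header field against the framebuffer before copying a single byte. The 32x32 framebuffer, the 32-bpp restriction, the make_logo() and try_logo() helpers, and the sandbox that counts rather than performs out-of-bounds writes are all assumptions of this example; real firmware has no such guard, and the overwrite lands in whatever memory follows the framebuffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32x32 BGRA framebuffer (assumed size). Real firmware blits
 * straight into memory; this sandbox counts rows that would land past the
 * end instead of writing them, so the example runs without undefined
 * behaviour. */
#define FB_W 32
#define FB_H 32
static uint8_t fb[FB_W * FB_H * 4];
static int fb_rejected;   /* rows refused by the sandbox */

static void fb_store(size_t off, const uint8_t *src, size_t n) {
    if (off > sizeof fb || n > sizeof fb - off) { fb_rejected++; return; }
    memcpy(fb + off, src, n);
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Byte offsets within BITMAPFILEHEADER + BITMAPINFOHEADER (54 bytes). */
enum { OFF_PIXELS = 10, OFF_WIDTH = 18, OFF_HEIGHT = 22, OFF_BPP = 28, HDR_LEN = 54 };

/* Vulnerable pattern: the only thing it validates is that the file holds the
 * pixel data it claims. It then copies every row using the header's width
 * and height as-is; nothing compares those dimensions with the framebuffer,
 * so a logo taller than the screen writes past the end of fb. */
int bmp_blit_unchecked(const uint8_t *img, size_t len) {
    if (len < HDR_LEN || img[0] != 'B' || img[1] != 'M') return -1;
    uint32_t w = le32(img + OFF_WIDTH), h = le32(img + OFF_HEIGHT);
    uint32_t off = le32(img + OFF_PIXELS);
    size_t stride = (size_t)w * 4;
    if (off > len || (uint64_t)h * stride > len - off) return -1;   /* file too short */
    for (uint32_t y = 0; y < h; y++)
        fb_store((size_t)y * FB_W * 4, img + off + (size_t)y * stride, stride);
    return 0;
}

/* Hardened: every header field that steers the copy is validated against the
 * destination before the first write, and the size arithmetic cannot wrap
 * because w and h are bounded by the screen size first. */
int bmp_blit_checked(const uint8_t *img, size_t len) {
    if (len < HDR_LEN || img[0] != 'B' || img[1] != 'M') return -1;
    uint32_t w = le32(img + OFF_WIDTH);
    int32_t h = (int32_t)le32(img + OFF_HEIGHT);              /* BMP: negative = top-down */
    uint32_t off = le32(img + OFF_PIXELS);
    unsigned bpp = img[OFF_BPP] | (unsigned)img[OFF_BPP + 1] << 8;
    if (bpp != 32 || h <= 0) return -1;                       /* only bottom-up 32 bpp here */
    if (w == 0 || w > FB_W || (uint32_t)h > FB_H) return -1;  /* must fit the screen */
    size_t stride = (size_t)w * 4;
    if (off < HDR_LEN || off > len || (size_t)h * stride > len - off) return -1;
    for (uint32_t y = 0; y < (uint32_t)h; y++)
        fb_store((size_t)y * FB_W * 4, img + off + (size_t)y * stride, stride);
    return 0;
}

/* Constructed test input: a 32-bpp BMP whose header claims w x h pixels. If
 * that much pixel data does not fit the static buffer, the header still
 * claims w x h, which is exactly what a crafted logo looks like. */
const uint8_t *make_logo(uint32_t w, uint32_t h, size_t *len) {
    static uint8_t buf[HDR_LEN + 64 * 64 * 4];
    uint64_t want = (uint64_t)w * h * 4;
    size_t pix = want > sizeof buf - HDR_LEN ? sizeof buf - HDR_LEN : (size_t)want;
    memset(buf, 0, sizeof buf);
    buf[0] = 'B'; buf[1] = 'M';
    put32(buf + 2, (uint32_t)(HDR_LEN + pix));   /* bfSize */
    put32(buf + OFF_PIXELS, HDR_LEN);            /* bfOffBits */
    put32(buf + 14, 40);                         /* biSize */
    put32(buf + OFF_WIDTH, w);
    put32(buf + OFF_HEIGHT, h);
    buf[26] = 1;                                 /* biPlanes */
    buf[OFF_BPP] = 32;                           /* biBitCount */
    memset(buf + HDR_LEN, 0x7f, pix);            /* grey pixels */
    *len = HDR_LEN + pix;
    return buf;
}

/* Feeds a w x h logo to one decoder on a fresh framebuffer and returns the
 * decoder's result; last_rejected() reports how many rows the sandbox refused. */
int try_logo(bool checked, uint32_t w, uint32_t h) {
    size_t len;
    const uint8_t *img = make_logo(w, h, &len);
    memset(fb, 0, sizeof fb);
    fb_rejected = 0;
    return checked ? bmp_blit_checked(img, len) : bmp_blit_unchecked(img, len);
}
int last_rejected(void) { return fb_rejected; }

int main(void) {
    int rc = try_logo(false, 32, 64);
    printf("unchecked, 32x64 logo: rc=%d, rows past framebuffer=%d\n", rc, last_rejected());
    rc = try_logo(true, 32, 64);
    printf("checked,   32x64 logo: rc=%d, rows past framebuffer=%d\n", rc, last_rejected());
    return 0;
}
```

The unchecked decoder reports success on the 32x64 logo while 32 rows land beyond the framebuffer; the checked one rejects the same file before the first copy. A fuzzer with AddressSanitizer attached to bmp_blit_unchecked() would find this case almost immediately, which is the kind of testing the affected parsers evidently never received. The same discipline applies to every field a firmware parser reads from the ESP: pixel offset, bit depth, compression type and palette size are all attacker-controlled.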
Malware planted this way gains persistence that is practically undetectable, as was the case with the CosmicStrand UEFI implant reported last year. Unlike attacks that patch the bootloader or the firmware image, LogoFAIL does not break runtime integrity, because neither needs to be modified: the malicious content is an ordinary data file.
The researchers emphasize that the LogoFAIL vulnerabilities are not vendor-specific. They affect UEFI firmware on both consumer and enterprise devices from a wide range of device and chip manufacturers.
The researchers have already determined that hundreds of devices from Intel, Acer, Lenovo and other manufacturers are potentially vulnerable, as is code from the three major independent BIOS vendors that supply custom UEFI firmware: AMI, Insyde and Phoenix. The full scope of LogoFAIL's impact, however, has yet to be determined.
Full technical details of LogoFAIL will be presented on December 6 at the Black Hat Europe security conference in London. The researchers have already shared their findings with several device manufacturers and with the major UEFI firmware suppliers.
The research was conducted and documented by researchers from Binarly.