CVE-2024-0762 affects Phoenix UEFI Firmware

Security researchers have identified a vulnerability in a common implementation of the UEFI firmware that boots desktop computers powered by Intel chips. The flaw could allow attackers to obtain ongoing persistence.

The vulnerability, tracked as CVE-2024-0762 with a CVSS score of 7.5, is a buffer overflow vulnerability in the SecureCore UEFI implementation made by Phoenix Technologies. It affects devices built by major manufacturers including Lenovo, Acer, Dell and HP, and potentially affects hundreds of personal computer models.

The flaw is tied to an unsafe variable in the Trusted Platform Module configuration. To be clear, this vulnerability lies in the UEFI code handling TPM configuration; in other words, it doesn’t matter whether you have a security chip like a TPM if the underlying code is flawed.

The flaw involves a call to the GetVariable service. The issue arises from the code calling GetVariable twice for the TCG2_CONFIGURATION variable “without adequate checks between” the calls. That creates an opening to modify the variable, setting it to a value that causes the first call to return a “buffer too small” status. The second call, with its length set to the size of the modified variable, would succeed “and overflow the buffer, leading to a stack buffer overflow.”
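To make the double-call pattern concrete, here is an added C model (not Phoenix’s code and not Eclypsium’s proof of concept) with a stand-in GetVariable and a constructed TCG2_CONFIGURATION variable; the function names, status-code values and buffer size are assumptions. It contrasts the length the unchecked second call would be handed with a read that lets the service itself bound the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Status codes modelled on UEFI runtime services; the numeric values are
 * constructed for this stand-in, not the real EFI_STATUS encodings. */
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 1

/* Constructed NVRAM stand-in for the TCG2_CONFIGURATION variable, which the
 * firmware reads into a fixed stack buffer of CFG_BUF_SIZE bytes. */
#define CFG_BUF_SIZE 32
static uint8_t tcg2_var[512];
static size_t  tcg2_var_size = 16;

/* Whoever can write the variable can also resize it between the two calls. */
void set_tcg2_variable_size(size_t size) {
    if (size > sizeof tcg2_var) size = sizeof tcg2_var;
    memset(tcg2_var, 0x41, size);           /* constructed filler content */
    tcg2_var_size = size;
}

/* GetVariable stand-in: copies only when *data_size is large enough and
 * otherwise reports the size needed, as the real service does. */
int get_variable(uint8_t *data, size_t *data_size) {
    if (*data_size < tcg2_var_size) {
        *data_size = tcg2_var_size;
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(data, tcg2_var, tcg2_var_size);
    *data_size = tcg2_var_size;
    return EFI_SUCCESS;
}

/* The flawed pattern, instrumented rather than executed: the length the
 * second GetVariable call would be given. Anything above CFG_BUF_SIZE
 * means the real code would copy past the end of its stack buffer. */
size_t unchecked_second_call_size(void) {
    size_t size = 0;
    return get_variable(NULL, &size) == EFI_BUFFER_TOO_SMALL ? size : 0;
}

/* Hardened read: hand the buffer's true capacity to GetVariable so the
 * service bounds the copy, and refuse on "buffer too small" instead of
 * retrying with the reported length. Returns bytes read, or -1. */
int read_tcg2_config_safe(void) {
    uint8_t buf[CFG_BUF_SIZE];
    size_t size = sizeof buf;
    return get_variable(buf, &size) == EFI_SUCCESS ? (int)size : -1;
}
```

Once the variable is resized past CFG_BUF_SIZE, the unchecked path would pass that larger length to the second call, while the hardened read simply fails and leaves the stack intact.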

Researchers initially identified the issue on Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen. Phoenix Technologies later acknowledged that the same flaw exists in multiple versions of its SecureCore firmware used across Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake and TigerLake.

This research was documented by researchers from Eclypsium.
