LogoFAIL: Widespread firmware vulnerabilities unveiled in major device brands

Target Industry

Indiscriminate, opportunistic targeting.

Overview

The firmware security platform Binarly has disclosed two dozen vulnerabilities in the image parsers responsible for loading the hardware vendor’s logo during the boot sequence. Incorrect input validation in these parsers allows code execution during the Driver Execution Environment (DXE) phase of boot. This phase does not benefit from ‘below-the-OS’ protections such as Secure Boot. The series of vulnerabilities has been aptly named LogoFAIL by Binarly.
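The bulletin does not publish any vendor code, so the following is an added illustration of the bug class it describes (untrusted image header fields driving memory operations without validation) beside a hardened parse. It is written for this page, not taken from Binarly, any IBV, or any of the CVEs listed below. The image format, the 4096-pixel policy limit and the sample bytes are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy logo format used only for this example (not any IBV's format):
 *   bytes 0..3 : width  (little-endian uint32)
 *   bytes 4..7 : height (little-endian uint32)
 *   bytes 8..  : width * height pixels, one byte each                           */
#define LOGO_HDR_LEN 8u
#define LOGO_MAX_DIM 4096u   /* assumed policy limit for a boot logo */

typedef enum { LOGO_OK = 0, LOGO_ERR_SHORT, LOGO_ERR_DIM, LOGO_ERR_TRUNC } logo_status;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The weak pattern: the pixel-buffer size is computed from untrusted header
 * fields with plain 32-bit arithmetic. 65536 x 65536 wraps to 0, so a buffer
 * sized from this value would be far too small for a copy loop that walks
 * width * height pixels. Nothing is written here; the function only exposes
 * the wrapped size so the flaw can be observed safely.                       */
uint32_t unchecked_pixel_bytes(uint32_t w, uint32_t h)
{
    return w * h;   /* silently overflows for large dimensions */
}

/* Hardened parse: every header value is checked against the real buffer
 * length and a fixed policy before it may drive any memory operation.       */
logo_status parse_logo(const uint8_t *buf, size_t len,
                       uint32_t *out_w, uint32_t *out_h, const uint8_t **out_pixels)
{
    if (buf == NULL || len < LOGO_HDR_LEN)
        return LOGO_ERR_SHORT;                      /* header itself incomplete */

    uint32_t w = rd_le32(buf);
    uint32_t h = rd_le32(buf + 4);
    if (w == 0 || h == 0 || w > LOGO_MAX_DIM || h > LOGO_MAX_DIM)
        return LOGO_ERR_DIM;                        /* absurd sizes, incl. the wrap case */

    /* Multiply in 64 bits so the check does not rely on the policy constant. */
    uint64_t need = (uint64_t)w * (uint64_t)h;
    if (need > (uint64_t)(len - LOGO_HDR_LEN))
        return LOGO_ERR_TRUNC;                      /* declared pixels exceed supplied bytes */

    *out_w = w;
    *out_h = h;
    *out_pixels = buf + LOGO_HDR_LEN;
    return LOGO_OK;
}

/* Constructed 2x2 sample image: header followed by four pixel bytes. */
static const uint8_t sample_logo[12] = { 2,0,0,0, 2,0,0,0, 0x11,0x22,0x33,0x44 };

/* Parse the sample but pretend only `len` bytes arrived (simulates truncation). */
logo_status parse_sample(size_t len)
{
    uint32_t w, h; const uint8_t *px;
    return parse_logo(sample_logo, len, &w, &h, &px);
}

/* Parse a header-only image carrying the given dimensions. */
logo_status parse_header_only(uint32_t w, uint32_t h)
{
    uint8_t hdr[LOGO_HDR_LEN];
    uint32_t ow, oh; const uint8_t *px;
    wr_le32(hdr, w);
    wr_le32(hdr + 4, h);
    return parse_logo(hdr, sizeof hdr, &ow, &oh, &px);
}

int main(void)
{
    printf("unchecked 65536x65536 -> %u bytes\n", unchecked_pixel_bytes(65536u, 65536u));
    printf("hardened  65536x65536 -> status %d\n", parse_header_only(65536u, 65536u));
    printf("sample full=%d truncated=%d short=%d\n",
           parse_sample(12), parse_sample(10), parse_sample(5));
    return 0;
}
```

The point for defenders is the ordering: the hardened parser rejects the input before any allocation or copy is sized from it, which is the validation the bulletin says the affected firmware parsers lacked.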

Impact

Exploitation of LogoFAIL will result in full compromise of the device by rendering below-OS security measures ineffective. Unlike BlackLotus and other bootkits, reinstalling the operating system or replacing the storage will not remediate the infection.

Compromised Systems

Numerous devices from brands like Intel, Acer, and Lenovo are at risk due to the LogoFAIL vulnerability, affecting their firmware’s image parsers. This issue spans across major independent BIOS vendors (IBVs) including AMI, Insyde, and Phoenix. Given the widespread use of these IBVs’ firmware, a vast array of devices, irrespective of their hardware platform (x86 or ARM), are potentially vulnerable.

LogoFAIL vulnerabilities are tracked under the following designations with more likely to follow:

CVE-2023-5058

CVE-2023-39538

CVE-2023-39539

CVE-2023-40238

Indicators of Compromise

There are no indicators of compromise associated with LogoFAIL at this time.

Threat Landscape

Hijacking the boot sequence by exploiting image-parsing bugs in Unified Extensible Firmware Interface (UEFI) firmware was first demonstrated at a 2009 Black Hat presentation. More than a decade has passed since then, and in that time there has been a steady stream of similar attacks, of which LogoFAIL is the most recent.

2018 saw the first known in-the-wild case of UEFI being used as an attack vector, by malware dubbed LoJax. This malware has been attributed to Forest Blizzard (APT28).

Two years later, in 2020, researchers unearthed the second malware family to attack UEFI in the wild, dubbed MosaicRegressor by Kaspersky. The initial access mechanism was never identified, but it is suspected that physical access was required.

Since MosaicRegressor, new UEFI bootkits have been discovered and tracked under names including ESPecter, FinSpy, and MoonBounce.

LogoFAIL is the latest series of vulnerabilities in the UEFI boot sequence that could spawn new malware variants.

Threat Group

No known threat group has been associated with LogoFAIL. Exploitation has not been observed in the wild as of 13th December 2023.

MITRE Methodologies

T1542.003 – Pre-OS Boot: Bootkit

Further Information

The Far-Reaching Consequences of LogoFAIL

Finding LogoFAIL: The Dangers of Image Parsing During System Boot