Indiscriminate, opportunistic targeting.
The firmware security platform Binarly has disclosed two dozen vulnerabilities in the image parser responsible for loading the hardware vendor’s logo during the boot sequence. Incorrect input validation in the image parser allows code injection during the Driver Execution Environment (DXE) phase. This phase of the boot sequence does not benefit from ‘below-the-OS’ protections like SecureBoot. The series of vulnerabilities has been aptly named LogoFAIL by Binarly.
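As an added illustration of the bug class the advisory describes (not Binarly’s findings or any vendor’s firmware code), the following C sketch contrasts a logo-header parser that trusts the image geometry with one that validates it before sizing any copy; the BMP-style layout and the sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Synthetic BMP/DIB-layout logo buffers (constructed samples, not vendor logos):
   a 54-byte header followed by the pixel array, field offsets as in the BMP format. */
#define HDR_LEN 54u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Bug class: header geometry is trusted, so the byte count that sizes the pixel copy
   can wrap in 32 bits or exceed the buffer that was actually read. */
size_t logo_bytes_unchecked(const uint8_t *img) {
    uint32_t w = rd32(img + 18), h = rd32(img + 22), bpp = rd32(img + 28) & 0xffff;
    return (size_t)(w * h * (bpp / 8));              /* 32-bit product: silently wraps */
}

/* Hardened form: reject before any header-derived value sizes a copy or allocation. */
int logo_parse_checked(const uint8_t *img, size_t len, size_t *pixel_bytes, uint32_t *pixel_off) {
    if (len < HDR_LEN || img[0] != 'B' || img[1] != 'M') return -1;
    uint32_t off = rd32(img + 10);
    int32_t w = (int32_t)rd32(img + 18), h = (int32_t)rd32(img + 22);
    uint32_t bpp = rd32(img + 28) & 0xffff;
    if (w <= 0 || h <= 0 || w > 4096 || h > 4096) return -1;   /* only plausible logo sizes */
    if (bpp != 8 && bpp != 24 && bpp != 32) return -1;
    uint64_t need = (uint64_t)w * (uint64_t)h * (bpp / 8);      /* cannot wrap within bounds */
    if (off < HDR_LEN || off > len || need > len - off) return -1; /* pixels must lie in input */
    *pixel_bytes = (size_t)need; *pixel_off = off;
    return 0;
}

/* Build a constructed header with the given geometry into buf. */
void make_logo(uint8_t *buf, size_t len, uint32_t w, uint32_t h, uint32_t bpp) {
    memset(buf, 0, len); buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)len); wr32(buf + 10, HDR_LEN); wr32(buf + 14, 40);
    wr32(buf + 18, w); wr32(buf + 22, h); wr32(buf + 26, (bpp << 16) | 1); /* planes=1, bpp */
}

/* Both parsers run on the same 66-byte buffer (54-byte header + 12 pixel bytes). */
size_t unchecked_for(uint32_t w, uint32_t h, uint32_t bpp) {
    uint8_t buf[HDR_LEN + 12];
    make_logo(buf, sizeof buf, w, h, bpp);
    return logo_bytes_unchecked(buf);
}
int checked_for(uint32_t w, uint32_t h, uint32_t bpp, size_t *pixel_bytes) {
    uint8_t buf[HDR_LEN + 12]; uint32_t off = 0;
    make_logo(buf, sizeof buf, w, h, bpp);
    return logo_parse_checked(buf, sizeof buf, pixel_bytes, &off);
}
```

A 65536 x 65536 header makes the unchecked size wrap to zero while a 4096 x 4096 one yields a 48 MiB copy from a 66-byte input; the checked parser rejects both and accepts only a geometry whose pixel data fits inside what was read.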
Exploitation of LogoFAIL will result in full compromise of the device, rendering below-OS security measures ineffective. Unlike BlackLotus and other bootkits, reinstalling the operating system or replacing the storage will not remediate the infection.
Numerous devices from brands like Intel, Acer, and Lenovo are at risk due to the LogoFAIL vulnerability, which affects their firmware’s image parsers. This issue spans the major independent BIOS vendors (IBVs), including AMI, Insyde, and Phoenix. Given the widespread use of these IBVs’ firmware, a vast array of devices, irrespective of their hardware platform (x86 or ARM), are potentially vulnerable.
LogoFAIL vulnerabilities are tracked under the following designations, with more likely to follow:
Indicators of Compromise
There are no indicators of compromise associated with LogoFAIL at this time.
Hijacking the boot sequence by exploiting image-parsing bugs in the Unified Extensible Firmware Interface (UEFI) was first demonstrated at a 2009 BlackHat presentation. More than a decade has passed since that presentation, and in that time there has been a steady supply of similar attacks, with LogoFAIL being the most recent.
2018 saw the first known case of UEFI being used as an attack vector in the wild, by malware dubbed LoJax. This malware has been attributed to Forest Blizzard (APT 28).
Two years later, in 2020, researchers unearthed the second malware family to attack UEFI in the wild. This malware was dubbed MosaicRegressor by Kaspersky. The initial access mechanism was never determined, but physical access is suspected to have been required.
Since MosaicRegressor, new UEFI bootkits have been discovered and tracked under names including ESpecter, FinSpy, and MoonBounce.
LogoFAIL is the latest series of vulnerabilities in the UEFI boot sequence that could spawn new malware variants.
No known threat group has been associated with LogoFAIL. Exploitation has not been observed in the wild as of 13th December 2023.