The Binarly Research team, part of a firmware supply chain security platform company, has uncovered a constellation of security vulnerabilities, called LogoFAIL, hiding within the Unified Extensible Firmware Interface (UEFI) used to boot almost all modern computing devices. Linux or Windows, ARM or x86, it doesn’t matter — they’re all vulnerable.
This threat has been lurking in systems for years, indeed for decades. What makes it particularly concerning is the wide range of affected consumer and enterprise-grade computers. The core of LogoFAIL is its exploitation of logos displayed on the device screen during the early boot process, while UEFI is still running.
This exploitation happens during the earliest stages of the boot process, so the attacks bypass UEFI defenses, such as Microsoft Secure Boot and Intel Secure Boot, that are meant to block bootkit infections. This technique is bad, bad news.
Specifically, the attack takes advantage of UEFI image parsers: the firmware code that decodes and renders the boot logo so you can see it on screen. This software is incorporated into UEFI by the major independent BIOS vendors (IBVs), such as AMI, Insyde, and Phoenix.
The UEFI firmware can contain parsers for images in multiple image formats, including BMP, GIF, JPEG, PCX, and TGA. Altogether, the Binarly team found 29 security issues — and 15 of those were exploitable for arbitrary code execution.
In short, these UEFI image parsers were poorly maintained and riddled with critical vulnerabilities. Attackers can replace legitimate logo images with identical-looking ones that have been specially crafted to exploit the bugs. This technique allows for the execution of malicious code at the Driver Execution Environment (DXE) phase, a highly sensitive part of the boot process. This attack happens before the operating system starts.
As the Binarly researchers said: “Once arbitrary code execution is achieved during the DXE phase, it’s game over for platform security.” From here on out, the attackers have “full control over the memory and the disk of the target device, thus including the operating system that will be started.”
With that control, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main operating system has even started. This level of access makes it nearly impossible to detect or remove the infection using current defense mechanisms.
The vulnerabilities were disclosed at the Black Hat Security Conference in London, and the affected parties are releasing advisories that disclose which of their products are vulnerable and where to obtain security patches. The widespread impact of LogoFAIL is clear: it affects nearly the entire x64 and ARM CPU ecosystem, including UEFI suppliers, device manufacturers such as Lenovo and HP, CPU makers such as Intel and AMD, and ARM CPU designers.
But why is this attack such a big problem? I mean, who wants to change the bootup logos on their computers? The answer, according to security expert Bruce Schneier, is companies: “Corporate buyers want the ability to display their own logos. So the ability has to be in the BIOS, which means that the vulnerabilities aren’t being protected by any of the OS’s defenses. And the BIOS makers probably pulled some random graphics library off the internet and never gave it a moment’s thought after that.”
Now for some good news
Macs, smartphones, and other devices that don’t use UEFI are not vulnerable. Even Intel Apple Macs, which used UEFI to boot, can’t be attacked by LogoFAIL. That’s because Apple hardcodes its logo image files into the firmware itself, so they can’t be replaced with a malicious duplicate.
Most Dell computers aren’t vulnerable, either. That’s because the company uses Intel Boot Guard to make it impossible to replace the images. In addition, Dell devices, generally speaking, don’t allow you to change logo images.
If you do have vulnerable machines, you first need to make sure no one can get into the device in the first place. That level of protection means patching your operating system and programs against all known attacks. If you’re running Windows, update your antivirus protections. These programs can’t stop LogoFAIL, but they can stop you from getting malware that will load LogoFAIL into your system.
The trick is to keep attackers from getting access to the EFI System Partition (ESP) in the first place. This hidden part of your drive is where the logo image is stored. If attackers can’t write to the ESP, they can’t swap in a malicious logo.
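One defender-side check that follows from this, added here as an illustration and not Binarly’s code or any vendor’s tool: record a hash baseline of the logo images on the mounted ESP while the machine is known-good, then re-audit for changed, added or removed files, and flag any BMP whose header disagrees with the real file. The ESP mount point and the EFI/OEM/logo.bmp path are assumptions; real logo locations vary by vendor.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

LOGO_EXTENSIONS = {".bmp", ".gif", ".jpg", ".jpeg", ".pcx", ".tga"}  # formats the article lists

def build_baseline(esp_dir):
    """{relative path: sha256} of logo-like files under the ESP mount; record it
    while the machine is known-good and keep the manifest off-box."""
    root = Path(esp_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in LOGO_EXTENSIONS}

def bmp_header_problems(data):
    """Sanity-check the 14-byte BMP file header: a declared size or pixel offset
    that disagrees with the real file is the sort of input a buggy parser mishandles."""
    if len(data) < 14 or data[:2] != b"BM":
        return ["not a BMP file header"]
    size, _res1, _res2, offset = struct.unpack_from("<IHHI", data, 2)
    findings = [f"declared size {size} != actual {len(data)}"] if size != len(data) else []
    if offset < 14 or offset > len(data):
        findings.append(f"pixel offset {offset} lies outside the file")
    return findings

def audit_esp(esp_dir, baseline):
    # Diff current logo files against the baseline, then header-check every BMP.
    root = Path(esp_dir)
    current = build_baseline(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "malformed": {},
    }
    for rel in current:
        if rel.lower().endswith(".bmp"):
            problems = bmp_header_problems((root / rel).read_bytes())
            if problems:
                report["malformed"][rel] = problems
    return report

def make_demo_esp():
    # Constructed stand-in for a mounted ESP: one tiny valid BMP at a hypothetical OEM path.
    logo = Path(tempfile.mkdtemp()) / "EFI" / "OEM" / "logo.bmp"
    logo.parent.mkdir(parents=True)
    logo.write_bytes(b"BM" + struct.pack("<IHHI", 30, 0, 0, 26) + b"\x00" * 16)
    return str(logo.parents[2])
```

On a real system, point `build_baseline` at the ESP mount (for example `/boot/efi` on many Linux installs) and run `audit_esp` from a scheduled job, alerting on any non-empty finding.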
The real fix is to upgrade your firmware. Fixes are on their way from AMI, Intel, Insyde, Phoenix, and Lenovo. They’re not coming out quickly, though. As Intel states: “Bios updates will be released late Q4 2023 to early Q1 2024.” Of course, I always wanted to spend the winter holidays updating and hard-booting all my machines — and I’m sure you did, too.
In the meantime, just lock down your systems as much as you can, so a LogoFAIL attacker doesn’t get a foothold. Once they’re in, you’re almost certainly not getting them out.