VU#811862: Image files in UEFI can be abused to modify boot behavior

Overview

Vendor implementations of the Unified Extensible Firmware Interface (UEFI) provide a way to customize the logo image displayed during the early boot phase. Binarly has uncovered vulnerabilities in the image parsing libraries that provide this capability. An attacker with local privileged access can exploit these vulnerabilities to modify UEFI settings.

Description

UEFI firmware provides an extensible interface between an operating system and the hardware platform. UEFI software stores a number of settings and files in a dedicated Extensible Firmware Interface (EFI) partition known as the EFI system partition (ESP). The ESP is a special privileged file system that is independent of the OS and essentially acts as the storage location for the UEFI boot loaders, applications, hardware drivers and customizable settings launched by the UEFI firmware. The ESP is mandatory for UEFI boot and is protected from unprivileged access. The information stored in the ESP is probed and processed during the early boot phases of a UEFI-based OS. One such item stored in the ESP is a personalizable boot logo.

Binarly has discovered a number of vulnerabilities in the image parsing libraries that read and process these image files. Because these files are processed by executables that run at high privilege, it is possible to exploit these vulnerabilities in order to access and modify high-privileged UEFI settings of a device. The UEFI supply chain allows many of these shared libraries to be integrated in various ways: compiled from source, licensed for modification and reuse, or shipped as a dynamically or statically linked executable. Binarly has also observed that in some cases an attacker can create a bundled firmware update that contains a corrupt or malicious image to trigger these vulnerabilities. This can also allow an attacker to exploit a vulnerability while flashing the PCI with a firmware update. Due to the complex nature of these vulnerabilities and their potentially wide impact, Binarly would like to use the label LogoFAIL to track and support coordination and mitigation of these vulnerabilities.
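The defender-side counterpart to the description above is knowing which image files sit on your ESP and whether their headers are internally consistent, since those are the bytes the firmware's logo parser will trust. The following script is an added example for this note, not code from CERT/CC, Binarly or any vendor. It assumes the logo format is BMP (common in EDK2-derived firmware; the advisory does not name formats), that the ESP is mounted at a path such as `/boot/efi`, and it uses an arbitrary dimension cap (`MAX_DIMENSION`) as a plausibility limit rather than a specification value. The function names, the magic-byte table and the sample files are all constructed for this example.

```python
# Inventory image files on a mounted EFI System Partition (ESP) and sanity-check
# BMP headers. Added example for VU#811862; assumptions are noted in comments.
import hashlib
import os
import struct
from typing import Dict, List, Optional

# Leading bytes of image formats a logo parser might accept (assumption: the
# advisory does not list which formats each vendor's firmware supports).
IMAGE_MAGIC = {
    b"BM": "bmp",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

MAX_DIMENSION = 16384          # arbitrary plausibility cap, not a spec value
FILE_HEADER = "<2sIHHI"        # BITMAPFILEHEADER: magic, size, 2x reserved, pixel offset
INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)


def sniff_image(data: bytes) -> Optional[str]:
    """Classify a blob by its leading bytes, not by its file extension."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_bmp_header(data: bytes) -> List[str]:
    """Return header inconsistencies a careful parser must reject (empty = consistent)."""
    if len(data) < 54:
        return ["truncated: shorter than BITMAPFILEHEADER + BITMAPINFOHEADER"]
    file_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    header_size, width, height, planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    problems = []
    if file_size != len(data):
        problems.append(f"declared file size {file_size} != actual {len(data)}")
    if header_size not in (40, 108, 124):
        problems.append(f"unsupported info header size {header_size}")
    if planes != 1:
        problems.append(f"planes {planes} != 1")
    if bpp not in (1, 4, 8, 16, 24, 32):
        problems.append(f"unsupported bit depth {bpp}")
    if width <= 0 or height == 0 or width > MAX_DIMENSION or abs(height) > MAX_DIMENSION:
        problems.append(f"implausible dimensions {width}x{height}")
        return problems  # stride arithmetic below would be meaningless
    if pixel_offset >= len(data):
        problems.append(f"pixel offset {pixel_offset} beyond end of file")
    else:
        # Rows are padded to 4 bytes; in a C parser this product is where an
        # integer overflow would hide, so it is computed and bounded explicitly.
        row_bytes = ((width * bpp + 31) // 32) * 4
        if pixel_offset + row_bytes * abs(height) > len(data):
            problems.append("pixel data extends past end of file")
    return problems


def inventory_blobs(blobs: Dict[str, bytes]) -> List[dict]:
    """Record every image-looking blob: path, format, SHA-256 and header problems."""
    records = []
    for path in sorted(blobs):
        data = blobs[path]
        kind = sniff_image(data)
        if kind is None:
            continue
        records.append({
            "path": path,
            "kind": kind,
            "sha256": hashlib.sha256(data).hexdigest(),
            "problems": check_bmp_header(data) if kind == "bmp" else [],
        })
    return records


def inventory_esp(mount_point: str) -> List[dict]:
    """Walk a mounted ESP (e.g. /boot/efi) and inventory the images found on it."""
    blobs = {}
    for dirpath, _, names in os.walk(mount_point):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    blobs[os.path.relpath(full, mount_point)] = fh.read()
            except OSError:
                continue  # unreadable entries are skipped, not fatal
    return inventory_blobs(blobs)


def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a minimal all-black BMP; used only to construct sample input."""
    row_bytes = ((width * bpp + 31) // 32) * 4
    pixels = bytes(row_bytes * height)
    info = struct.pack(INFO_HEADER, 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    head = struct.pack(FILE_HEADER, b"BM", 54 + len(pixels), 0, 0, 54)
    return head + info + pixels


if __name__ == "__main__":
    # Constructed sample ESP contents (not real files): one clean logo, one whose
    # header claims far more pixel rows than the file holds, one non-image.
    tampered = bytearray(make_bmp(2, 2))
    struct.pack_into("<i", tampered, 22, 16000)  # overwrite biHeight
    sample = {
        "EFI/OEM/logo.bmp": make_bmp(2, 2),
        "EFI/OEM/logo2.jpg": bytes(tampered),    # extension lies; magic says BMP
        "EFI/BOOT/BOOTX64.EFI": b"MZ" + bytes(62),
    }
    for rec in inventory_blobs(sample):
        print(rec["path"], rec["kind"], rec["sha256"][:16], rec["problems"])
```

Run `inventory_esp("/boot/efi")` once on a known-good system and keep the resulting hashes as a baseline; a later run that shows a new image file, a changed hash, or a BMP whose declared sizes disagree with its actual length is worth investigating before the next reboot. The header checks are deliberately the ones a firmware parser should perform itself; flagging a file here does not prove it exploits any particular vendor's code, only that a trusting parser would be reading past the data it was given.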

Note: Multiple CVEs may be assigned to this set of vulnerabilities because of the many implementations and potential customizations of the libraries and sources that introduce these weaknesses. Please check the Vendor Information section for details provided by the various vendors on mitigations and fixes.

Impact

The impact of these vulnerabilities varies widely due to the nature of UEFI software and its various implementations throughout the supply chain.

In summary, a local attacker with administrative privileges over the ESP partition or the firmware flash can use malicious images to do any of the following:

  • Disable UEFI security features (SecureBoot)
  • Modify the UEFI Boot Order or the designated Boot Partition
  • Execute unwanted software to infect the protected operating system

In some cases, an attacker can use the vendor-provided logo customization interface to upload these malicious images.

Solution

Apply Updates

Multiple vendors in the supply chain have provided solutions to these vulnerabilities in the form of software updates. Please check your vendor's statement and solution below for references and additional information on addressing this issue.

Acknowledgements

Thanks to Binarly for reporting these vulnerabilities. We would also like to thank the multiple vendors from the UEFI supply chain who cooperated to address these issues.

This document was written by Vijay Sarvepalli.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

Other Information

CVE IDs:
Date Public: 2023-12-06
Date First Published: 2023-12-06
Date Last Updated: 2023-12-06 18:59 UTC
Document Revision: 1

Source: https://kb.cert.org/vuls/id/811862