LogoFAIL Vulnerabilities Expose Firmware Attacks: Endpoint Security Solutions at Risk
A set of security vulnerabilities collectively known as LogoFAIL lets attackers interfere with the boot process of computers and plant bootkits. The flaws lie in the image parsing components that motherboard manufacturers use to display brand logos at startup. Both x86 and ARM devices are at risk.
Researchers from Binarly, a firm specializing in supply chain security for motherboard firmware, noted in their recent report that this branding introduces unnecessary security risk, allowing attackers to carry out attacks by planting malicious images in the EFI System Partition (ESP).
Attacking a computer's firmware boot interface in this way was demonstrated as far back as 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin showed how a bug in a BMP image parser could be used to infect the BIOS with malware.
The LogoFAIL research began as a small project examining the attack surface exposed by image parsing components, specifically the custom or legacy parsing code embedded in UEFI firmware.
The researchers found that an attacker could store a malicious image or logo in the EFI System Partition or in unsigned firmware update partitions.
“When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-based Secure Boot),” reported the Binarly experts.
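To show the class of check the Binarly report is pointing at, here is an added illustrative example (constructed for this article, not code from Binarly or from any firmware vendor): a BMP header parser that validates every header field before any size arithmetic or memory access depends on it. The 4096-pixel dimension cap, the `check_tampered` helper and the 2x2 test image are assumptions made for the illustration, not values taken from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not Binarly's nor any firmware vendor's code: a defensive
 * BMP header parser showing the checks a boot-time logo decoder must make before
 * it trusts header fields that came from an image file on disk. */

#define BMP_HDR_SIZE      54    /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define BMP_MAX_DIMENSION 4096  /* assumed policy cap for a boot logo, not a spec value */

typedef enum {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED,   /* fewer bytes than a complete header */
    BMP_ERR_MAGIC,       /* not "BM" */
    BMP_ERR_HEADER,      /* unsupported header size, planes or compression */
    BMP_ERR_DIMENSIONS,  /* zero, negative or oversized width/height */
    BMP_ERR_BPP,         /* unsupported bits per pixel */
    BMP_ERR_OFFSET,      /* pixel data offset points outside the buffer */
    BMP_ERR_PIXELS       /* header claims more pixel data than the file holds */
} bmp_status;

typedef struct {
    uint32_t width, height, stride, pixel_offset, pixel_bytes;
    uint16_t bpp;
} bmp_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate every field before any size arithmetic or memory access depends on it. */
bmp_status parse_bmp_header(const uint8_t *buf, size_t len, bmp_info *out)
{
    if (len < BMP_HDR_SIZE) return BMP_ERR_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;

    uint32_t pixel_offset = rd32(buf + 10);
    uint32_t info_size    = rd32(buf + 14);
    int32_t  width        = (int32_t)rd32(buf + 18);
    int32_t  height       = (int32_t)rd32(buf + 22);
    uint16_t planes       = rd16(buf + 26);
    uint16_t bpp          = rd16(buf + 28);
    uint32_t compression  = rd32(buf + 30);

    if (info_size != 40 || planes != 1 || compression != 0) return BMP_ERR_HEADER;
    /* Reject negative, zero and oversized dimensions before multiplying anything. */
    if (width <= 0 || height <= 0 || width > BMP_MAX_DIMENSION || height > BMP_MAX_DIMENSION)
        return BMP_ERR_DIMENSIONS;
    if (bpp != 24 && bpp != 32) return BMP_ERR_BPP;
    /* Pixel data must start after the header and inside the bytes we were given. */
    if (pixel_offset < BMP_HDR_SIZE || pixel_offset > len) return BMP_ERR_OFFSET;

    /* Rows are padded to 4 bytes. With the caps above the product fits easily in
     * 64 bits, so the comparison itself cannot overflow. */
    uint32_t stride = (((uint32_t)width * (bpp / 8u)) + 3u) & ~3u;
    uint64_t needed = (uint64_t)stride * (uint64_t)height;
    if (needed > (uint64_t)(len - pixel_offset)) return BMP_ERR_PIXELS;

    out->width = (uint32_t)width;   out->height = (uint32_t)height;
    out->stride = stride;           out->bpp = bpp;
    out->pixel_offset = pixel_offset; out->pixel_bytes = (uint32_t)needed;
    return BMP_OK;
}

/* Constructed test input: writes an uncompressed w x h header plus zeroed pixel
 * rows into buf and returns the file length (0 if buf is too small). */
size_t build_bmp(uint8_t *buf, size_t cap, uint32_t w, uint32_t h, uint16_t bpp)
{
    uint32_t stride = ((w * (bpp / 8u)) + 3u) & ~3u;
    size_t total = BMP_HDR_SIZE + (size_t)stride * h;
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)total);   /* declared file size */
    wr32(buf + 10, BMP_HDR_SIZE);     /* pixel data offset */
    wr32(buf + 14, 40);               /* BITMAPINFOHEADER size */
    wr32(buf + 18, w);
    wr32(buf + 22, h);
    buf[26] = 1;                      /* planes */
    buf[28] = (uint8_t)bpp;           /* bpp < 256, high byte stays 0 */
    return total;
}

/* Builds a well-formed 2x2 24bpp logo and returns the parser's verdict. */
bmp_status check_valid_logo(void)
{
    uint8_t buf[128]; bmp_info info;
    size_t n = build_bmp(buf, sizeof buf, 2, 2, 24);
    return parse_bmp_header(buf, n, &info);
}

/* Pixel bytes the parser computes for the valid 2x2 logo (stride 8, two rows). */
uint32_t valid_logo_pixel_bytes(void)
{
    uint8_t buf[128]; bmp_info info;
    size_t n = build_bmp(buf, sizeof buf, 2, 2, 24);
    return parse_bmp_header(buf, n, &info) == BMP_OK ? info.pixel_bytes : 0;
}

/* Builds the valid logo, then overwrites one 32-bit header field with a value
 * the file's real size does not support, the way a crafted image would lie. */
bmp_status check_tampered(uint32_t field_offset, uint32_t value)
{
    uint8_t buf[128]; bmp_info info;
    size_t n = build_bmp(buf, sizeof buf, 2, 2, 24);
    if (n == 0 || field_offset + 4 > n) return BMP_ERR_TRUNCATED;
    wr32(buf + field_offset, value);
    return parse_bmp_header(buf, n, &info);
}

/* Hands the parser only the first 20 bytes of the valid logo. */
bmp_status check_truncated(void)
{
    uint8_t buf[128]; bmp_info info;
    build_bmp(buf, sizeof buf, 2, 2, 24);
    return parse_bmp_header(buf, 20, &info);
}
```

Each `check_tampered` call changes a single field that the file's 16 bytes of pixel data cannot back up: a width of 100 or 0x7FFFFFFF, a negative height, a pixel offset past the end of the file. A decoder that allocated or copied based on those claimed values before checking them is exactly the kind of component the report describes; the parser above refuses the file before any such arithmetic is used.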
Malware planted this way gains persistence that is virtually undetectable, as was the case with the CosmicStrand malware reported last year. LogoFAIL does not affect the system's runtime integrity, since there is no need to modify the bootloader or the firmware.
The researchers emphasize that the LogoFAIL vulnerabilities are not vendor-specific: they affect devices and chips from a wide range of manufacturers, and the UEFI firmware of both consumer and enterprise devices.
Binarly has already determined that hundreds of devices from Intel, Acer, Lenovo and other manufacturers are potentially vulnerable, as are the three major independent suppliers of custom UEFI firmware code: AMI, Insyde and Phoenix. The exact scope of LogoFAIL's impact, however, is yet to be determined.
“Binarly Transparency Platform uniquely detects LogoFAIL vulnerable components in system firmware, and all our customers are informed about the impact on their code bases or enterprise infrastructure,” the researchers reported.
Comprehensive technical details of LogoFAIL will be presented on December 6th at the Black Hat Europe security conference in London. The researchers have already shared their findings with several device manufacturers and with the major UEFI suppliers.