Computers running Windows or Linux are vulnerable to a new type of firmware attack called LogoFAIL, according to a report from Ars Technica. This attack has proven to be extremely effective because it rewrites the logo that typically appears when the system boots after a successful POST (hence the name, “LogoFAIL”), which is early enough that it can bypass security measures designed to prevent bootkit attacks.
The issue affects any motherboards using UEFI provided by Independent BIOS Vendors (IBVs). IBVs such as AMI, Insyde, and Phoenix will need to release UEFI patches to motherboard companies. Because of the way LogoFAIL overwrites the boot-up logo in the UEFI, the exploit can be executed on any platform using Intel, AMD, or ARM running any Windows operating system or Linux kernel. It works because of the way the rewriteable boot logo is executed when the system turns on. It affects both DIY and prebuilt systems with certain functions kept open by default.
Mode of Attack
The exploit was discovered by researchers at Binarly, who published their findings. The attack occurs when the ‘Driver Execution Environment’ (DXE) phase is underway after a successful POST. The DXE is responsible for loading up boot and runtime services, initiating the CPU, chipset, and other components in a correct sequence for the boot process to proceed. LogoFAIL replaces the UEFI boot-up logo with the exploit, which then loads during the DXE phase.
The researchers demonstrated its execution and exploit on an Intel 11th gen CPU-based Lenovo ThinkCentre M70s with Intel Secure Boot and Boot Guard enabled and the latest available UEFI update from June.
Alex Matrodov, the founder and CEO of Binarly, highlighted that this issue exploits a newly discovered vulnerability in the image-parsing libraries that are used by the UEFI during the boot process. LogoFAIL exploits that vulnerability to bypass all security solutions implemented by the CPU, operating system, and any third-party security software. Since the exploit is not stored in the storage drive, the infection is impossible to eliminate, even after an OS reformat. This UEFI-level exploit can later install a bootkit without being stopped by any security layer from here onwards — making it very dangerous (and a very effective delivery mechanism).
Macs and some prebuilt PCs are safe
Many OEMs, such as Dell, do not allow their logos to be changed in the UEFI — and their image files are protected by Image Boot Guard; these systems are therefore immune to this exploit. Macs, whose hardware and software are developed in-house by Apple, have logo images hardcoded into the UEFI and are similarly protected. This is also the case for Macs running on Intel CPUs (hardcoded logo images), and so those Macs are also safe.
If your system integrator does not allow for rewriting boot images in its BIOS, you should be fine. But for everyone else, this is an exploit that needs to be patched by both motherboard manufacturers and OEMs, as the research shows both are vulnerable. The only way to protect the image parsing in your system’s UEFI is by installing a new UEFI security patch, which you’ll need to get from your motherboard manufacturer or OEM (who will get it from the IBV).
AMI, Insyde, and Lenovo, among others, have published advisories, but there’s no complete list of affected companies — to see if your system is vulnerable, you’ll need to check with your OEM/motherboard manufacturer.
