Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs

20-June-24

Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors.



Tracked as CVE-2024-0762 (CVSS score: 7.5), the “UEFIcanhazbufferoverflow” vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code.



“The vulnerability allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime,” supply chain security firm Eclypsium said in a report. “This type of low-level exploitation is typical of firmware backdoors (e.g., BlackLotus) that are increasingly observed in the wild. Such implants give attackers ongoing persistence within a device and often, the ability to evade higher-level security measures running in the operating system and software layers.”



Following responsible disclosure, the vulnerability was addressed by Phoenix Technologies in April 2024. PC maker Lenovo has also released updates for the flaw as of last month.



“This vulnerability affects devices using Phoenix SecureCore firmware running on select Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake,” the firmware developer said.



UEFI, a successor to BIOS, refers to motherboard firmware used during startup to initialize the hardware components and load the operating system via the boot manager.



The fact that UEFI is the first code that’s run with the highest privileges has made it a lucrative target for threat actors looking to deploy bootkits and firmware implants that can subvert security mechanisms and maintain persistence without being detected.



This also means that vulnerabilities discovered in the UEFI firmware can pose a severe supply chain risk, as they can impact many different products and vendors at once.“UEFI firmware is some of the most high-value code on modern devices, and any compromise of that code can give attackers full control and persistence on the device,” Eclypsium said.



The development comes nearly a month after the company disclosed a similar unpatched buffer overflow flaw in HP’s implementation of UEFI that impacts HP ProBook 11 EE G1, a device that reached end-of-life (EoL) status as of September 2020.



It also follows the disclosure of a software attack called TPM GPIO Reset that could be exploited by attackers to access secrets stored on disk by other operating systems or undermine controls that are protected by the TPM such as disk encryption or boot protections.

Read More…